Issue:

I have a user (in my area or department) who needs to conduct compliance-regulated sessions (such as HIPAA, GDPR, etc.) using Zoom at WSU - which needs to be managed by a Compliance Officer or IT Administrator.

Compliance Officers and IT Administrators need access to manage, audit, and oversee compliance-regulated Zoom Meetings and Recordings, but do not need access to non-regulated Zoom Meetings and Recordings for the given user.

Example: I work in a site clinic that has clinicians, mentors, and reviewers. The IT professionals managing my clinic support the account, but reviewers and clinicians need to be able to access clinic recordings (independent of my personal Zoom recordings).

I need to meet specific compliance standards (HIPAA, GDPR, etc.) for a Grant, Research, or Study and leverage Zoom Meetings as part of it.

Solution:

WSU and Zoom have signed a BAA (Business Associate Agreement), and WSU Zoom is configured to be compliant for regulatory needs (including HIPAA). WSU users with compliance needs do not need to have Zoom accounts segregated into a separate WSU Zoom environment.

While all WSU Zoom Meetings and Cloud Recordings are configured for compliance using best practices, some situations call for compliance officers to manage and enforce compliance-regulated meetings and recordings. We will refer to them as managed WSU Zoom Regulated Accounts.

This single process, Role-Based Access Control (RBAC), and account type (first.last.reg) now apply to all compliance use cases, including HIPAA, GDPR, and other regulated scenarios.

Please review the sections below for a complete understanding of the Structure, Components, Process, and Default Settings associated with a managed WSU Zoom Regulated Account.

See specific information regarding HIPAA here: HIPAA Information and FAQ

Structure

  • Users will utilize a separate account (first.last.reg) to conduct compliance-regulated meetings using WSU Zoom.

  • WSU Regulated users are mapped to specific groups, where various controls and settings are required to keep WSU Zoom meetings secure and protect regulated data.

  • Area Administrators and Compliance Officers will be provided access and control to manage their regulated users.

  • ITS's Zoom Team will assist in this setup process, be available for consultation, and provide Area Administrators and Compliance Officers support.

  • Ownership and management of these WSU Zoom regulated user groups is the direct responsibility of the Area Administrators and Compliance Officers.

This diagram is a visual representation of the Structure (diagram not reproduced in this text version):

Components

  • The Area will need to designate an administrator or compliance officer(s) who will have elevated permissions to manage and oversee their regulated users in WSU Zoom. These individuals will have access to manage all Zoom settings at a group level and have full access to the .reg accounts of their users. The Zoom Service Team will manage this administrative group in Okta.

  • A security group (either AD-Synced or in Okta) will be managed by the Area IT team which will contain the .reg accounts for their users. This security group is mapped via SAML to a corresponding group in Zoom.

  • Regulated WSU accounts (first.last.reg) are created and utilized for compliance-regulated Zoom workflows (such as HIPAA, GDPR, or specific research grant requirements). Users will utilize their normal WSU Zoom account for all other Zoom workflows.

  • Specific Zoom settings will be locked or enabled by default to follow best practices for regulatory compliance. Any unlocked and adjustable settings are available but should be implemented with careful consideration.

Process

  1. Submit a request to zoom.support@wsu.edu detailing the compliance needs (HIPAA, GDPR, research, etc.), details around the use case, administrator or compliance officer, and users who intend to conduct compliance-regulated WSU Zoom meetings.

  2. If approved by the WSU Zoom Team, the administrator or compliance officer accepts liability for managing a secure group. The WSU Zoom Team will be available to help, but is not responsible for any misconduct or moderation errors.

  3. The WSU Zoom Team will create and manage the Area Administrators and Compliance Officers group, which provides elevated access in Zoom to view and edit user Settings, Meetings, and Recordings. Changes to this access are the responsibility of the Zoom Team, and requests are processed through the Zoom Service Desk (zoom.support@wsu.edu).

  4. The Area IT or Compliance Officer will submit a request (crimsonservicedesk@wsu.edu or Crimson Service Desk Portal) to the Crimson Service Desk to create regulated accounts:

    • Provide a list of users who will need regulated accounts (first.last.reg)

    • Note in the request these accounts intend to be used for regulated workflows (e.g., HIPAA) in Zoom

  5. The Area IT will create a group that contains the regulated accounts of their users.

    • Create a group in Active Directory in an Okta synced AD OU (find where this OU is from CAS groups)

    • If you do not have access to create groups in this OU, please note this in the request so that CDS can provide access to do so

  6. The user will need to activate their new regulated account via https://account.wsu.edu and choose a password.

  7. The WSU Zoom Team will create a group within Zoom following our standard security configuration for regulated accounts. Additional changes or enhancements to these default settings can be made and managed by the Area Administrators or Compliance Officers.

  8. The WSU Zoom Team will create and configure SAML mapping for the Area Administrators and Compliance Officers' access in Zoom, Licensing for Regulated Accounts, and the Regulated account user group in Zoom.

    • Note: Check Application assignment in Okta (Zoom Team) - assign individually by account or by Okta group.

  9. Area Administrators and Compliance Officers should review security settings and general best practices with their users.

  10. Upon logging into WSU Zoom with the Regulated Accounts, users will be ready and able to conduct compliance-regulated Zoom Meetings.

  11. Users will use the Regulated account for regulated WSU Zoom workflows, and their normal WSU Zoom account for everything else (users can have multiple accounts logged into the Zoom Desktop client and switch between them).

Default Settings for User, Meetings, and Recording

General Settings

  • Data Centers are restricted to the US and locked (can be adjusted based on participant location needs)
  • Screenshot blur for mobile OS enabled and locked
  • Huddles disabled and locked

Security Settings 

  • Waiting Room enabled and locked by default
  • Passcode enabled and locked by default
  • Authentication enabled and locked
  • Join Before Host is disabled and locked

In-Meeting Settings 

  • Remote Control disabled and locked
  • Screen Sharing restricted to host only, enabled and locked
  • File Transfer disabled and locked

Recording Settings 

  • Local Recording disabled and locked
  • Cloud Recording downloads are restricted to host only and locked
  • Authentication for Cloud Recordings enabled and locked

AI Settings

  • AI Companion Features disabled and locked

Chat Settings 

  • In-meeting chat saving is disabled and locked (auto-save and manual)
  • Continuous chat disabled and locked
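The locked defaults above are only protective while they stay locked, so a Compliance Officer will want to check a regulated group for drift periodically. The following is an added example (not WSU's or Zoom's own code) that compares a flat settings export against this page's baseline; the export format and key names are constructed assumptions for illustration, not Zoom's API schema.

```python
# Added example (not WSU's or Zoom's code): drift check of a regulated group's
# settings against the locked defaults listed above. The export format and key
# names below are CONSTRUCTED assumptions for illustration, not Zoom's API schema.

# Baseline from the Default Settings: key -> (required value, must be locked).
BASELINE = {
    "data_center_regions": (["US"], True),
    "waiting_room": (True, True),
    "meeting_passcode": (True, True),
    "join_before_host": (False, True),
    "remote_control": (False, True),
    "screen_sharing_host_only": (True, True),
    "file_transfer": (False, True),
    "local_recording": (False, True),
    "cloud_recording_auth": (True, True),
    "ai_companion": (False, True),
    "in_meeting_chat_save": (False, True),
}

def check_group(settings: dict, locks: dict, baseline: dict = BASELINE) -> list:
    """Return (key, problem, observed) tuples for every drift from the baseline.

    problem is "missing" (not in export), "value" (wrong value) or "unlocked"
    (value is right today, but users could change it because the group lock is off).
    """
    findings = []
    for key, (expected, must_lock) in baseline.items():
        if key not in settings:
            findings.append((key, "missing", None))
            continue
        if settings[key] != expected:
            findings.append((key, "value", settings[key]))
        if must_lock and not locks.get(key, False):
            findings.append((key, "unlocked", locks.get(key)))
    return findings

# Constructed sample export with two deliberate drifts (local recording turned on,
# join-before-host left unlocked) and one setting absent from the export.
SAMPLE_SETTINGS = {
    "data_center_regions": ["US"], "waiting_room": True, "meeting_passcode": True,
    "join_before_host": False, "remote_control": False,
    "screen_sharing_host_only": True, "file_transfer": False,
    "local_recording": True, "cloud_recording_auth": True, "ai_companion": False,
}
SAMPLE_LOCKS = {k: True for k in SAMPLE_SETTINGS}
SAMPLE_LOCKS["join_before_host"] = False

if __name__ == "__main__":
    for key, problem, observed in check_group(SAMPLE_SETTINGS, SAMPLE_LOCKS):
        print(f"{key}: {problem} (observed={observed!r})")
```

A setting reported as "unlocked" is the case most often missed in review: the value matches today, but nothing stops a user from changing it in their own account settings.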


Need Help? You can submit a ticket from our Jira service desk: WSU Zoom Service Desk