What Zoom says officially
Zoom publishes a specific HIPAA BAA guide . It says Zoom enters into BAAs with healthcare and other eligible customers. Pro customers can select and accept the United States BAA during purchase or enable it later in Plan Management. Customers buying Business, Business Plus, or Enterprise plans are directed to sales. The page does not extend that path to the free Basic plan.
Zoom also says that executing the agreement does not require a separate technical switch. That does not remove the customer’s operational responsibilities. Account owners and admins can use accountlevel settings for meetings, recordings, chat, apps, whiteboards, and other features, and can lock settings so individual users cannot change them.
The result is conditional: there is a documented contract and paid-product path, but the practice still controls who joins, what gets recorded, and where information goes after a call.
What this means for a medical practice
A telehealth visit contains more than live audio and video. The meeting title, invitation, waiting room, participant display names, chat, screen shares, whiteboards, transcripts, AI output, and cloud recordings can all reveal patient information. Calendar and EHR connections may create additional copies.
Suppose a clinician uses an account covered by the BAA but downloads a recording to a personal laptop, invites a personal email address, or enables an unreviewed transcription service. The Zoom contract does not bring those separate storage locations or vendors into scope. The practice needs a clear policy for which features are permitted and who can enable them.
The same end-to-end review applies to a HIPAAconscious medical website that launches patients into a virtual appointment. The website should not expose a reusable meeting link or unnecessary health details. A careful patient engagement design should also tell patients what to expect without putting clinical context in public-facing reminders.
How to use it safely
- Purchase an eligible paid Zoom plan under the practice’s managed account.
- Execute Zoom’s BAA in checkout or Plan Management, or complete it through sales for the applicable plan. Keep the effective agreement with vendor records.
- Assign named users, require strong authentication, remove former staff promptly, and limit admin roles.
- Review and lock meeting, chat, recording, AI, app, and whiteboard settings at the account level.
- Decide whether recordings and transcripts are allowed. If they are, document their destination, access, and retention.
- Test invitations, waiting rooms, calendar entries, notifications, and connected services before using real patient information.
Compliant alternatives
Microsoft 365 includes Teams among its in-scope commercial services under Microsoft’s BAA and may fit a practice already managing Microsoft identities. Google Workspace can cover Meet under Google’s BAA, but consumer Google accounts and third-party add-ons remain outside that managed path.
Review the Zoom agreement and account policy set again whenever the practice enables a new meeting, recording, AI, chat, or app feature.
Bottom line
Zoom provides a clear BAA route for eligible paid customers. Treat it as a conditional option: execute the agreement first, centrally govern the account, and verify every recording, integration, and downstream destination that may receive PHI.