WSU Zoom accounts, meetings now HIPAA compliant

Users no longer need to request HIPAA-compliant Zoom account; all accounts compliant by default

The university has approximately 45,000 HIPAA-compliant Zoom licenses currently in use. 

LAUREN PETTIT | DAILY EVERGREEN FILE

MELINA ERNST, Evergreen reporter

All WSU Zoom accounts and meetings are Health Insurance Portability and Accountability Act compliant as of July 16.

The university intends to safeguard the privacy of protected health information with all Zoom accounts now being HIPAA compliant, according to a WSU Insider article.

WSU had limited HIPAA-compliant Zoom licensing prior to July 16, said Travis Williams, WSU video conferencing infrastructure and support manager.

Previously, users had to submit a request to use a secondary HIPAA-compliant Zoom account, he said. Now, all WSU Zoom accounts are HIPAA compliant by default. The university has approximately 45,000 licenses currently in use. 

Around 200 users accessed the HIPAA-compliant accounts, with counselors and researchers often requesting to use them. Williams said he believes universal HIPAA compliance will particularly benefit WSU’s science and medical departments. 

“The biggest struggle that we contend with is those faculty who do research but also have teaching positions,” he said.

Researchers needing to protect their information were previously unable to teach using the same Zoom account, Williams said. Now, faculty members serving two roles no longer have to worry about submitting a request and switching between accounts.

He said it is important to be aware of HIPAA guidelines and understand Zoom only protects users to a certain extent. 

“[If] the intent of the meeting is to be HIPAA compliant … the leader of the meeting needs to make it clear what the user onus is,” Williams said. “Zoom makes your meeting HIPAA compliant, it doesn’t make the person HIPAA compliant.”

For instance, Zoom cannot detect if a user took a meeting screenshot, said Jacqueline Southwick, Information Technology Services systems communication and customer experience director. Individuals concerned that other attendee(s) captured information for unintended purposes should address it immediately.

Users can still record meetings locally to their computers. However, the host must disable this feature if a meeting needs to be HIPAA compliant, Williams wrote in an email.

“One of the important things to remember is our Zoom licensing now [has] encryption in place [and] password protections,” Southwick said. “Those all feed into the protections that HIPAA requires.” 

Zoom recordings are encrypted using the Advanced Encryption Standard. Three Zoom service administrators have access to meeting recordings, alongside hosts and the individual(s) they share the recording with, Williams wrote in an email. The Zoom Cloud stores recordings for 180 days. WSU has complete ownership over any PHI stored on the Zoom Cloud.

He said Zoom’s updated HIPAA Business Associate Agreement has privacy policies in place ensuring users’ protection. 

For example, Zoom’s encrypted chat feature allows attendees to send messages without disclosing personal information to Zoom’s servers, according to the agreement. Privacy features also allow hosts to establish waiting rooms, enable lock room functionalities and control attendee admittance.

“While we cannot control every malicious act, we work to protect to the best of our … industry abilities,” Williams wrote in an email. 

Individuals can view Zoom’s HIPAA compliance datasheet to learn more about Zoom’s compliance standards.