About Health Data on Zoom
As a user of the University Zoom service for teleconferencing, and as someone handling health information, it’s critical that you play your part in ensuring the privacy and security of patient/client health information.
Some key points to keep in mind:
- Zoom meetings can be disrupted by uninvited participants, a practice known as “Zoombombing”. It becomes possible whenever the meeting link (or the Meeting ID it contains) reaches someone outside the intended audience, for example because the meeting was advertised publicly or the link was forwarded. Configure your meetings so that even an attacker who obtains the link cannot join, interfere with the meeting, or observe a client session.
- Those using Zoom may not store Protected Health Information (PHI) in Zoom's cloud recording storage: recordings must be stored in a secure University location. Work with your technical staff to ensure proper file protections are in place. Note that some groups handle health information that does not qualify as HIPAA PHI; those groups are still required to store their recordings locally. Treat your data as if it were PHI.
- By default, any participant in a meeting can share their video, audio, and screen; the host does not have to grant screen-sharing permission first, so an uninvited participant can put content in front of everyone in the session.
Required Account Settings
Each of the risks above exists under Zoom's default settings. Users who plan to discuss, provide, or interact with health data on Zoom are required to make the following changes to their account settings before using Zoom.
In your Zoom settings:
- Automatically Generate a Meeting ID (do not schedule client sessions with your Personal Meeting ID, which is a fixed, reusable number that anyone who has seen it once can try again)
- Require Meeting Password (called a Passcode in newer Zoom versions; a link or Meeting ID alone is then not enough to join)
- Enable the Waiting Room Feature (participants are held until the host admits them individually, so an unexpected name can be refused)
- Disable “Join Before Host” (participants cannot gather in the meeting room, or be joined there by an outsider, before you are present)
- Limit Screen Sharing to Host (“Host Only”, so that no participant can share content without your action)
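The settings above can be checked mechanically rather than by eye. The following is an added example, not part of the University's Zoom guidance: it audits a user-settings object and a scheduled-meeting object against the five required settings and returns every one that is not satisfied, treating a missing field as a failure. The JSON field names (`schedule_meeting.use_pmi_for_scheduled_meetings`, `in_meeting.who_can_share_screen`, `settings.use_pmi`, and so on) are my assumptions about the shape of Zoom's API v2 user-settings and meeting objects and should be confirmed against Zoom's current API reference before the script is pointed at real data; the sample objects are constructed for the example.

```python
"""Audit Zoom settings against the five required settings for health data.

Added example, not the University's or Zoom's own code. Field names are
assumptions about Zoom's API v2 objects; verify them against the API
reference. The sample objects below are constructed, not exported from Zoom.
"""


def _get(obj, path):
    """Walk a nested dict by key path; return None if any key is absent."""
    for key in path:
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def _audit(obj, checks):
    """Return the names of every check whose predicate fails on obj.

    A missing field yields None, which fails every predicate, so an object
    that simply omits a setting is reported rather than silently passed.
    """
    return [name for name, path, ok in checks if not ok(_get(obj, path))]


# Assumed user-settings paths (PATCH /users/{userId}/settings shape).
USER_CHECKS = [
    ("Automatically Generate a Meeting ID",
     ("schedule_meeting", "use_pmi_for_scheduled_meetings"), lambda v: v is False),
    ("Require Meeting Password",
     ("schedule_meeting", "require_password_for_scheduling_new_meetings"), lambda v: v is True),
    ("Enable the Waiting Room Feature",
     ("in_meeting", "waiting_room"), lambda v: v is True),
    ("Disable \"Join Before Host\"",
     ("schedule_meeting", "join_before_host"), lambda v: v is False),
    ("Limit Screen Sharing to Host",
     ("in_meeting", "who_can_share_screen"), lambda v: v == "host"),
]

# Assumed per-meeting paths (POST /users/{userId}/meetings payload shape).
# Screen-sharing policy is assumed to live at the user/account level, not on
# the meeting object, so it is checked only in USER_CHECKS.
MEETING_CHECKS = [
    ("Automatically Generate a Meeting ID",
     ("settings", "use_pmi"), lambda v: v is False),
    ("Require Meeting Password",
     ("password",), lambda v: isinstance(v, str) and len(v) > 0),
    ("Enable the Waiting Room Feature",
     ("settings", "waiting_room"), lambda v: v is True),
    ("Disable \"Join Before Host\"",
     ("settings", "join_before_host"), lambda v: v is False),
]


def audit_user_settings(settings):
    """List the required account settings that are not in force."""
    return _audit(settings, USER_CHECKS)


def audit_meeting(meeting):
    """List the required settings a single scheduled meeting violates."""
    return _audit(meeting, MEETING_CHECKS)


# Constructed sample: a user still on the defaults described above.
DEFAULT_USER_SETTINGS = {
    "schedule_meeting": {
        "use_pmi_for_scheduled_meetings": True,   # static, reusable PMI
        "require_password_for_scheduling_new_meetings": False,
        "join_before_host": True,
    },
    "in_meeting": {"waiting_room": False, "who_can_share_screen": "all"},
}

# The same user after the five required changes.
HARDENED_USER_SETTINGS = {
    "schedule_meeting": {
        "use_pmi_for_scheduled_meetings": False,
        "require_password_for_scheduling_new_meetings": True,
        "join_before_host": False,
    },
    "in_meeting": {"waiting_room": True, "who_can_share_screen": "host"},
}

# Constructed sample meetings: one weak (no password, PMI, open room),
# one scheduled the required way.
WEAK_MEETING = {
    "topic": "Client session", "type": 2,
    "settings": {"use_pmi": True, "join_before_host": True, "waiting_room": False},
}
HARDENED_MEETING = {
    "topic": "Client session", "type": 2, "password": "7Vq2xKp9",
    "settings": {"use_pmi": False, "join_before_host": False, "waiting_room": True},
}


if __name__ == "__main__":
    for label, result in [
        ("default user", audit_user_settings(DEFAULT_USER_SETTINGS)),
        ("hardened user", audit_user_settings(HARDENED_USER_SETTINGS)),
        ("weak meeting", audit_meeting(WEAK_MEETING)),
        ("hardened meeting", audit_meeting(HARDENED_MEETING)),
    ]:
        print(f"{label}: {'OK' if not result else 'MISSING -> ' + '; '.join(result)}")
```

Run as a script it prints one line per sample; the two `audit_*` functions are the reusable part and can be fed the JSON returned by the corresponding Zoom API calls once the field names have been confirmed.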