Protecting PHI using the Zoom HIPAA Compliant Portal Policy and Guidelines
Individuals in a covered component of the University of Illinois Covered Entity may access the Zoom HIPAA Compliant Portal (ZHCP), which is capable of creating secure meetings for discussing PHI and providing telehealth services.
As Zoom is regularly used as a collaboration tool on campus, the ZHCP will be a separate entity that requires users to agree to the acceptable use standards, including reviewing and following the guidance outlined below in the Protecting PHI using Zoom HIPAA Compliant Portal document.
Recognizing the need for a secure way to conduct online meetings where Protected Health Information (PHI) is discussed, the University of Illinois (University) has established an agreement with Zoom.com (Zoom) to offer users the ability to create secure HIPAA compliant online meetings.
Zoom is built as a communication tool, with the purpose of making communication and data sharing convenient. As a result, to ensure that it is used in compliance with HIPAA standards, controls are necessary. This document outlines the Privacy Official’s required and recommended actions that members of the University community must follow to use Zoom.com with PHI in a compliant manner. However, it is ultimately up to those Workforce members implementing ZHCP meetings to consider the technology and use it in a manner that complies with the University’s HIPAA Directive and this document.
General HIPAA training, which all Workforce Members are required to complete, is separate from the required and recommended actions contained in this document.
ZHCP Security Controls:
Responsibility of Meeting Owner:
• Individuals must read and understand this document before using the Zoom HIPAA Compliant Portal.
• Always ensure that you are using the correct Zoom portal when setting up your meeting; using regular University Zoom meetings to discuss PHI is prohibited.
• Ensure that your meeting room is password protected or that participant access is otherwise limited.
• When creating meetings, ensure that no Protected Health Information, such as individual participant names or medical information, is listed in the meeting title.
• Be cognizant when using any Zoom add-ons which sync meeting information to a third party (for example, syncing meetings to your email calendar, which would not be compliant if there were any PHI in the meeting title).
• Technical security measures help protect rooms from access, but meeting hosts should always ensure only appropriate individuals are participating in the meeting.
Technical Controls Enabled for Zoom HIPAA Compliant Meetings:
• Additional encryption enabled for all participants to meet HIPAA requirements.
• Cloud and local recordings are disabled.
• Additional device and user information is logged for auditing purposes.
• Encrypted chat is enabled, which secures chat messaging and disables saving of chat and screen captures.
• File transfers with Zoom have been disabled.
Gaining access to the Zoom HIPAA Compliant Portal at the University
1. Only employees, volunteers, trainees, and other persons under the direct control of the University are eligible to access the ZHCP for creating meetings.
2. All meeting owners must understand and implement the required security measures discussed above.
3. Follow the How to Change Zoom Portals KB article for instructions on switching to and accessing the portal.