Topics Map > Communication & Collaboration > Conferencing > Zoom

How can I protect PHI while using Zoom?

Individuals in a covered component of the University of Illinois Covered Entity may access the HIPAA compliant "UIC PHI" Zoom portal, capable of creating secure meetings for discussing PHI and providing telehealth services.

As Zoom is regularly used as a collaboration tool on campus, the UIC PHI portal will be a separate entity that requires users to agree to the acceptable use standards including reviewing and following the guidance outlined below in the Protecting PHI using Zoom HIPAA Compliant Portal document.


Introduction


Recognizing the need for a secure way to conduct online meetings where Protected Health Information (PHI) is discussed, the University of Illinois (University) has established an agreement with Zoom.com (Zoom) to offer users the ability to create secure HIPAA compliant online meetings.

Zoom is built as a communication tool, with the purpose of making communication and data sharing convenient.  As a result, to ensure that it is used in compliance with HIPAA standards, controls are necessary.  This document outlines the Privacy Official’s required and recommended actions that members of the University community must follow to use Zoom.com with PHI in a compliant manner.  However, it is ultimately up to those Workforce members implementing ZHCP meetings to consider the technology and use it in a manner that complies with the University’s HIPAA Directive and this document.

General HIPAA training, that all Workforce Members are required to complete, is separate from the required and recommended actions contained in this document.

UIC-PHI Security Controls:

Responsibility of Meeting Owner:

  • Individuals must read and understand this document before using the Zoom HIPAA Compliant Portal.
  • Always ensure that you are using the correct Zoom portal when setting up your meeting, using regular university zoom meetings to discuss PHI is prohibited.
  • Ensure that your meeting room is password protected or otherwise limit participant access.
  • Ensure when creating meetings that no Protected Health Information is listed in the meeting title such as individual participant names or medical information.
  • Technical security measures help protect rooms from access, but meeting hosts should always ensure only appropriate individuals are participating in the meeting.
  • Avoid using the internet browser plugins for Zoom to Firefox/Chrome/etc - while these plugins cannot be disabled, their use is not allowed in the PHI portal.

Technical Controls Enabled for Zoom HIPAA Compliant Meetings:

  • Additional encryption enabled for all participants to meet HIPAA requirements.
  • Cloud and local recordings are disabled.
  • Additional device and user information is logged for auditing purposes.
  • Encrypted chat is enabled which will secure chat messaging that disables saving of chat and screen captures.
  • File transfers with Zoom has been disabled.

Gaining access to the Zoom HIPAA Compliant Portal at the University

  1. Only employees, volunteers, trainees, and other persons under the direct control of the University are eligible to access the UIC-PHI portal for creating meetings.
  2. All meeting owners must understand and implement the required security measures discussed above.
  3. Follow the instructions at How can I use Zoom for PHI? for instructions on accessing the portal.

See Also:




Keywords:HIPAA, security, portal, compliant, compliance   Doc ID:101406
Owner:Anthony M.Group:University of Illinois at Chicago ACCC
Created:2020-04-24 14:03 CDTUpdated:2020-06-01 13:34 CDT
Sites:University of Illinois at Chicago ACCC
Feedback:  0   0