Is Zoom HIPAA Compliant? Plans, the BAA, and HIPAA Mode in 2026
Last updated: July 16, 2026
Is Zoom HIPAA compliant? Yes, with conditions, and the conditions are where practices slip. Zoom signs a Business Associate Agreement (BAA) for healthcare customers on qualifying paid plans, including Zoom Workplace for Healthcare and eligible Business, Business Plus, and Enterprise accounts. The BAA is not automatic. You request it through Zoom's healthcare compliance process, and you enable the HIPAA settings on the account. Free and standard personal accounts are never covered, so a single patient call on one is a violation. This is one of the most-asked telehealth questions there is, and the answer follows the same rule as every vendor on this site: the contract decides, not the encryption. Here is the plan-by-plan answer, what HIPAA mode changes, and the half of telehealth compliance that Zoom cannot cover for you. Disclosure up front: we sell that other half.
TL;DR: Quick answer
Is Zoom HIPAA compliant? Yes on qualifying paid plans that offer a BAA: Zoom Workplace for Healthcare, and eligible Business, Business Plus, and Enterprise accounts.
The BAA must be requested and executed, and the account's HIPAA settings enabled. It does not switch on by itself when you pay.
Free and standard Zoom accounts have no BAA path. Any patient conversation on them, even one call, violates 45 CFR § 164.308(b).
Zoom's AES-256 encryption is strong and still not the test. The BAA is the legal gate; the settings and staff behavior do the rest.
Zoom covers the video call. Your booking flow, intake forms, and website records are outside its BAA and need their own compliant home.
When is a video call PHI?

Almost always, in a care context. A telehealth session links an identified patient to their health condition in real time. The session itself, the chat beside it, any recording, and the appointment details around it are all protected health information (PHI) under 45 CFR § 160.103. That makes the video platform a Business Associate: it transmits PHI for you, so under 45 CFR § 164.308(b) it must sign a BAA before the first patient call. The platform question is one piece of the larger telehealth stack, which we map in HIPAA compliant telehealth.
Is Zoom HIPAA compliant on your plan?

Plan | BAA available? | Patient calls? |
|---|---|---|
Free / Basic | No | Never |
Standard personal paid plans | No BAA path on standard accounts | No |
Business / Business Plus / Enterprise | Eligible, on request through Zoom's process | Yes, once the BAA is signed and HIPAA settings are on |
Zoom Workplace for Healthcare | Yes, built for it | Yes, with the BAA executed and settings configured |
Three details matter. First, request the BAA and keep the signed record; paying for Business does not create coverage by itself. Second, enabling the HIPAA configuration changes the product: certain features are restricted or disabled so PHI does not land where it should not, and your team should review what changes before go-live. Third, plan names and eligibility shift over time, so confirm the current terms with Zoom directly. As always, put the whole arrangement in your risk analysis under 45 CFR § 164.308(a)(1)(ii)(A).
Why Zoom's encryption does not settle the question
Zoom encrypts meetings with AES-256 GCM and signals over TLS 1.2, which is genuinely strong. It is also the wrong test, and this is the misunderstanding behind most "but it is secure" arguments. Under HIPAA, the first question is contractual: has the vendor accepted Business Associate responsibility in writing? A free Zoom account has the same encryption as a healthcare account and none of the legal coverage. The same pattern runs through every vendor we have reviewed, from AWS to Calendly: security protects the data, the BAA assigns responsibility for it, and compliance requires both.
The setup that actually works

Whether Zoom is HIPAA compliant for your practice comes down to five steps, in order:
Get on a qualifying plan. Zoom Workplace for Healthcare if telehealth is core to your practice; an eligible Business or Enterprise plan can work if Zoom confirms BAA coverage for it.
Request and sign the BAA through Zoom's healthcare process, and file the executed copy with your compliance records.
Enable the HIPAA settings and review what they restrict. Decide your recording policy deliberately; a recorded session is stored PHI with its own storage obligations.
Train the team on account discipline. Patient calls happen only on the covered account. A clinician toggling to a personal free Zoom "just this once" is the most common failure in the wild.
Cover the rest of the visit path. The booking form, the intake questionnaire, the reminder emails, and the page where patients click "join" all carry PHI before Zoom ever opens.
What Zoom's BAA does not cover: everything around the call
Zoom covers the session. It does not cover how the patient got there, which is why "is Zoom HIPAA compliant" is only half the telehealth question. The appointment was booked somewhere, and if that scheduler has no BAA, the violation happened before the call started; see is Calendly HIPAA compliant for that exact trap. The intake form collected symptoms somewhere, and those standards are in HIPAA compliant forms. The confirmation email, the patient-facing page, and any stored records live on your website's infrastructure, which needs its own BAA and safeguards. That infrastructure is what we sell: BAA-covered environments from $79 per month self-managed or $229 managed with migration included, detailed in managed HIPAA hosting. Zoom plus compliant infrastructure is the full telehealth stack; either alone is half a compliance posture.
The trap: the personal account that took one patient call

Most Zoom violations are not platform choices. They are drift. The practice signed the healthcare BAA years ago, then a new associate joined, her account invite sat in a queue, and she took Tuesday's sessions on her personal free Zoom to keep the schedule moving. Every one of those calls moved PHI through a service with no BAA, and the 2026 penalty tiers start at $145 per violation. The fix is boring and works: covered accounts for everyone who sees patients, from day one, checked as part of the same sweep as our HIPAA website audit.
If you want the whole visit path handled
Tell us how your telehealth visits run today: how patients book, what the intake asks, where the site lives, and which Zoom plan you hold. If your Zoom setup is already right, that is the answer you will get, and we will point at the gaps around it instead. Booking, intake, and the site itself on HIPAA compliant hosting is the half we build, and our client-side compliance review documents what the current flow leaks. We sell those services, so weigh that as a disclosure.
Frequently asked questions
Is Zoom HIPAA compliant?
Yes, with conditions. Zoom signs a BAA for qualifying paid plans, including Zoom Workplace for Healthcare and eligible Business and Enterprise accounts. The BAA must be requested and signed, and the HIPAA settings enabled. Free and standard accounts are never covered.
Does Zoom sign a BAA?
Yes, for healthcare customers on qualifying plans, through its healthcare compliance process. It is not automatic with payment. Request it, sign it, and keep the record before any patient call.
Can I use free Zoom for telehealth?
No. Free and basic accounts have no BAA path, so even a single patient session on one violates 45 CFR § 164.308(b), regardless of the encryption underneath.
What does Zoom's HIPAA configuration change?
It applies restrictions that keep PHI contained, and some convenience features are limited or disabled as a result. Review the current list with Zoom when you enable it, and set your recording policy deliberately, since recordings are stored PHI.
Is Zoom with a BAA enough for telehealth compliance?
No. Zoom covers the call. Your scheduler, intake forms, reminder emails, and website need their own BAA-covered homes, and the whole path belongs in your risk analysis.
Recap: is Zoom HIPAA compliant?
To recap, is Zoom HIPAA compliant? Yes, conditionally. Get a qualifying plan, request and sign the BAA, enable the HIPAA settings, and keep every patient call on the covered account. Free and standard accounts are never an option. Encryption is not the test; the contract is. And Zoom is half the telehealth stack: the booking, intake, and website around the call need their own compliant infrastructure. Check both halves before the next patient clicks join.
This article is general information, not legal advice. Zoom's plans, BAA eligibility, and HIPAA configuration are as publicly described in mid-2026 and change; confirm current terms with Zoom directly, consult qualified counsel, and base your safeguards on a documented risk analysis. We sell HIPAA compliant hosting and compliance reviews. Reviewed July 2026.
Sources
Zoom Support: HIPAA Business Associate Agreement (BAA)
HIPAA Journal: Is Zoom HIPAA compliant?
45 CFR § 160.103 (PHI and Business Associate definitions): ecfr.gov
45 CFR § 164.308 (administrative safeguards, BAA provisions): ecfr.gov