
Telehealth - HIPAA Zoom

HIPAA (the Health Insurance Portability and Accountability Act) lays out privacy and security standards that protect the confidentiality of patient health information.

When video conferencing, the security architecture must provide end-to-end encryption so that transmitted audio, video and shared content cannot be intercepted and read in transit.

Zoom offers HIPAA-compliant accounts, under which the company takes responsibility for keeping patient information secure. Zoom does not have access to identifiable health information and protects and encrypts all audio, video, and screen sharing data. Zoom has signed a Business Associate Agreement (BAA) with CSUN that certifies that they are HIPAA compliant.

Telehealth Guidelines for Seeing Patients/Clients Remotely:  

  • All students, faculty and researchers must comply with relevant laws, regulations, ethical standards, and CSUN policies to ensure the confidentiality of clients.
  • Field faculty, supervising faculty, program coordinators, researchers and students will confirm that they have read and acknowledged the written policies/protocols specific to their field around the use of technology and confidentiality.
  • Take reasonable steps to maintain appropriate boundaries when using personal phone numbers or other electronic communication.
  • Position web cameras so that others can only see your face; all visible confidential data must be removed from the camera view.
  • Conduct all sensitive conversations in a private space. Be mindful of the potential for family members or bystanders to overhear any portion of your discussions.
  • Record keeping for video-conferencing interactions should be the same as for any other form of client interaction.
  • A consent form must be obtained both in conversation and in written/online form. If recording, the student must disclose to the client the risks and benefits of recording.
  • Students must attempt to verify the location and residence of their clients in order to avoid crossing state lines if licensing applies only to the resident state.

Do regular Zoom and HIPAA-compliant Zoom use the same frontend and the same URL?

Yes. Users will continue to log into Zoom using the same login and workflow. The difference is on the back end, where additional security features are enabled.

Is there a way for a user to tell, visually or otherwise, that their account/Zoom session is HIPAA compliant? I have heard something about HIPAA Zoom always requiring a password, but I don’t see where this is the case with my own meetings.

HIPAA Zoom requires a meeting password on every meeting, and participants must enter it to join.

Are there any settings (in the Settings portion of the Zoom Profile page) that control the security level, or is that all locked out?

Users can still change some settings, but will find others (encryption, password requirements, etc.) disabled or locked.

Are all meetings that are hosted by the user automatically HIPAA compliant? There was some question about a difference in scheduled vs. ad hoc meetings.

Yes, all meetings hosted by that user, whether scheduled or ad hoc, will conform to the HIPAA guidelines.

If a HIPAA user joins a meeting hosted by a non-HIPAA user, I’m assuming that it will not be HIPAA-compliant then. Basically, the security level of the meeting is determined by the host. Is this correct?

Correct, it is determined by the host.

Several of my users are saying that, after being upgraded to a HIPAA account, their license level was also changed to “basic”, which allows them to host meetings of 40 minutes only. They were able to then ask for this to be changed back. Is that correct?

After a user signs in, I have to manually go in and assign the license; I am trying to check 2-3 times a day and move those users over. They will then have the full license.