As a user of the University Zoom service for teleconferencing or tele-practicing, and as someone handling health information, it’s critical that you play your part in ensuring the privacy and security of patient/client health information.

...

  • Zoom can potentially be abused by hackers through a technique known as “Zoombombing”, which is possible if you run a public meeting and the meeting link becomes known to the attacker. Make sure that even if an attacker obtains a link, they cannot interfere with your meetings or observe client sessions.
  • Some groups handle health information that does not qualify as HIPAA PHI; however, those groups are still required to store their videos locally in a University-approved encrypted location such as the U:\ or M:\ drive.
  • All recorded tele-practice sessions and any PHI should always be stored on the University's M:\ Drive or the U:\ Drive. PHI should never be stored in non-university storage.
  • By default, only the host is permitted to share a screen. This helps prevent bad actors from sharing screens with inappropriate content. During the meeting, the host may grant permission to additional users if need be.

Required Account Settings

The University has taken steps to mitigate the key points above by changing the default settings in the HIPAA Zoom service. Users who plan to discuss, provide, or interact with health data on Zoom are required to make sure the following account settings are still in place when scheduling a meeting in Zoom.

...