As a user of the University Zoom service for teleconferencing or tele-practicing, and as someone handling health information, it’s critical that you play your part in ensuring the privacy and security of patient/client health information. Any employee using University Zoom with Protected Health Information (PHI) should contact the Information Security Office (ISO) at firstname.lastname@example.org to gain access to the University's HIPAA-compliant Zoom service.
NOTE: The portal to access the University's HIPAA-compliant Zoom service is the same portal used for regular user access. Nothing in the portal identifies the HIPAA Zoom service; the only indication is that users will not be permitted to record their video sessions in the cloud. "Record on this Computer" will be the only recording option in the HIPAA Zoom service.
Some key points to keep in mind:
- Zoom can potentially be abused by hackers through a technique known as “Zoombombing”, which is possible if you run a public meeting and the meeting link becomes known to the attacker. Make sure that even if an attacker obtains a link, they cannot interfere with your meetings or observe client sessions.
- Some groups handle health information that does not qualify as HIPAA PHI; however, those groups are still required to store their videos locally in a University-approved encrypted location such as the U:\ or M:\ drive.
- All recorded tele-practice sessions and any PHI should always be stored on the University's M:\ Drive or the U:\ Drive. PHI should never be stored in non-university storage.
- By default, only the host is permitted to share a screen. This helps prevent bad actors from sharing screens with inappropriate content. During the meeting, the host may grant screen-sharing permission to additional users if need be.
Required Account Settings
The University has taken steps to address the key points above by changing the default settings in the HIPAA Zoom service. Users who plan to discuss, provide, or interact with health data on Zoom are required to make sure the following account settings are still in place when scheduling a meeting in Zoom.
In your Zoom settings:
- Automatically Generate a Meeting ID
- Require Meeting Password
- Enable the Waiting Room Feature
- Disable “Join Before Host”
- Limit Screen Sharing to Host
Please contact the ITS Service Center at (716) 673-3407 or email@example.com if you need any assistance with your Zoom settings.