Zoom Health at IU

Overview

Important:

This UITS system or service meets certain requirements established in the HIPAA Security Rule, thereby enabling its use for work involving data that contain protected health information (PHI). However, using this system or service does not fulfill your legal responsibilities for protecting the privacy and security of data that contain PHI. You may use this system or service for work involving data that contain PHI only if you institute additional administrative, physical, and technical safeguards that complement those UITS already has in place.

For guidance on division of responsibility when using a UITS system approved for PHI, see Shared responsibility model for securing PHI on UITS systems.

Indiana University and Zoom have signed a Business Associates Agreement (BAA) to facilitate private, secure online collaborations for research, teaching, or administration involving the transmission of protected health information (PHI).

Following are some examples of Zoom collaborations that involve PHI and should be conducted using a Zoom Health account:

  • Distributed research team working sessions with patient data
  • Clinical researchers interviewing participants or participant teams as part of research projects
  • Distributed administrative or technical teams working directly with patient data

Notes:
  • If the meeting host uses their IU Zoom Health account, the meeting satisfies HIPAA requirements (even if some participants do not have IU Zoom Health accounts).

    Breakout Rooms are available in Zoom Health; you can enable them in your Zoom settings and use them normally.

Alternatives

The fastest way to gain the ability to host and schedule meetings approved for PHI is by switching to a secure Microsoft Teams meeting; see Use Microsoft Teams to host meetings that contain protected health information (PHI).

Zoom Health eligibility at IU

Any IU user who will be working with PHI in Zoom should use Zoom Health. All active IU students, faculty, staff, and affiliates can request Zoom Health status.

Users who are approved for Zoom Health accounts will be placed into a subgroup within IU's primary Zoom instance.

Notes:
  • Zoom meetings inherit the settings of the user who creates them, even if that user does not begin or attend the meeting. If you schedule Zoom meetings for others in which PHI is present or discussed, you should use Zoom Health.
  • Zoom Health users must be up to date with IU's annual HIPAA compliance training.
  • IU Health employees who do not also have an active IU status are not eligible for Zoom Health.
  • Per HIPAA guidelines, IU Group accounts are not eligible for Zoom Health status and cannot be used to create or host Zoom Health meetings.

Differences between Zoom Health and standard Zoom accounts

While standard IU Zoom accounts provide encryption for all data transferred between the Zoom cloud, client, and room, Zoom Health accounts offer:

  • Encryption for third-party endpoints (SIP/H.323)
  • Anonymized usage reports
  • Increased privacy through limited access to features that are not appropriate when working with PHI

Important:
  • Waiting rooms are enabled by default for all attendees. Hosts must admit each attendee. If an unexpected attendee attempts to join the meeting, the host can message them while they remain in the waiting room.
  • Users with Zoom Health accounts do not have access to third-party apps offered in the Zoom App Marketplace.
  • Zoom Health hosts can only save chats from Zoom Health sessions to their local workstations. Chats cannot be saved to Zoom cloud storage. Attendees cannot save chats from Zoom Health sessions.
  • Zoom Health accounts do not allow cloud recordings. Hosts with Zoom Health accounts can record Zoom meetings locally to their workstations. Attendees can only record with host permission.

    Once a recording is complete, follow HIPAA best practices for storing any recording that contains protected health information (PHI).

    To request a new institutional storage account, fill out the Institutional storage request form.

    At Indiana University, never store files containing sensitive institutional data, especially protected health information (PHI) regulated by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), on your desktop workstation, laptop, USB flash drive, tablet, smartphone, or other mobile device unless the files are properly encrypted on the device, and your senior executive officer or the IU Institutional Review Board (IRB) has given prior written approval. Because PHI must remain encrypted at rest, make sure you are using full-disk encryption on any device that has research data containing PHI on it. If you are not sure, ask your department or school IT Pro for help.

Account requests

To request Zoom Health status, fill out the IU Zoom Health request form.

To request the removal of Zoom Health status from your account, fill out the Remove IU Zoom Health status form.

This is document atps in the Knowledge Base.
Last modified on 2024-01-30 17:05:16.