How can I protect PHI while using Zoom?

Overview

Individuals in a covered component of the University of Illinois Covered Entity may access the HIPAA-compliant UIC Zoom portal, capable of creating secure meetings for discussing PHI and providing telehealth services.

As Zoom is regularly used as a collaboration tool on campus, a separate group within uic.zoom.us called UIC-PHI requires users to agree to the acceptable use standards, including reviewing and following the guidance outlined below.

 

Introduction

Recognizing the need for a secure way to conduct online meetings where Protected Health Information (PHI) is discussed, the University of Illinois (University) has established an agreement with Zoom.com (Zoom) to offer users the ability to create secure HIPAA-compliant online meetings.
 
Zoom is built as a communication tool, with the purpose of making communication and data sharing convenient. As a result, to ensure that it is used in compliance with HIPAA standards, controls are necessary. This document outlines the Privacy Official’s required and recommended actions that members of the University community must follow to use Zoom.com with PHI in a compliant manner. However, it is ultimately up to those Workforce members implementing ZHCP meetings to consider the technology and use it in a manner that complies with the University’s HIPAA Directive and this document.

General HIPAA training, which all Workforce Members are required to complete, is separate from the required and recommended actions contained in this document.

 

UIC-PHI Group Security Controls:

Responsibility of Meeting Owner:

  • Individuals must read and understand this document before using the Zoom HIPAA Compliant Service.
  • Always ensure that you are using the correct Zoom UIC-PHI Group when setting up your meeting. Using regular university Zoom meetings to discuss PHI is prohibited.
  • Ensure that your meeting room is password protected or that participant access is otherwise limited.
  • When creating meetings, ensure that no Protected Health Information, such as individual participant names or medical information, is listed in the meeting title.
  • Technical security measures help protect rooms from access, but meeting hosts should always ensure only appropriate individuals are participating in the meeting.
  • Avoid using the Zoom internet browser plugins for Firefox, Chrome, etc. While these plugins cannot be disabled, their use is not allowed for PHI.

Technical Controls Enabled for Zoom HIPAA-Compliant Meetings:

  • Additional encryption is enabled for all participants to meet HIPAA requirements.
  • Additional device and user information is logged for auditing purposes.
  • Encrypted chat is enabled, which secures chat messaging and disables saving of chat and screen captures.
  • File transfers with Zoom have been disabled.
 

Gaining access to the Zoom HIPAA Compliant Portal at the University

  1. Only employees, volunteers, trainees, and other persons under the direct control of the University are eligible to access the UIC-PHI group for creating meetings.
  2. All meeting owners must understand and implement the required security measures discussed above.
  3. Use the request form to be added to or removed from the UIC-PHI Zoom group.

Details

Article ID: 1499
Created: Tue 1/19/21 9:13 PM
Modified: Tue 2/27/24 4:52 PM