HIPAA Compliant Video Conferencing: Zoom, Teams, and Doxy.me Compared

The most common misconception about HIPAA compliant video conferencing is that compliance is a property of the brand — that “Zoom” or “Teams” is or isn’t allowed. It is not. Compliance is a property of two things you control: whether the vendor will sign a business associate agreement for your account, and whether the account is configured to protect PHI. The same product can be compliant on one plan and prohibited on another.

The free consumer version is the real trap

Zoom, Microsoft Teams, and Google Meet all offer consumer or free tiers, and those tiers generally will not sign a BAA. A clinician who hosts a telehealth visit on a personal free account has handed PHI to a vendor with no contractual obligation to protect it — a textbook violation regardless of how careful the visit itself was. The OCR enforcement discretion that relaxed telehealth rules during the COVID-19 public health emergency has ended, so full compliance is required again.

How the three platforms compare

Zoom offers a healthcare-oriented configuration and will execute a BAA on qualifying paid plans; it must be set up with encryption enabled and cloud recordings either disabled or routed to secured storage. Microsoft Teams is covered under Microsoft’s BAA for eligible business and enterprise licenses, but the tenant has to be configured and recordings governed appropriately. Doxy.me is purpose-built for telemedicine, signs a BAA, and runs in-browser with a built-in waiting room, which reduces the configuration burden for small practices. In every case the BAA plus correct configuration — not the logo — is what makes it compliant.

Configuration is where compliance is won or lost

Beyond the BAA, the controls that matter are encryption in transit, unique meeting IDs and passcodes, an enabled waiting room so the clinician admits each patient deliberately, authentication for hosts, and a clear policy on recording — including where any recording is stored and who can access it. A compliant platform configured carelessly (open meeting links, recordings synced to a personal cloud drive) is still a breach waiting to happen.

Security Risk Analysis and the 2026 proposed rule

Your choice of video platform is one system among many that a Security Risk Analysis under 45 CFR § 164.308(a)(1)(ii)(A) must evaluate — including how it is configured, who can access recordings, and which BAA governs it. The HIPAA Security Rule update proposed in the NPRM published in December 2024 (not finalized; a 240-day compliance window would follow publication of any final rule) would make encryption and multi-factor authentication effectively mandatory and require a documented inventory of the systems that handle ePHI — your video platform included.

How Medcurity helps

Medcurity helps practices document the Security Risk Analysis that should sit behind any telehealth tooling decision — capturing which platform you use, how it’s configured, and which BAA covers it. The platform is $499/year (about $42/month), and larger or multi-location organizations can request a quote. For the bigger picture, read our essential guide to HIPAA compliance in telehealth, and use our business associate agreement guide to confirm your video vendor is properly covered.

Frequently Asked Questions

Is Zoom HIPAA compliant?

Zoom can be used compliantly when you are on a qualifying paid plan, have executed Zoom’s business associate agreement, and configure the account correctly — encryption on, and cloud recordings disabled or stored securely. The free consumer version, which will not sign a BAA, is not compliant for PHI.

Do I need a business associate agreement for video conferencing?

Yes. Any platform that transmits or records a patient visit is handling PHI on your behalf and is a business associate, so a signed BAA is required before you use it for clinical visits. No BAA means no compliant use, regardless of the platform’s features.

Is Microsoft Teams or Doxy.me better for HIPAA?

Both can be compliant. Teams is covered under Microsoft’s BAA on eligible licenses but requires tenant configuration; Doxy.me is purpose-built for telemedicine with a BAA and a built-in waiting room, which is often simpler for small practices. The right choice depends on your existing tooling and configuration capacity.

Did HIPAA telehealth rules change after COVID-19?

Yes. The OCR enforcement discretion that temporarily allowed non-public-facing consumer apps during the public health emergency has ended. Practices must again use platforms covered by a BAA and configured for HIPAA, rather than relying on the pandemic-era relaxation.