# Legacy HIPAA Business Associate Agreement Accounts

If your account has **not** signed the updated November 2020 [HIPAA business associate agreement (BAA)](https://support.zoom.us/hc/en-us/articles/207652183-HIPAA-Business-Associate-Agreement-BAA), some Zoom APIs will **not** return users' [Protected Health Information (PHI)](https://www.hhs.gov/answers/hipaa/what-is-phi/index.html). Users who sign the updated (November 2020) HIPAA business associate agreement are **not** restricted.

> **Note:** For users who migrate from a legacy HIPAA BAA to the updated BAA, any historical data under the previous (legacy) BAA will remain hidden **except** participant email addresses.

Legacy HIPAA business associate agreements are those signed **prior** to November 2020. Restrictions under this signed BAA include:

- No PHI exposed via meeting reports or meeting/webinar Dashboard-related APIs.
- Disabled and hidden cloud recording feature.
- Enhanced encryption is enabled and **cannot** be disabled.
- In-meeting chats **cannot** be copied or saved.
- The **Require Encryption for 3rd Party Endpoints (H.323/SIP)** setting is enabled and **cannot** be disabled.

Under the legacy BAA **without** a data processing addendum, reports containing PHI will behave as follows:

- Meeting participant reports will **not** display users' PHI. However, webinar attendee reports will display users' PHI.
- [Dashboard](/docs/api/accounts/#tag/dashboards) API responses for meeting **and** webinar participants will **not** display users' PHI. This also includes Dashboard CSV exports.

For information on how to sign a new BAA or sign a data processing addendum, [contact Zoom Sales](https://zoom.us/contactsales).

## Legacy BAAs and API responses

An account that calls a BAA-restricted API under the legacy BAA **without** a signed data processing addendum cannot view the following user information:

- Usernames.
- IP addresses.
- The user's location.
- The user's email address.

Users that sign a data processing addendum are given limited access to users' PHI. However, they still cannot view the following information:

- The user's location.
- The user's IP address.

### APIs

The following APIs **do not** return user PHI under the legacy BAA without a signed data processing addendum:

### Dashboard APIs

- [List meeting participants](/docs/api/accounts/#tag/dashboards/GET/metrics/meetings/{meetingId}/participants)
- [Get meeting participant QoS](/docs/api/accounts/#tag/dashboards/GET/metrics/meetings/{meetingId}/participants/{participantId}/qos)
- [List meeting participant QoS](/docs/api/accounts/#tag/dashboards/GET/metrics/meetings/{meetingId}/participants/qos)
- [Get webinar participants](/docs/api/accounts/#tag/dashboards/GET/metrics/webinars/{webinarId}/participants)
- [Get webinar participant QoS](/docs/api/accounts/#tag/dashboards/GET/metrics/webinars/{webinarId}/participants/{participantId}/qos)
- [List webinar participant QoS](/docs/api/accounts/#tag/dashboards/GET/metrics/webinars/{webinarId}/participants/qos)

### Reports APIs

- [Get meeting participant reports](/docs/api/meetings/#tag/reports/GET/report/meetings/{meetingId}/participants)