Legacy HIPAA Business Associate Agreement Accounts

If your account has not signed the updated November 2020 HIPAA business associate agreement (BAA), some Zoom APIs will not return users' Protected Health Information (PHI).

Users who sign the updated (November 2020) HIPAA business associate agreement are not restricted.

Note: For users who migrate from a legacy HIPAA BAA to the updated BAA, any historical data under the previous (legacy) BAA will remain hidden except participant email addresses.

Legacy HIPAA business associate agreements are considered those which were signed prior to November 2020. Restrictions under this signed BAA include:

No PHI exposed via meeting reports or meeting/webinar Dashboard-related APIs.
Disabled and hidden cloud recording feature.
Enhanced encryption is enabled and cannot be disabled.
In meeting chats cannot be copied or saved.
The Require Encryption for 3rd Part Endpoints (H.323/SIP) is enabled and cannot be disabled.

Under the legacy BAA without a data processing addendum, reports containing PHI will behave as follows:

Meeting participant reports will not display users' PHI. However, webinar attendee reports will display users' PHI.
Dashboard API responses for meeting and webinar participants will not display users' PHI. This also includes Dashboard CSV exports.

For information on how to sign a new BAA or sign a data processing addendum, contact Zoom Sales.

Legacy BAAs and API responses

An account that calls a BAA-restricted API under the legacy BAA without a signed data processing addendum cannot view the user's following information:

Usernames.
IP addresses.
The user's location.
The user's email address.

Users that sign a data processing addendum are given limited access to users' PHI. However, they still cannot view the following information:

The user's location.
The user's IP address.

APIs

The following APIs do not return user PHI under the legacy BAA without a signed data processing addendum:

Dashboard APIs

Reports APIs

Get meeting participant reports