The privacy of your health information is a priority for our team. Please see the communication below from Ochin, who hosts our Epic electronic medical record and Zoom Virtual Visits, and our contract with Zoom, explaining the privacy and security of our Zoom Virtual Visit meetings.
Dear OCHIN Epic Members,
You may be aware of reports in the media warning of FBI concerns that third parties are intruding on Zoom meetings, referred to as Zoom-Bombing. OCHIN takes the privacy and security of our systems very seriously and I want to assure you of our work to address concerns from a professional and patient privacy standpoint.
OCHIN uses Zoom as a health care platform and has implemented this functionality following requirements to ensure we operate within a HIPAA controlled environment. Our system is encrypted end-to-end when using the OCHIN workflow. If patients or providers deviate from this workflow and call in to the meeting or appointment using a landline without using the Zoom tool, they are no longer encrypted. We highly recommend that patients and providers utilize the MyChart integrated Zoom capability, use audio within the tool, and follow the designated workflow when using Zoom.
OCHIN continues to actively monitor the application along with all our tools. We believe the MyChart integrated Zoom platform is an important clinical tool during the COVID19 crisis and beyond.
Please see below for additional details on our agreement with Zoom to help reassure you of our diligence to the issue. If you have any questions, please don’t hesitate to reach out to me at firstname.lastname@example.org.
OCHIN HIPAA compliance with Zoom:
1. OCHIN has a signed Business Associates Agreement (BAA) with Zoom, which holds Zoom and its staff to the same requirements for the protection of patient data as we have with all organizations that process or transport patient data.
2. Encryption of Zoom meetings is implemented end-to-end for all users that are using the Zoom client provided through OCHIN Epic; this includes the Zoom client on PC, MAC, or mobile device. The information is encrypted before leaving the device and is decrypted by the receiving device. This does not allow Zoom employees to access the information shared between patient and provider. Nothing is stored on the Zoom servers. In addition, MyChart virtual visits are password protected.
- Exception: If a person joins a meeting via telephone by calling into the Zoom meeting without using the Zoom client on their phone, the portion of the call between that telephone and the Zoom data centers is not encrypted. The conversation between the Zoom data Center and the rest of the participants is fully encrypted. The phone call portion is considered outside the OCHIN Epic integrated workflow and carries some risk. Phone calls between providers and patients, including those related to this portion of Zoom, while not encrypted are still fully HIPAA compliant and covered under the Federal Wiretapping regulations.
- Additional Detail: This post by Zoom provides additional details: The Facts Around Zoom and Encryption for Meetings/Webinars
3. Information about Zoom’s efforts to improve security for public uses during this time of explosive growth can be found on their blog here.