
Legacy HIPAA Business Associate Agreement Accounts


If your account has not signed the updated November 2020 HIPAA business associate agreement (BAA), some Zoom APIs will not return users’ Protected Health Information (PHI).

Users who sign the updated (November 2020) HIPAA business associate agreement are not restricted.

Note: For users who migrate from a legacy HIPAA BAA to the updated BAA, any historical data under the previous (legacy) BAA will remain hidden except participant email addresses.

Legacy HIPAA business associate agreements are those signed prior to November 2020. Restrictions under a legacy BAA include:

  • No PHI exposed via meeting reports or meeting/webinar Dashboard-related APIs.
  • Disabled and hidden cloud recording feature.
  • Enhanced encryption is enabled and cannot be disabled.
  • In-meeting chats cannot be copied or saved.
  • The Require Encryption for 3rd Party Endpoints (H.323/SIP) setting is enabled and cannot be disabled.

Under the legacy BAA without a data processing addendum, reports containing PHI will behave as follows:

  • Meeting participant reports will not display users’ PHI. However, webinar attendee reports will display users’ PHI.
  • Dashboard API responses for meeting and webinar participants will not display users’ PHI. This also includes Dashboard CSV exports.

For information on how to sign a new BAA or sign a data processing addendum, contact Zoom Sales.

Legacy BAAs and API responses

An account that calls a BAA-restricted API under the legacy BAA without a signed data processing addendum cannot view the following user information:

  • Usernames.
  • IP addresses.
  • The user’s location.
  • The user’s email address.

Users who sign a data processing addendum are given limited access to users’ PHI. However, they still cannot view the following information:

  • The user’s location.
  • The user’s IP address.

APIs

The following APIs do not return user PHI under the legacy BAA without a signed data processing addendum:

Dashboard APIs

Reports APIs