Using Zoom APIs
Error Definitions
Rate Limits
Testing Zoom APIs with Postman
Chat Channels
Chat Channels (Account-level)
Chat Messages
Chatbot Messages
Cloud Recording
IM Chat
IM Groups
SIP Connected Audio
SIP Phone
Tracking Field
Zoom Rooms
Zoom Rooms Account
Zoom Rooms Location
Zoom Rooms Devices
Deprecated API Endpoints
Phone Account
Phone Settings
Phone Users
Phone Auto Receptionists
Phone Blocked List
Call Logs
Phone Call Queues
Call Handling
Common Area Phones
Phone Devices
Directory Backup Routing Rules
Emergency Service Locations
External Contacts
Monitoring Groups
Phone Numbers
Phone Reports
Setting Templates
Shared Access
Phone Shared Line Groups
Phone Site
Provider Exchange
Archiving Events
Account Events
App Events
Billing Events
Chat Message Events
Chat Channel Events
Chatbot Events
Meeting Events
Phone Events
Recording Events
TSP Events
User Events
Webinar Events
Video SDK Events
Zoom Room Events
Deprecated API Endpoints

Legacy HIPAA Business Associate Agreement Accounts

If your account has not signed the updated November 2020 HIPAA business associate agreement (BAA), some Zoom APIs will not return users’ Protected Health Information (PHI).

Users who sign the updated (November 2020) HIPAA business associate agreement are not restricted.

Note: For users who migrate from a legacy HIPAA BAA to the updated BAA, any historical data under the previous (legacy) BAA will remain hidden except participant email addresses.

Legacy HIPAA business associate agreements are considered those which were signed prior to November 2020. Restrictions under this signed BAA include:

  • No PHI exposed via meeting reports or meeting/webinar Dashboard-related APIs.
  • Disabled and hidden cloud recording feature.
  • Enhanced encryption is enabled and cannot be disabled.
  • In meeting chats cannot be copied or saved.
  • The Require Encryption for 3rd Part Endpoints (H.323/SIP) is enabled and cannot be disabled.

Under the legacy BAA without a data processing addendum, reports containing PHI will behave as follows:

  • Meeting participant reports will not display users’ PHI. However, webinar attendee reports will display users’ PHI.
  • Dashboard API responses for meeting and webinar participants will not display users’ PHI. This also includes Dashboard CSV exports.

For information on how to sign a new BAA or sign a data processing addendum, contact Zoom Sales.

Legacy BAAs and API responses

An account that calls a BAA-restricted API under the legacy BAA without a signed data processing addendum cannot view the user’s following information:

  • Usernames.
  • IP addresses.
  • The user’s location.
  • The user’s email address.

Users that sign a data processing addendum are given limited access to users’ PHI. However, they still cannot view the following information:

  • The user’s location.
  • The user’s IP address.


The following APIs do not return user PHI under the legacy BAA without a signed data processing addendum:

Dashboard APIs

Reports APIs