HIPAA lawyer Jeff Drummond has a blog post about the concerns Consumer Reports raised about using Zoom. Jeff focuses on its use for those who are covered by HIPAA, and he has a good tip for covered entities:
This highlights two things: think about the services your (sic) are using that get to view your information and find out what they can do with it (especially find out if they are actually doing it or deny doing it, even though they have the right to). And make sure you get a BAA if (i) you are a covered entity under HIPAA and (ii) any of the information that the service comes into contact with might be PHI.
I’ve looked at Zoom’s BAA. It’s ok (“meh”). Doxy.me has a much better one. But both are minimally sufficient.
UPDATE: one other thing: be the host, if you are the CE.
Read more on HIPAA Blog.