Is Cisco Webex HIPAA compliant?
Yes. Cisco will sign a BAA for Webex with HIPAA covered entities and their business associates, and publishes a BAA document, but the platform must be configured and used under organizational policies that control PHI disclosure.
Key facts
- BAA available: Yes — with a signed BAA
- What it takes: Cisco will sign a BAA with covered entities and business associates; confirm eligible service scope
- Official source: Cisco — Business Associate Agreement (official PDF) — https://www.cisco.com/c/dam/en_us/about/doing_business/legal/docs/business-associate-agreement.pdf (verified 2026-06)
How to use Cisco Webex in a HIPAA-compliant way
- Engage Cisco/Webex to request the Business Associate Agreement
- Review Cisco's published Webex BAA terms with legal
- Confirm which Webex services are in scope and execute the BAA before handling PHI
- Configure Webex (encryption/TLS 1.2, access controls, recording/data settings) for HIPAA use
- Apply organizational policies controlling PHI disclosure during telehealth/provider conferencing
Important caveats
- Webex is not HIPAA compliant out of the box — correct configuration and a signed BAA are both required
- Confirm which Webex products/features are covered by the BAA before sending PHI
- Covered entities remain responsible for access controls, staff training, and ongoing compliance
The bottom line
No software is "HIPAA compliant" on its own. HIPAA compliance is a property of your organization, not a tool. Even with a signed BAA, you remain responsible for configuring Cisco Webex correctly, limiting access to PHI, training staff, and maintaining your own safeguards. This page is general information, not legal advice; confirm current terms with Cisco Webex.
Frequently asked questions
Does Cisco Webex sign a BAA?
Yes. Cisco will sign a BAA with covered entities and business associates; confirm eligible service scope. A signed BAA is required before any PHI is involved.
Is Cisco Webex HIPAA compliant out of the box?
No software is "HIPAA compliant" by itself. Even when Cisco Webex offers a BAA, you are responsible for signing it, configuring the product correctly, restricting access, and maintaining your own administrative, physical, and technical safeguards.
What should I check before using Cisco Webex with PHI?
Webex is not HIPAA compliant out of the box — correct configuration and a signed BAA are both required.