This revised version of an email I posted on the EDT-List discussion group may be helpful to therapists using Zoom to see patients. Disclaimer: it is based on my current best understanding of Zoom, but it is offered “as is,” with no assertion on my part or on behalf of the IEDTA that it will definitely solve any problems, or that it will definitely not cause problems of its own.
—Nat Kuhn
[Edit: as of 4 April 2020, Zoom is enabling the Waiting Room by default, and enabling passwords on meetings. This link will take you to more information from Zoom. The approach I outline below is what I had worked out, and it still works. However, most people will probably want to use the simpler but still secure approach of creating a new meeting for each session, with a new Meeting ID. To set this up, on the Mac Zoom app, I clicked on the little “v” next to the “New Meeting” button and unchecked “Use my Personal Meeting ID (PMI).” Then to start an appointment, click on “New Meeting,” and send an invitation email to the patient. With passwords and waiting room enabled by default, you should be good. The post below has more explanation, but some of it is now out of date, e.g. because the Waiting Room is now enabled by default.]
The Covid-19 epidemic has led to a huge upswing in the use of Zoom for videoconferencing, which in turn has drawn attention to some of Zoom’s vulnerabilities and to some security flaws. My impression is that this is a reflection of Zoom’s popularity rather than any shoddiness on their part. They seem to be making a good-faith effort to address the reported vulnerabilities.
The most important step is to use the “Waiting Room” feature. When the Waiting Room is enabled, anyone who wants to join the meeting needs to wait until the meeting host (which should be you, the therapist) explicitly decides whether to admit them or not. When someone tries to join, you will hear a chime, and to admit the person you have to click on a button. If you’re with a patient, don’t admit anyone else. It’s as simple as that. No Zoom bombing, no patient collisions. You will need to enable the Waiting Room for your account, and you will also need to turn it on for each “meeting” where you want to use it. [The full Zoom documentation for Waiting Room is here.]
Enabling the Waiting Room for your account
To enable the Waiting Room for your account, log on to Zoom in your browser, go to “Settings” on the left sidebar, and then “In Meeting (Advanced).” Scroll down to “Waiting room.” Turn it on and then click on “All participants.” The different apps have different features and settings available in different places, and the instructions here are very specifically for the web interface.
Understanding Zoom “meetings”
Before we go any further, it will help to understand what a Zoom “meeting” actually is. You might think it is two or more people videoconferencing, and that when you hit “End Meeting” the meeting, uh, ends. Well, not really. What Zoom calls a “meeting” is actually more like a “meeting room.” (Unfortunately, to add to the confusion, there is something called “Zoom Rooms,” which involves physical conference rooms with videoconferencing hardware.) Each “meeting” has a “meeting ID,” a 10-digit number, which is basically the “address” of this meeting room. If you hit “end meeting” and then end it for everyone, the room is emptied out but the “meeting” continues to exist, and people can go back to it and meet there again. How long does it exist for? “A non-recurring meeting ID will expire 30 days after the meeting is scheduled for. You can restart the same meeting ID as many times as you would like, within the 30-day period.” And recurring meetings? “A recurring meeting ID will expire 365 days after the meeting is started on the last occurrence. You can re-use the meeting ID for future occurrences.” So meetings are available outside of their scheduled time, which is good. You could start a meeting early, come back to it, etc., without having to re-enter it on your calendar. (The quotes are from the Zoom documentation on scheduling meetings.)
Whenever you send someone a Zoom invitation, it is to a specific “meeting.” The meeting ID is right there in the link. If they want to join by phone, they need to key in the meeting ID. No one can join the meeting without the meeting ID. So if you do not publish the ID, you should be safe from ZoomBombing, unless someone is trying random 10-digit numbers and hits yours.
Your “Personal Meeting Room”
Every Zoom account comes with a pre-made meeting (your “Personal Meeting Room”), referred to by your “Personal Meeting ID” (PMI), a single 10-digit number that is yours and yours alone. If you pay $15/month, you can choose your own number; in the US, your phone number is a good choice. If I were teaching a class and wanted to have virtual office hours so people could come and go, that’s how I would do it, if I weren’t worried about random people showing up and shouting obscenities. If I were worried about that—because my PMI were published widely—I would enable the Waiting Room for my Personal Meeting Room by going (again on the web) to Meetings > Personal Meeting Room, scrolling down to “Edit this Meeting,” checking the box for “Enable Waiting Room,” and then clicking “Save.”
You can then use your Personal Meeting Room for patients without worrying too much. It is still possible that while you’re with one patient, another patient might try to enter, but as long as you don’t admit them, it’s all fine.
Another approach: one meeting per patient, but not one meeting per session
I actually do not use the Personal Meeting Room with patients. I create a separate “meeting” for each patient. That way, each patient has their own meeting ID, which is more secure. At the same time, the same link works for every one of that particular patient’s appointments. A big advantage is that I can put the meeting on my calendar in various places, and share those calendar events with the patient. That way, they can accept the event, and it then goes into their calendar with the link (and other joining information) embedded right there in the calendar event. (Note that calendar invitations go via email, and it is important for the patient to understand the risks of doing it that way. It is basically the same level of risk as a patient emailing you to set up an appointment.)
If you want to create a meeting for a patient, here’s how:
- Under “Topic” I put something including the patient’s initials (I say “Nat Kuhn MD for AA”, for example.) This title will show up in the patient’s calendar. I don’t put the full name there for confidentiality, just in case.
- Don’t enter time/date under “When.” Go down and click “Recurring meeting.” In the “Recurrence” drop-down box that appears, change from “Daily” to “No fixed time.” This took me a bit to figure out, but it makes things much simpler all of a sudden.
- If “Meeting ID” doesn’t have “Generate Automatically” already selected, click it.
- I have been using passwords but I’m actually not sure I would recommend it; see the discussion at the end of this post. If you want to use a password, check the box. At times Zoom seems to generate a new random password, at times it seems to re-use the same one, so if you want to use one, maybe enter a random 5-digit string. If you don’t want to use a password, make sure “Require meeting password” is unchecked.
- I turn “Video” on for both host and participant, so people mostly don’t have to fumble to turn their camera on, although sometimes they still do. I set Audio to “Telephone and Computer Audio” (occasionally if people are having sound problems, they can also dial in to the meeting and we can get the sound that way. Just be aware that if you do this, Zoom considers your meeting to have three participants, and the free version of Zoom will time out after 40 minutes.)
Then I check “Enable join before host” (which actually probably does nothing), and (important) “Enable waiting room.”
Then hit “Save.” Congratulations, you have created a meeting space personalized to you and that patient, which will continue to exist for a year after the last time you use it. No one can join it unless they have that particular patient’s specific meeting ID (and password, if you have passwords enabled). Even if they get the ID somehow (or guess the 10-digit number), they can’t join the meeting unless you admit them, because you enabled the waiting room. (If the patient is dialing in for the audio, as mentioned above, you will need to admit the phone call as well, but other than that, at the risk of being excessively repetitive, you should never allow anyone else to join if the patient is already there, except by careful pre-arrangement.)
Using the patient’s individual meeting room without calendar automation
When I first posted this, I explained my work flow, which involves Google calendar, but should also work for other calendar programs. Those instructions are still given below, but you do not need to use them. If you do, you should be aware of the security issues involved.
After you create the meeting, you can return to it in the Zoom interface at any time. On the web interface, from the dashboard go to Meetings and look at the “Upcoming Meetings” tab, the same one where you clicked on “Schedule a New Meeting.” (From the zoom.us page you may need to click on “My Account” to get to the dashboard. If you’re not signed in, you will need to sign in first.) Find the “meeting” for your patient (there can be several pages’ worth, and you may need to go to another page.) Click on the topic/title (“Nat Kuhn MD for AA” in the example above.) You will see the “Join URL” there. You can copy it and share it with the patient. You can also click on “Copy the Invitation,” which will allow you to copy the full invitation (including phone joining instructions) to your clipboard. You can paste that into an email. If you’re not using a password for the meeting (see below), you could even leave the link in a phone message: it’s just zoom.us/j/[10-digit meeting ID]. If you’re using a password, the link will be too long.
When you want to start the meeting (just before your appointment), you can click on “Start this Meeting” on the same screen. But you do not need to be logged on to the Zoom web interface; you can just use the same link. Incidentally, you should be able to do this section in other Zoom clients. On the Mac (and I suspect the PC is similar), in the opening window that has a “New Meeting” and a “Join” button, click on “Meetings” in the top bar. Meetings show up on the left; make sure “Upcoming” is clicked. Click on the meeting for your patient. There is a “Copy Invitation” button which copies the invitation to your clipboard, a link to “Show Meeting Invitation” and a “Start” button to start the meeting.
You and the patient can use this link at any time. It does not need to be formally scheduled on any calendar. Of course, you can enter the patient’s appointment on your own calendar manually, and you can even paste the invitation into the notes for the calendar event. Or you can use a more automated work flow, in the next section.
Just a reminder: email is not HIPAA-compliant. Nonetheless, most patients are comfortable with using it to communicate about things like scheduling appointments, even when they would not be comfortable with having details of therapy sessions communicated on an insecure medium. In my initial paperwork, I explain to patients that if they email me, they are consenting to the use of email despite the fact that I cannot guarantee its security.
Scheduling an appointment in the patient’s individual meeting room on a calendar
Here is the work flow I use, which is an alternative to the previous section. Go to “Meetings > Upcoming Meetings.” (Because you created it as a recurring meeting, it is still considered “upcoming,” even though you haven’t actually scheduled it.) Listed there, you should see the meeting you created for the patient (though if you’ve created a bunch it may be on a later page). Click on the title/topic you entered when you created the meeting. (Don’t click on “Schedule a New Meeting,” you already did that.)
Right below “Topic,” it should say “Time,” and then “Recurring meeting.” Then “Add to” with three buttons: Google Calendar, Outlook Calendar (.ics), Yahoo Calendar (Is that a thing? I guess so). I use Google Calendar, and when I click there it goes right to Google’s page that lets me put it in my calendar and allows me to invite the patient under “Guests.” (I usually uncheck the box that allows the patient to invite others.) When this edit calendar page opens, the event time and date is set to right now, so don’t forget to put in the actual date, and actual start and end times. Add whatever recurrence you want, like for weekly appointments. If you do add the patient under “Guests,” they get an email, and they should be able with a click or two to add the event to their calendar and the Zoom invitation with both the joining link and the phone info will be attached to the event. If you use the iCal calendar program on the Mac, click on the “Outlook Calendar (.ics)” button. It will download a “.ics file.” When you open that file, the Mac will prompt you to add it to iCal. You should be able to invite the patient from there, if you want to.
The patient can still have a hard time finding the link, so if they are a minute or two late, I email them the link again.
In my case, I pay $6/month for GSuite, so that my Google calendar is considered HIPAA-compliant. As discussed in more detail above, patients may or may not be comfortable with appointment scheduling information being communicated via email.
OK, what about passwords?
- If someone is randomly guessing the 10-digit meeting ID, they will not be able to get to your waiting room without the 5-digit password, and no one is that lucky.
- Instructions are circulating saying that to be secure you should use passwords, so patients may be concerned that your sessions are not secure if you are not using one.
Patients may also have heard that to be secure, you should “disable screen sharing,” from very reasonable articles like this. This would keep any guests from sharing their screen. In this case that is just your patient, since you won’t be letting anyone else in. It’s good advice if you will have larger, open meetings.
Whatever you decide about passwords, the bottom line is: enable the Waiting Room for your account and for any “meetings” you use with patients. Keep your meeting IDs reasonably private, but if you are using the Waiting Room, it’s not the end of the world if one slips out.