Is GoToMeeting HIPAA Compliant? BAA, Encryption & Settings

GoToMeeting can be used in a HIPAA-compliant way, but it doesn’t come that way out of the box. GoTo, the company behind GoToMeeting, offers a Business Associate Agreement (BAA), which is the legal contract healthcare organizations need before using any third-party platform to handle protected health information (PHI). Without that signed BAA, no video conferencing tool is HIPAA compliant, regardless of its security features.

Getting to compliance requires both the legal agreement and deliberate configuration choices on your end. Here’s what that looks like in practice.

The Business Associate Agreement

HIPAA requires any vendor that could access, transmit, or store patient information to sign a BAA with the healthcare organization. GoTo publishes a Business Associate Addendum that takes effect either when you sign an order that incorporates it or when you begin using the service after it’s been published to GoTo’s website. This means the BAA is available as a standard part of doing business with GoTo rather than something you need to negotiate from scratch, which isn’t the case with every video platform.

If you’re evaluating GoToMeeting for telehealth or internal healthcare communications, securing this BAA is step one. Without it, even perfectly configured security settings won’t satisfy a HIPAA audit.

Encryption and Data Protection

GoToMeeting’s technical infrastructure aligns with what HIPAA’s security rule demands for protecting electronic PHI. The platform uses several layers of encryption depending on the type of data being transmitted or stored.

For data in transit, GoTo relies on TLS (the same protocol that secures online banking) for all web connections, APIs, and internal services. Voice calls are protected using an audio encryption protocol built on AES-128 at minimum, and non-media data like chat messages travels over TLS-secured channels. Screen sharing and other session media use additional protections including DTLS and SRTP.

For data at rest, the protections are stronger. Cloud recordings are stored in Amazon Web Services (AWS) S3 with AES 256-bit encryption, which is the widely accepted standard for protecting stored data. Profile data, session reports, chat messages, uploaded files, and transcription audio files all receive the same AES 256-bit encryption at rest. Audio files used for transcription are encrypted during processing and deleted immediately after the speech-to-text conversion finishes.

Cloud recordings are automatically deleted after one year of storage on a rolling basis.

Meeting Security Features You Should Enable

Encryption protects data from outside interception, but HIPAA also requires access controls, meaning only authorized people should be able to join a session where PHI might be discussed. GoToMeeting provides several features to lock down individual meetings, though you need to actively turn them on.

Meeting passwords are the most straightforward control. Organizers can require a password for any scheduled meeting, and attendees must enter it before joining. One important detail: password-protected meetings can only be recorded locally, not to the cloud. If your compliance workflow depends on cloud recordings, this creates a tradeoff you’ll need to plan around: a session that needs both a password and a recording has to be recorded locally, so your retention and access policies must cover those local files as well.

Beyond passwords, GoTo’s HIPAA guidance for its communication products covers four key areas: access controls and authentication to limit who can reach communications features, encryption for PHI in transit and at rest, audit logging that tracks administrative changes and access activity, and integrity safeguards for stored data like voicemail, recordings, and faxes. GoTo publishes a configuration guide with specific feature recommendations so your IT team knows exactly which settings to adjust.

Third-Party Security Audits

GoTo undergoes SOC 2 Type II audits, which are independent assessments of how a company handles data security, availability, and confidentiality over a sustained period (not just a single snapshot). SOC 2 Type II is widely considered the benchmark for cloud service providers handling sensitive data. GoTo also publishes SOC 3 reports, the shareable version of those audit results, which you can download from their product resources page.

A SOC 2 Type II audit isn’t a HIPAA certification (no such certification officially exists), but it validates that GoTo’s internal controls meet rigorous security standards. For healthcare organizations building a compliance case, having a vendor with current SOC 2 documentation makes the risk assessment process considerably smoother.

What Makes It Compliant vs. What Doesn’t

The distinction worth understanding is that GoToMeeting provides the tools and legal framework for HIPAA compliance, but compliance itself is a shared responsibility. The platform won’t stop a user from screen-sharing a patient record in an unprotected meeting or forwarding a recording to an unsecured email address. Your organization still needs policies governing how staff use the platform, training on what can and can’t be shared during sessions, and proper configuration of every security setting GoTo makes available.

In practical terms, a healthcare organization using GoToMeeting in a HIPAA-compliant way will have the BAA executed, meeting passwords enabled for any session involving PHI, audit logs reviewed regularly, cloud recording settings aligned with their data retention policies, and staff trained on secure use. Skip any of those steps and the platform’s technical safeguards alone won’t protect you in a compliance review.