HIPAA, FINRA, and Your Sales Videos: A Broker's Guide to Compliant Client Communication
TL;DR
Video communication and screen sharing are no longer optional in insurance sales. Current and potential clients expect them. But brokers operating in regulated sectors must balance convenience with compliance.
Remember these critical points:
- HIPAA requires Business Associate Agreements, encryption in transit and at rest, access controls, and audit trails for any system handling PHI
- FINRA mandates record retention, supervisory review, and downloadable audit trails for business communications
- Popular consumer video tools may lack the compliance features insurance brokers need
- Platforms like CrankWheel designed for regulated industries offer stronger compliance support
- Even with compliant tools, brokers must follow proper procedures, train staff, and maintain organized records
The stakes are high, but the path forward for HIPAA and FINRA compliant video communication is clear. Vet your vendors carefully, implement strong internal procedures, and train your team to use HIPAA and FINRA compliant tools correctly.
Insurance brokers face a unique challenge: clients expect fast, personalized service through video calls and screen sharing, but one misstep with Protected Health Information (PHI) or client financial data can trigger severe regulatory penalties. A single recorded Zoom call discussing policy details without proper safeguards could result in HIPAA fines of up to $50,000 per violation, or in FINRA sanctions.
The good news? You don’t need to choose between modern sales tools and HIPAA and FINRA regulatory compliance. This post will guide you through the specific requirements for HIPAA and FINRA compliant video communication, evaluate popular platforms against those standards, and provide a practical checklist to protect your business and your clients.

The Compliance Minefield: Why HIPAA and FINRA Compliant Video Communication is Critical
When you share a screen showing policy options, discuss a client’s medical history for underwriting, or present retirement portfolio projections, you’re handling sensitive information that triggers multiple layers of regulatory oversight, including HIPAA and FINRA.
Many brokers assume their familiar video tools (Zoom, Google Meet, or consumer-grade screen sharing platforms) provide adequate protection. This isn’t always the case under HIPAA and FINRA rules.
HIPAA’s Security Rule requires specific safeguards for any system that stores, transmits, or processes PHI. For a video or screen-sharing platform, this means:
- Business Associate Agreements (BAAs): Any vendor handling PHI on your behalf must sign a legally binding agreement that makes it directly responsible for safeguarding that PHI and obligates it to report breaches to you.
- Encryption: Data in transit (the live call) and at rest (stored recordings, transcripts, chat) should use industry-standard encryption. Encryption is formally an “addressable” specification under the Security Rule, which means you must either implement it or document why an equivalent control is reasonable; in practice, unencrypted recordings of client sessions are indefensible.
- Access Controls: Systems must restrict who can view PHI, with unique user accounts and authentication rather than shared logins.
- Audit Trails: Detailed records of who accessed what information and when.
For insurance brokers working with health, life, or Medicare products, even mentioning a client’s medication history or pre-existing condition during a screen share is a transmission of PHI.
Without proper safeguards, you’re exposed to HIPAA violations, and because the same session is usually also a business record, to FINRA violations as well.
FINRA adds another layer of complexity to video communication compliance. Rule 2210 classifies electronic communications into categories (correspondence, retail communications, and institutional communications), each with distinct supervision and retention requirements.
When you run a virtual sales presentation or record a screen share walking through policy illustrations, you’re creating business records that must be:
- Retained: SEC Rule 17a-4 requires broker-dealers to preserve electronic communications for at least three years (six years for certain records), with the first two years in an easily accessible location.
- Supervised: All business communications require supervisory review under FINRA Rule 3110.
- Retrievable: Records must be downloadable in human-readable formats and produced promptly for regulatory examination.
Using a platform that doesn’t support these requirements puts your license at risk. FINRA can impose fines, require corrective action plans, or suspend your ability to operate.
What Does ‘Compliant’ Really Mean? A Broker’s Framework for HIPAA & FINRA Rules
Before evaluating specific platforms, let’s establish clear criteria. A compliant video and screen-sharing solution for insurance brokers must meet these non-negotiable requirements:
HIPAA Technical Safeguards
Business Associate Agreement (BAA): The vendor must willingly sign a BAA for all plans, not just enterprise tiers. This contract legally makes the vendor responsible for PHI protection and obligates them to report breaches. If a vendor refuses to sign a BAA or only offers it to premium customers, they acknowledge they cannot guarantee HIPAA compliance for standard users.
Encryption in Transit and at Rest: Expect Advanced Encryption Standard (AES) 256-bit encryption for stored data and Transport Layer Security (TLS) 1.2 or higher for data in transit; these are the baselines auditors treat as industry standard. This applies to video streams, screen shares, chat messages, and any recordings. Consumer-grade tools often encrypt data in transit but leave recordings unencrypted on shared servers. Note that this is not the same thing as end-to-end encryption, where only the participants hold the keys and the vendor cannot read the content. Recording, transcription, and supervisory review all require the platform to process the content, so the realistic target for a regulated broker is strong transport encryption plus encrypted storage under a signed BAA, not vendor-blind end-to-end encryption.
Access Controls and Authentication: The platform must restrict access to PHI through multi-factor authentication, unique session IDs, and role-based permissions. Waiting rooms, password protection, and the ability to remove unauthorized participants are essential features.
Audit Logs: HIPAA requires detailed tracking of all access to PHI. Your platform should automatically log who joined sessions, what was shared, when recordings were accessed, and any changes to permissions. These logs must be tamper-evident (an auditor must be able to tell if an entry was altered or removed) and readily available for regulatory audits.
FINRA Record-Keeping and Supervision Requirements
Record Retention Capabilities: Your platform must allow you to retain all business communications for the periods specified under SEC Rule 17a-4. For most communications, this means three years, with the first two years easily accessible. Critical records like account information require six-year retention.
According to FINRA Rule 2210(b)(4), members must maintain records including:
- A copy of the communication and dates of first and last use.
- The name of any registered principal who approved the communication.
- For communications not pre-approved, the name of the person who prepared or distributed it.
- Source information for any data, charts, or illustrations used.
This means if you conduct a screen share showing policy comparisons or portfolio performance, you need a platform that can record the session, timestamp it, and store it securely with metadata about participants and approvals.
Supervisory Review Mechanisms: FINRA Rule 3110 requires all correspondence and communications to be supervised and reviewed. Your platform should facilitate this by allowing designated supervisors to access session recordings, review shared content, and document their oversight. Some platforms offer manager dashboards specifically for this purpose.
Download and Transfer Capabilities: SEC Rule 17a-4(f) specifies that electronic records must be readily downloadable “in human readable and reasonably usable electronic formats” upon request by regulatory authorities. Your video platform must allow you to export recordings, transcripts, and metadata without vendor intervention.
Audit Trail for Electronic Records: If your platform uses an electronic record keeping system, it must either preserve records in a non-rewriteable, non-erasable (WORM) format OR, under the 2022 amendments to Rule 17a-4, maintain a complete time-stamped audit trail showing all modifications, deletions, and access events. This audit trail itself must be preserved for the same retention period as the records it tracks.
Evaluating Popular Platforms: Which Tools Meet Compliance Standards?
BombBomb: Video Messaging with Partial Compliance
BombBomb markets itself as a video email platform for sales professionals and has gained traction among insurance agents, but it lacks HIPAA and FINRA compliance documentation. According to their Data Security FAQs, BombBomb encrypts all customer data at rest using AES-256 and in transit using TLS 1.2+. They are SOC 2 Type II-compliant and implement role-based access controls.
HIPAA Considerations: BombBomb states they comply with GDPR, CCPA, CAN-SPAM, and CASL, but their public documentation does not mention HIPAA compliance or Business Associate Agreements. Without a signed BAA, brokers cannot use BombBomb for communications involving PHI. This is a critical gap for health and Medicare insurance professionals.
FINRA Considerations: BombBomb allows users to delete videos permanently, which creates a record retention challenge. While brokers can export videos before deletion, there’s no built-in mechanism to enforce FINRA’s retention requirements or prevent premature deletion of business records. The platform lacks supervisory review tools or audit trails showing when principals approved communications.
Verdict: BombBomb offers strong encryption and secure storage, but the absence of explicit HIPAA/BAA support and FINRA-specific record retention features makes it risky for regulated insurance brokers handling PHI or maintaining business records.
Vidyard: Business Video Platform Without Healthcare Focus
Vidyard is an enterprise video platform used for sales and marketing. Like BombBomb, their public materials emphasize general security practices, but do not prominently feature HIPAA and FINRA compliance. Research into Vidyard’s compliance offerings found no publicly available information confirming BAA availability or HIPAA-specific controls.
HIPAA Considerations: Without confirmation of BAA support and healthcare-specific features, brokers should assume Vidyard does not meet HIPAA requirements for PHI transmission.
FINRA Considerations: Vidyard offers video analytics, CRM integrations, and content management features that could support record-keeping, but there’s no evidence of FINRA-specific retention policies, supervisory review workflows, or audit trails meeting SEC Rule 17a-4 standards.
Verdict: Vidyard may work for general marketing videos, but insurance brokers conducting regulated sales activities should seek platforms with explicit compliance certifications.
CrankWheel: Screen Sharing Built for Regulated Industries
CrankWheel takes a different approach by focusing specifically on instant, no-download screen sharing designed for sales professionals in regulated sectors. According to their financial services page, CrankWheel is built to “accommodate the often stringent requirements we make, being a financial institution,” as noted by Már Másson, Head of Digital Business and Innovation at Íslandsbanki bank.
Key Compliance Features:
- No‑Download Security: Viewers join CrankWheel sessions instantly through a browser link, with no software installation required, so there is no client to install or patch on the viewer’s side and no reason for prospects to resort to unapproved workarounds.
- Targeted Screen Sharing: Presenters can share only a specific browser tab, application window, or cropped area, preventing accidental exposure of sensitive information.
- Audit Logs and Session Recording: Detailed audit logs track session start/end times, participants, and viewer engagement. Session recordings are what produce the retained business record, and logs plus recordings together let a supervisor reconstruct what was shown and resolve disputes.
- Remote Control with Security Boundaries: Viewers can interact with the presenter’s screen within defined boundaries; control ends automatically if focus changes.
- Encryption and Data Security: CrankWheel encrypts data in transit and implements access controls. Their Trust Center confirms HIPAA compliance and audited security standard compliance (SOC 2 Type II and ISO 27001).
HIPAA Compliant, BAA Available: CrankWheel’s Trust Center confirms HIPAA compliance. They can enter into BAAs both with larger organizations and, on a self-service basis, with independent insurance agents and brokers.
FINRA Considerations: CrankWheel’s session recording, audit logging, and metadata tracking support FINRA record-keeping requirements. The platform allows recordings to be exported and stored in compliance with retention schedules, and organizations can choose to disallow deletion of recordings from the CrankWheel platform. Recording retention is configurable per account and can be extended to 10 years or longer if required. Supervisors can review session recordings and access audit trails, facilitating the supervisory review required under Rule 3110.
Verdict: CrankWheel is purpose-built for regulated sales environments and offers strong technical controls. With a signed BAA and retention procedures in place, brokers can use the platform for HIPAA-regulated PHI as well as for FINRA-regulated financial services communications.
Your Compliance Checklist: Vetting Any Video Platform Before You Hit Record
Essential Questions to Ask Every Vendor
1. Do you sign a Business Associate Agreement (BAA) for all plan tiers?
If the answer is no or “only for enterprise customers,” the platform cannot be used for HIPAA-regulated communications. Some vendors offer BAAs only to large organizations, leaving individual brokers and small agencies exposed.
2. What encryption standards do you use for data in transit and at rest?
Require confirmation of TLS 1.2+ for data in transit and AES-256 for data at rest. Ask specifically about recordings, transcripts, and any metadata storage. Generic claims like “we use industry-standard encryption” are inadequate. Demand specifics.
3. Where is client data stored, and who has access?
Verify that data is stored in secure, compliant data centers. Confirm that only authorized personnel with legitimate business needs can access your data, and that the vendor maintains access logs.
4. Do you provide complete audit trails for user activity?
The platform should automatically log all access to recordings, who joined sessions, what was shared, and when recordings were viewed or exported. These logs must be tamper-evident and retained for your required record-keeping period.
5. How do you support FINRA record retention requirements?
Ask whether the platform can enforce retention policies preventing premature deletion, whether recordings can be exported in standard formats, and whether the system meets SEC Rule 17a-4 requirements for electronic record keeping (including non-rewriteable/non-erasable storage or complete audit trails).
6. What supervisory review tools do you offer?
FINRA Rule 3110 requires supervision of business communications. Confirm that designated principals can access recordings, review shared content, document approvals, and monitor usage—all without compromising client confidentiality.
7. What happens to data if we terminate our subscription?
Ensure you can export all records before cancellation and that the vendor has a clear data retention and deletion policy. FINRA requires you to maintain records even after changing vendors.
Implementation Best Practices for HIPAA and FINRA compliance
- Establish Clear Policies: Document when and how to use video tools, what information can be discussed, and procedures for obtaining client consent before recording sessions.
- Train Your Team: All agents must understand HIPAA and FINRA requirements, how to use the platform’s security features correctly, and how to handle potential breaches or technical issues during client calls.
- Obtain and Document Consent: Before recording any session, clearly state your intent (“I’m going to record this session for our records and to help prepare your policy documents”) and document the client’s agreement in your CRM.
- Implement Pre‑Session Hygiene: Close unrelated applications, clear your desktop of sensitive information, and verify you’re sharing only the intended window or tab before starting any screen share.
- Review and Audit Regularly: Designate supervisors to review recorded sessions, verify that agents are following security procedures, and conduct periodic audits of retention practices.
Avoiding Critical Errors: 3 Compliance Mistakes Brokers Make Even With the Right Tools
Mistake #1: Discussing PHI Before Securing the Session
Brokers often begin a conversation over a standard phone line or an unapproved chat tool, discuss medical history or account details there, and only then switch to the approved video platform. The PHI shared before the switch was handled outside the controls your BAA and audit logs cover, and there is no record of it. Move to the secured session before any PHI or specific financial details are discussed.
Mistake #2: Failing to Use the Platform’s Security Features
Many platforms offer waiting rooms, password protection, and selective screen sharing, but brokers skip these features to save time. This convenience creates vulnerabilities. Always enable available security controls, even if it adds 30 seconds to your setup time.
Mistake #3: Inadequate Record Retention Procedures
Recordings are useless if you can’t find them during an audit. Implement a systematic approach to naming, tagging, and organizing session recordings. Include client names, policy types, dates, and the approval of the supervising principal. Store recordings in a central, backed‑up location that enforces your retention schedule.
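The two requirements above that are easiest to get wrong in practice are the tamper-evident audit trail (from the FINRA record-keeping section) and the retention schedule this mistake describes. The following is an added example, written for this article and not CrankWheel’s or any other vendor’s code, of how a firm can keep its own index of exported recordings: an append-only hash chain that detects edits, plus retention checks that refuse a deletion before the period has run. It assumes recordings are exported to the firm’s own storage and that the retention clock starts on the session date (starting it at year end, as some firms do, only lengthens the period). All clients, principals and recordings in it are constructed sample data.

```python
"""Tamper-evident retention ledger for exported screen-share recordings.

Added example, not vendor code. Assumes recordings are exported to the
firm's own storage and indexed here, with the retention clock starting on
the session date. Retention periods are the ones the article quotes from
SEC Rule 17a-4 (three years, first two easily accessible, six for some).
"""
import hashlib
import json
from dataclasses import asdict, dataclass, replace
from datetime import date

GENESIS = "0" * 64          # prev_hash of the first entry in the chain
EASY_ACCESS_YEARS = 2       # first two years must be easily accessible


def add_years(iso_day: str, years: int) -> str:
    """Add whole years to an ISO date; a 29 Feb start lands on 28 Feb."""
    d = date.fromisoformat(iso_day)
    try:
        return d.replace(year=d.year + years).isoformat()
    except ValueError:      # 29 Feb, target year is not a leap year
        return d.replace(year=d.year + years, day=28).isoformat()


@dataclass(frozen=True)
class Entry:
    seq: int
    event: str            # recorded | reviewed | exported | deleted
    recording_id: str
    session_date: str     # ISO date of the client session
    client: str
    policy_type: str
    principal: str        # registered principal who reviewed, or ""
    content_sha256: str   # hash of the exported recording file
    retention_years: int  # 3 for most communications, 6 for account records
    prev_hash: str
    entry_hash: str = ""

    def digest(self) -> str:
        fields = {k: v for k, v in asdict(self).items() if k != "entry_hash"}
        return hashlib.sha256(
            json.dumps(fields, sort_keys=True).encode()).hexdigest()


class Ledger:
    """Append-only hash chain: each entry commits to the previous one."""

    def __init__(self) -> None:
        self.entries: list[Entry] = []

    def append(self, **fields) -> Entry:
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        e = Entry(seq=len(self.entries), prev_hash=prev, **fields)
        e = replace(e, entry_hash=e.digest())
        self.entries.append(e)
        return e

    def verify(self) -> bool:
        """False if any entry was edited, removed or reordered."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e.seq != i or e.prev_hash != prev or e.entry_hash != e.digest():
                return False
            prev = e.entry_hash
        return True

    def latest(self, recording_id: str) -> Entry:
        return [e for e in self.entries if e.recording_id == recording_id][-1]


def retention_expiry(entry: Entry) -> str:
    return add_years(entry.session_date, entry.retention_years)


def easy_access_until(entry: Entry) -> str:
    return add_years(entry.session_date, EASY_ACCESS_YEARS)


def deletion_allowed(entry: Entry, today: str) -> bool:
    return today >= retention_expiry(entry)   # ISO strings sort by date


def _meta(e: Entry) -> dict:
    keep = ("recording_id", "session_date", "client", "policy_type",
            "principal", "content_sha256", "retention_years")
    return {k: getattr(e, k) for k in keep}


def record_deletion(ledger: Ledger, recording_id: str, today: str) -> Entry:
    """Log a deletion only once the retention period has run."""
    last = ledger.latest(recording_id)
    if last.event == "deleted":
        raise ValueError(f"{recording_id} already deleted")
    if not deletion_allowed(last, today):
        raise PermissionError(
            f"{recording_id} retained until {retention_expiry(last)}")
    return ledger.append(**{**_meta(last), "event": "deleted"})


def sample_ledger() -> Ledger:
    """Constructed sample data: not a real client, principal or recording."""
    led = Ledger()
    fake_file = b"constructed recording bytes"
    led.append(event="recorded", recording_id="rec-0001",
               session_date="2024-02-29", client="A. Example",
               policy_type="medicare-advantage", principal="",
               content_sha256=hashlib.sha256(fake_file).hexdigest(),
               retention_years=3)
    led.append(event="reviewed",
               **{**_meta(led.entries[0]), "principal": "J. Principal"})
    return led


def tamper(ledger: Ledger) -> Ledger:
    """Quietly rewrite the client on the first entry, as an insider might."""
    bad = Ledger()
    bad.entries = list(ledger.entries)
    bad.entries[0] = replace(bad.entries[0], client="B. Someone")
    return bad
```

The chain gives you the “complete time-stamped audit trail” alternative to WORM storage in miniature: every edit, deletion or reordering breaks `verify()`, and a deletion that is attempted before `retention_expiry` is refused and never logged. In production you would write each entry to append-only storage you do not control yourself (or anchor the latest `entry_hash` somewhere the author of the ledger cannot alter), and check the recording file against `content_sha256` before relying on it in an examination.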
Frequently Asked Questions About Broker HIPAA and FINRA Compliance
Can I use Zoom or Microsoft Teams if I upgrade to their healthcare plans?
Both Zoom and Microsoft offer HIPAA-eligible versions with signed BAAs. Zoom for Healthcare, and Microsoft 365 (which covers Teams under Microsoft’s BAA), can work for insurance brokers handling PHI, but they require configuration to enable all security features, and recordings must be carefully managed to meet FINRA retention requirements. Their default join flow also prompts clients to install an app (joining from a browser is possible but less prominent), which adds friction to the sales process.
What if my client insists on using their own video platform?
You control the sales process. Politely explain that regulations require you to use secure, approved platforms for discussing policy details and personal information. Most clients appreciate your professionalism and commitment to protecting their data. If a client refuses, document their decision and limit the discussion to general information only: no PHI or specific financial details.
Do I need a BAA if I’m only discussing life insurance, not health insurance?
Life insurance applications often require medical underwriting, which involves discussing health history, medications, and medical conditions, all of which is PHI when handled by a HIPAA covered entity or its business associate. Even if you’re not a covered entity, maintaining HIPAA-level protections builds client trust and prepares you for evolving regulations.
How long do I need to keep screen-sharing recordings under FINRA rules?
Most business communications must be retained for three years under SEC Rule 17a‑4, with the first two years easily accessible. However, records related to account opening and certain disclosures require six‑year retention. When in doubt, consult your compliance officer or retain records for the longer period.
What should I do if I accidentally share sensitive information during a screen share?
Immediately stop sharing your screen, acknowledge the issue with the client, and document the incident according to your firm’s breach notification procedures. Under HIPAA, the firm must assess whether the disclosure is a reportable breach (the risk assessment considers what was exposed, who saw it, whether it was actually viewed, and how far the risk has been mitigated). If it is, affected individuals must be notified without unreasonable delay and no later than 60 days after discovery; breaches affecting fewer than 500 individuals are reported to the Department of Health and Human Services within 60 days after the end of the calendar year in which they were discovered, while breaches affecting 500 or more must be reported to HHS within 60 days of discovery. For FINRA purposes, report any potential violations immediately to your compliance officer.
Are there affordable compliant options for independent brokers?
Yes. Platforms like CrankWheel offer low-cost plans with core security features and enterprise tiers that remain affordable for small agencies. The cost of compliance is always less than the cost of a single regulatory violation.
What is the most important security feature for HIPAA-compliant video calls?
There is no single feature: a signed Business Associate Agreement combined with encryption in transit (TLS 1.2+) and at rest (AES-256), unique user authentication, and audit logging is what keeps PHI protected throughout the session and afterwards in the recording.
Where can I find a list of video platforms that offer a BAA?
Check the vendors’ Trust Center or compliance pages; reputable platforms such as CrankWheel, Zoom for Healthcare, and Microsoft 365 (which covers Teams) publicly document BAA availability.
How can I quickly verify that a recording meets FINRA retention standards?
Use a platform that timestamps recordings, stores them in a non-erasable format or keeps a complete audit trail of changes, and allows export in human-readable files; then confirm the retention schedule aligns with SEC Rule 17a-4.
Should I choose a platform with built-in supervisory dashboards or integrate a third-party tool?
A native supervisory dashboard simplifies compliance by centralizing review and approval workflows, reducing the risk of gaps that can occur with fragmented third-party integrations.
Ready to see how secure screen sharing can accelerate your sales process without compromising compliance? Start your free CrankWheel trial today and experience instant, no-download screen sharing built for regulated professionals.