Is FaceTime HIPAA compliant?

Due in large part to the coronavirus pandemic, 91 percent of medical practitioners are expected to offer telehealth services by the end of 2020. Working with patients in a virtual setting demands the help of video tools and chat applications, like Apple’s FaceTime.

Similar to Skype and Google Hangouts, FaceTime allows you to conduct one-on-one video calls between newer iPhones, iPads, iPod touch devices, and Mac notebooks and desktops. But before using FaceTime for patient communication, it’s important to ask, Is FaceTime HIPAA compliant?

So, is it?

In order for FaceTime — or any other tool — to be HIPAA compliant, the company that makes that tool must sign a business associate agreement (BAA) before sharing, transmitting, storing, or maintaining protected health information (PHI).

Simply put, a BAA is a contract between the business associate — in this case, Apple — and the healthcare service provider, such as the clinic that uses FaceTime for telehealth purposes. Both parties must agree to undertake certain responsibilities in managing PHI. One of the stipulations in HIPAA states that the BAA must ensure that “the business associate will not use or further disclose the protected health information other than as permitted or required by the contract or as required by law.” In other words, the contractor working with the healthcare provider will not use PHI in any way besides what is stated in their contract or necessary for legal use.

In the case of Apple, this makes little difference as the tech giant doesn’t seem to have any intention of entering into a BAA with healthcare companies. Furthermore, it even states that its iCloud data storage service is not HIPAA compliant and should not be used by healthcare organizations.

Because Apple won’t sign a BAA for FaceTime, that seems to indicate that FaceTime isn’t a HIPAA-compliant service. Yet it’s not quite that simple. Entities that are defined as “business associates” for the purpose of HIPAA must sign BAAs, but entities defined as “conduits” are exempt. If FaceTime is a conduit, and not a business associate, then healthcare organizations can use FaceTime without a BAA. So which is it?

What is the HIPAA Conduit Exception Rule?

The HIPAA Conduit Exception Rule basically says that if an organization acts only as a conduit to PHI — that is, it only transfers health data but doesn’t have access to it or store it — then it is exempt from the BAA requirement.

Unfortunately, Apple is a cloud service provider (CSP), and CSPs are generally not considered conduits. According to HHS guidance on HIPAA and cloud computing, cloud service providers that receive or store PHI are in fact business associates. This is the case even if the CSP can’t view the data because it’s encrypted.

When it comes to using PHI on FaceTime, Apple is indeed a business associate, and is not covered by the conduit exception rule.

All messages sent via FaceTime are secured by end-to-end encryption, and only authorized users can access an account using their Apple ID. Apple also doesn’t retain any information delivered via FaceTime — which would suggest FaceTime can be used in a HIPAA compliant manner — but it is possible to use FaceTime in a non-compliant way. It depends much more on the user than on the technology.

In addition, as mentioned above, since Apple is considered a business associate, the company must sign a BAA before sharing, transmitting, storing, or maintaining PHI using Apple services. Since Apple won’t sign a BAA and isn’t covered under the HIPAA Conduit Exception Rule, FaceTime is not HIPAA compliant — under normal circumstances.

A HIPAA exemption

However, the coronavirus pandemic has brought about anything but normal circumstances. Under the shadow of COVID-19, enforcement of HIPAA regulations was relaxed, specifically relating to telemedicine — including FaceTime. The Office for Civil Rights (OCR) clearly deemed it necessary to relax the rules to allow for much-needed telehealth capabilities nationwide.

Providers won’t be penalized for using these services, even if they’re not fully HIPAA compliant, as long as they inform their patients about the potential privacy risks and protect sensitive patient information.

But this current exemption won’t last, which means you can’t rely on popular consumer applications like FaceTime as a long-term solution. It’s important to set up HIPAA-compliant video conferencing software options as soon as possible.

Make sure that your software provider will sign a BAA to ensure you’re complying with HIPAA standards. And ensure that you and your patients can easily use the software — now and in the future.