Does FaceTime enable HIPAA compliance?

Due in large part to the coronavirus pandemic, 91 percent of medical practitioners are expected to offer telehealth services by the end of 2020. Working with patients in a virtual setting demands the help of video tools and chat applications, like Apple’s FaceTime.

Similar to Skype and Google Hangouts, FaceTime allows you to conduct one-on-one video calls between newer iPhones, iPads, iPod touch devices, and Mac notebooks and desktops. But before using FaceTime for patient communication, it’s important to ask, can you be HIPAA-friendly when using FaceTime?

Pro Tip

Keep patient data safe with Jotform’s medical forms that help you achieve HIPAA compliance. You can even integrate them with video conferencing software!

So, is it?

In order to use FaceTime — or any other tool — in a HIPAA-friendly manner, one step you should consider is entering into a business associate agreement (BAA) with the provider of the tool before sharing, transmitting, storing, or maintaining protected health information (PHI) through it.

Simply put, a BAA is a contract between the business associate — in this case, Apple — and the healthcare service provider, such as the clinic that uses FaceTime for telehealth purposes. Both parties must agree to undertake certain responsibilities in managing PHI. One of the stipulations in HIPAA states that the BAA must ensure that “the business associate will not use or further disclose the protected health information other than as permitted or required by the contract or as required by law.” In other words, the contractor working with the healthcare provider will not use PHI in any way besides what is stated in their contract or necessary for legal use.

In the case of Apple, this point is largely moot, since the tech giant has stated, or at least implied, that it won’t enter into a BAA with healthcare companies. Furthermore, Apple explicitly states that its iCloud data storage service does not enable HIPAA compliance and should not be used by healthcare organizations for that purpose.

This seems to indicate that FaceTime can’t be used in a way that helps with HIPAA compliance. Yet it’s not quite that simple. Entities that are defined as “business associates” for the purpose of HIPAA must sign BAAs, but entities defined as “conduits” are exempt. If FaceTime is a conduit, and not a business associate, then healthcare organizations can use FaceTime without a BAA. So which is it?

What is the HIPAA Conduit Exception Rule?

The HIPAA Conduit Exception Rule basically says that if an organization acts only as a conduit to PHI — that is, it only transfers health data but doesn’t have access to it or store it — then it is exempt from the BAA requirement.

Unfortunately, cloud service providers (CSPs) are generally not considered conduits. According to HHS guidance on HIPAA and cloud computing, cloud service providers that receive or store PHI are in fact business associates. This is the case even if the CSP can’t view the data because it’s encrypted. If and to the extent that Apple is a CSP, then the conduit exemption may not apply to it.

Apple states that messages sent via FaceTime are secured by end-to-end encryption, and only authorized users can access an account using their Apple ID. Apple states that it also doesn’t retain any information delivered via FaceTime — which would suggest FaceTime can be used in a HIPAA-friendly manner — but it is possible to use FaceTime in a non-compliant way. It depends much more on the user than on the technology.
