Due in large part to the coronavirus pandemic, 91 percent of medical practitioners are expected to offer telehealth services by the end of 2020. As more healthcare providers choose to meet with patients virtually, it’s important to determine whether or not the services they use are HIPAA compliant.
One popular tool for video communication is FaceTime, a video chat application offered by Apple — very similar to Skype and Google Hangouts. FaceTime allows you to conduct one-on-one video calls between newer iPhones, iPads, iPod touch devices, and Mac notebooks and desktops. But before using FaceTime for patient communication, it’s important to ask: Is FaceTime HIPAA compliant?
So, is it?
In order for FaceTime — or any other tool — to be HIPAA compliant, the company that makes that tool must sign a business associate agreement (BAA) before sharing, transmitting, storing, or maintaining protected health information (PHI).
Simply put, a BAA is a contract between the business associate — in this case, Apple — and the provider that states each party’s responsibility when it comes to the handling of PHI. According to HIPAA, the BAA must also state that “the business associate will not use or further disclose the protected health information other than as permitted or required by the contract or as required by law.”
However, Apple has given no indication that they will sign a BAA with healthcare organizations for any of their services. The only time they mention anything related to their services and HIPAA compliance is in relation to iCloud. Even then, Apple clearly states that it should not be used by healthcare providers or their business associates to create, receive, maintain, or transmit PHI.
Because Apple won’t sign a BAA for FaceTime, that would seem to indicate that FaceTime isn’t a HIPAA-compliant service. However, BAAs only need to be signed by business associates, which is where there’s a little confusion — is Apple considered a business associate or a conduit?
What is the HIPAA Conduit Exception Rule?
The confusion comes in determining whether or not FaceTime is covered under the HIPAA Conduit Exception Rule. To be considered a conduit, the service provider can’t store any ePHI, can’t access ePHI, and can’t have a key to unlock encrypted data. The rule generally applies to entities like the U.S. Postal Service, courier firms, and their electronic equivalents. But since Apple is a cloud service provider (CSP), it may be held to different standards.
CSPs are generally not considered conduits, and according to HHS guidance on HIPAA and cloud computing, “CSPs that provide cloud services to a covered entity or business associate that involve creating, receiving, or maintaining (e.g., to process and/or store) electronic protected health information (ePHI) meet the definition of a business associate, even if the CSP cannot view the ePHI because it is encrypted and the CSP does not have the decryption key.”
This means that when using FaceTime to communicate PHI, Apple is considered a business associate, not a conduit.
All messages sent via FaceTime are secured by end-to-end encryption, and only authorized users can access an account using their Apple ID. Apple also doesn’t retain any information delivered via FaceTime — which would suggest FaceTime can be used in a HIPAA-compliant manner — but it is possible to use FaceTime in a non-compliant way. It depends much more on the user than on the technology.
In addition, as mentioned above, since Apple is considered a business associate, the company must sign a BAA before sharing, transmitting, storing, or maintaining PHI using Apple services. Since Apple won’t sign a BAA and isn’t covered under the HIPAA Conduit Exception Rule, FaceTime is not HIPAA compliant — under normal circumstances.
A HIPAA exemption
However, the coronavirus pandemic has brought about anything but normal circumstances. In March 2020, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) announced that it would relax enforcement of HIPAA regulations during the COVID-19 epidemic, specifically relating to telemedicine — including FaceTime.
Providers won’t be penalized for using these services, even if they’re not fully HIPAA compliant, as long as they inform their patients about the potential privacy risks and protect sensitive patient information.
But this current exemption won’t last, which means you can’t rely on popular consumer applications like FaceTime as a long-term solution. It’s important to set up HIPAA-compliant video conferencing software options as soon as possible.
Make sure that your software provider will sign a BAA to ensure you’re complying with HIPAA standards. And ensure that you and your patients can easily use the software — now and in the future.