FaceTime, Apple's method of making video calls between its devices, has become increasingly popular since its introduction, helped by the large number of Apple devices on the market, but is its use HIPAA compliant? Could organizations that are subject to HIPAA rules use FaceTime to share or transfer protected health information (PHI)?
Here, we will study the question of whether the security measures enacted to ensure the confidentiality of FaceTime communications are sufficient to align with those called for under the Health Insurance Portability and Accountability Act, more commonly known as HIPAA. As well as this protective aspect, we will also look at some of the required administrative aspects.
Apple’s stance on Business Associate Agreements
In order for use of a service or technology to be HIPAA compliant, the service provider normally has to enter into a Business Associate Agreement (BAA) with the HIPAA-covered entity engaging their services. It appears from online searches and official websites that Apple does not become a party to such BAAs. For example, Apple has officially noted in the past that one of their services, iCloud, should not be used by any HIPAA-covered organization for the storage or processing of PHI and that they would not sign a BAA to cover its use.
We can therefore conclude that Apple will not enter into a BAA to cover the use of FaceTime, which may lead us to presume that FaceTime cannot be used in compliance with HIPAA. However, given the nature of FaceTime, this may not be entirely true.
Does Use of FaceTime Require a BAA?
Some methods of communication do not require BAAs to be signed between the service provider and the HIPAA-covered entity, because the provider is not classed as a Business Associate. This is the case for services such as the US Postal Service. This type of service provider falls under the scope of the HIPAA Conduit Exception Rule, which exempts conduits of information from the administrative burden of BAAs. As well as the postal service, internet service providers and telephone line providers are exempt. Does this rule also apply to FaceTime?
Crucial to this determination is the question of whether the service provider stores, accesses, or has the means to decrypt any PHI that may pass through the conduit. Cloud storage providers, for example, even where they do not access and cannot decrypt the information stored on their servers, are not typically considered by the United States Department of Health and Human Services to be exempt from BAAs under the Conduit Exception Rule, as that exception is reserved for services that transmit information in a transient manner only.
There is some debate about whether FaceTime is a conduit. The United States Department of Veterans Affairs has used FaceTime to transmit PHI, which would lead many to think that its use is therefore HIPAA compliant. Given the very delicate nature of this question, however, it may be preferable and more prudent to procure the services of one of the many other video call providers who will sign a BAA with HIPAA-covered entities.