FaceTime may be considered HIPAA compliant under certain conditions. Apple applies end-to-end encryption to FaceTime calls, so the content of a call is protected while in transit between the participants' devices. End-to-end encryption protects only the transmission, however, not the endpoints, so healthcare providers must still obtain appropriate patient consent, use the service only when necessary for patient care, and implement additional measures to secure PHI, such as verifying the security of the networks and devices in use and ensuring the confidentiality of the conversation itself (for example, who can see or overhear the call at either end). It should also be noted that Apple refuses to sign a business associate agreement (BAA).
Here, we will study whether the security measures Apple has put in place to ensure the confidentiality of FaceTime communications are sufficient to align with those called for under the Health Insurance Portability and Accountability Act, more commonly known as HIPAA. Alongside this protective aspect, we will also look at some of the administrative requirements that HIPAA imposes.
Apple’s stance on Business Associate Agreements
In order for use of a service or technology to be HIPAA compliant, the service provider normally has to enter into a Business Associate Agreement (BAA) with the HIPAA-covered entity engaging its services. It appears from online searches and official websites that Apple does not become a party to such BAAs. For example, Apple has officially noted in the past that one of its services, iCloud, should not be used by any HIPAA-covered organization for the storage or processing of PHI, and that it would not sign a BAA to cover its use.
We can therefore conclude that Apple will not enter into a BAA to cover the use of FaceTime, which may lead us to presume that FaceTime cannot be used in compliance with HIPAA. However, given the nature of FaceTime as a real-time communication channel rather than a storage service, this may not be entirely true.
Does Use of FaceTime Require a BAA?
Some methods of communication do not require BAAs to be signed between the service provider and the HIPAA-covered entity because the provider is not classed as a Business Associate. This is the case for services such as the US Postal Service. This type of service provider falls under the scope of the HIPAA Conduit Exception Rule, which exempts mere conduits of information from the administrative burden of BAAs. As well as the postal service, internet service providers and telephone line providers are exempt. Does this rule also apply to FaceTime?
Crucial to this determination is whether the service provider stores, accesses, or has the means to decrypt any PHI that passes through the conduit. Cloud storage providers, for example, are not typically considered by the United States Department of Health and Human Services to be exempt from BAAs under the Conduit Exception Rule, even when they cannot access or decrypt the information held on their servers, because the exception is reserved for services that transmit information in a transient manner only and do not retain it.
There is some debate about whether FaceTime is a conduit. The United States Department of Veterans Affairs has used FaceTime to transmit PHI, which would lead many to think that its use is therefore HIPAA compliant. Given the very delicate nature of this question, however, it may be preferable and more prudent to procure the services of one of the many other video call providers who will sign a BAA with HIPAA-covered entities.