FaceTime can be used for HIPAA-regulated communications only in limited circumstances. Apple does not offer a business associate agreement for FaceTime, so its permissibility depends on two things: whether FaceTime can be treated as a conduit, and whether the HIPAA Covered Entity applies the controls required by the HIPAA Privacy Rule and the HIPAA Security Rule around its use.
A business associate agreement is required when a vendor creates, receives, maintains, or transmits protected health information on behalf of a HIPAA Covered Entity, which makes the vendor a Business Associate. Apple gives no indication that it will sign a business associate agreement with healthcare organizations for FaceTime. Apple has also stated that iCloud should not be used by healthcare providers or Business Associates to create, receive, maintain, or transmit protected health information.
Use without a business associate agreement therefore turns on the HIPAA Conduit Exception Rule. A conduit transmits protected health information, stores it only transiently, does not access it, and does not hold a key that could unlock encrypted content. The Office for Civil Rights has stated that cloud service providers are generally not conduits, even when the provider cannot access the encrypted information, because the conduit exception applies only to transmission services in which any storage is transient. Whether FaceTime falls within that exception remains debated.
Apple states that FaceTime communications are protected by end-to-end encryption and that FaceTime uses ICE (Interactive Connectivity Establishment, RFC 8445, which Apple's documentation refers to as Internet Connectivity Establishment) to set up a peer-to-peer connection between devices. Apple states that devices verify each other's identity certificates and establish a shared secret for each session, that media channels are streamed over the Secure Real-time Transport Protocol (SRTP) with AES-256 encryption, and that Apple cannot decrypt sessions. Apple also states that it does not store the content of FaceTime sessions. Access control relies on Apple IDs, which restricts use to authenticated account holders; authentication of the account does not by itself confirm that the person on the other end is the intended patient or clinician.
Technical safeguards alone do not prevent noncompliant disclosures. A workforce member can initiate a call with an unauthorized recipient, disclose more than the HIPAA Minimum Necessary Rule permits, or conduct a session where the conversation can be overheard. Compliant use therefore requires internal procedures, workforce training, and administrative oversight covering identity verification of the remote party, approved use cases, device security, and session privacy. The US Department of Veterans Affairs permits FaceTime use, reflecting the view that FaceTime can be treated as a conduit. Other vendors of comparable video platforms will sign business associate agreements for healthcare use, and selecting such a solution removes the reliance on a conduit classification altogether.
