Can FaceTime Be Considered HIPAA Compliant?

Before answering the question of whether FaceTime is HIPAA compliant, it must be acknowledged at the outset that no communications platform can be completely HIPAA compliant on its own, because the law governs users and their practices rather than the technology itself. That said, two things determine whether the app can be used in a way that adheres to HIPAA regulations: (1) Will the maker of FaceTime sign a business associate agreement (BAA)? (2) Is FaceTime considered a conduit, and therefore covered by the exception rule?

At present, a thorough search of Apple's website reveals no indication that Apple will sign a business associate agreement with healthcare organizations for any of its services. But, as the name indicates, business associate agreements are entered into by business associates. The question then becomes, "Is Apple regarded as one?"

Given that Apple shows no sign of entering into such an agreement, the app might instead fall under the HIPAA Conduit Exception Rule. This exception applies to organizations that merely transmit protected health information (PHI), such as the US Postal Service, couriers, and telephone service providers. It may include FaceTime if FaceTime is considered a conduit.

For a service provider to be regarded as a conduit, it must not store or have access to any PHI and must not hold the key to decrypt it. Even where cloud service providers (CSPs) meet these conditions, the Office for Civil Rights still does not deem CSPs to be conduits. The reasoning is that ePHI storage by a conduit is only temporary, and the HIPAA Conduit Exception Rule pertains to transmission-only services.

Apple explains that FaceTime is a peer-to-peer communication channel protected by end-to-end encryption, in which communication is transferred only between the participants in the conversation. Individual Apple IDs control and regulate use. Furthermore, Apple operates no system that stores information sent using the app.

The US Department of Veterans Affairs recognizes FaceTime as HIPAA compliant and considers it a conduit. On that view, the app is covered by the conduit exception rule, which makes it HIPAA compliant.

Despite this, and despite protections that may allow FaceTime to be used in a way that is compliant with HIPAA regulations, it is still best to be prudent and certain: use video conferencing platforms whose providers offer to sign BAAs with HIPAA-covered entities.