FaceTime, Apple’s popular video communication application, has garnered attention for its ease of use and widespread availability. Video calling tools like FaceTime may help provide faster and more accessible healthcare, as shown by the surge of telehealth services during the COVID-19 pandemic.
However, before healthcare professionals can use it for video consultations, they must first ask: is FaceTime HIPAA-compliant?
Here’s what you need to keep in mind:
Understanding FaceTime’s Privacy Measures
Before delving into its HIPAA compliance, it’s essential to understand FaceTime’s privacy features. The proprietary video calling app offers end-to-end encryption for communication, which means only the intended participants in a FaceTime call can access the content.
Apple retains limited information about FaceTime usage, which gets stored in its servers for a maximum of 30 days. The following is Apple’s exact wording on the information it keeps on the said app:
- When you use FaceTime, Apple may store information about your use of the services in a way that doesn’t identify you.
- Apple may record and store information about FaceTime calls, such as who was invited to a call and your device’s network configurations, and store this information for up to 30 days. Apple doesn’t log whether your call was answered, and can’t access the content of your calls.
- Some apps on your device (including FaceTime) may communicate with Apple’s servers to determine whether other people can be reached by FaceTime. When this happens, Apple may store these phone numbers and email addresses associated with your account for up to 30 days.
Is FaceTime HIPAA-Compliant?
The short answer to that is no, FaceTime is not HIPAA-compliant.
To understand why, you must first determine whether the video calling app is classified as a conduit or a business associate under the Health Insurance Portability and Accountability Act (HIPAA). Only business associates are subject to HIPAA rules. Secondly, you must determine whether its developer, Apple, will sign a Business Associate Agreement (BAA).
Is FaceTime a conduit or business associate?
FaceTime’s HIPAA compliance depends on its classification as a conduit or a business associate. Typically, communication tools that only transmit, and do not access or store, electronic protected health information (ePHI) are considered conduits and are not subject to HIPAA compliance requirements. A conduit is a transmission-only service that handles PHI only transiently.
Some argue that FaceTime falls under the conduit exception and can therefore be considered HIPAA-compliant, given its security measures. The HIPAA Journal agrees with this view and notes that even the US Department of Veterans Affairs allows its use as a conduit. However, the Compliancy Group has a different take on the matter: it considers FaceTime a business associate, not a conduit.
According to the Department of Health and Human Services (HHS), cloud service providers (CSPs), even if they do not have access to ePHI due to encryption, are classified as business associates under HIPAA if they fall under these two conditions:
- A CSP that stores PHI and has persistent access to it is considered a business associate, even if the CSP never views the PHI.
- Beyond maintaining PHI for storage or processing, a CSP that provides transmission services for a covered entity or a business associate is also considered a business associate.
Even if FaceTime cannot access the content of calls, the app stores information, “such as who was invited to a call,” for up to 30 days. While we do not know the full extent of this information, this data could be considered PHI and is subject to HIPAA.
Moreover, Apple says it may store phone numbers and email addresses when apps (including FaceTime) communicate with its servers. If these phone numbers and email addresses are tied to identifiable individuals and are transmitted by healthcare organizations, they are subject to HIPAA rules. Given the lack of clarity about what information FaceTime stores, healthcare organizations should err on the side of caution and opt for other video-calling tools designed for HIPAA compliance.
The BAA requirement
A BAA is a legally mandated document stipulating the responsibilities of a business associate, in this case, Apple, concerning the protection and handling of PHI.
If FaceTime is considered a business associate under HIPAA, Apple would need to be willing to sign a BAA with healthcare organizations. However, various sources assert that Apple will not sign a BAA, and the company has yet to release any official statement about its willingness to sign a BAA for FaceTime.
The Risks of Using FaceTime in Healthcare
Data Security Concerns
Apple has had its share of privacy concerns, such as the FaceTime bug that allowed callers to listen in on, and watch through the camera of, a recipient’s phone before the call was answered. As reported by The Verge, Apple’s slow response drew questions from experts. Apple has since disabled the feature, but the incident underscores the importance of robust privacy measures in healthcare communication tools.
Potential HIPAA Violations
A BAA is legally required before FaceTime can be used in connection with PHI. If FaceTime transmits and stores PHI on behalf of covered entities while Apple will not sign a BAA, its use could constitute a HIPAA breach. Healthcare providers who use FaceTime to communicate PHI therefore risk HIPAA violations.
Using FaceTime Alternatives for HIPAA Compliance
The bottom line is that using FaceTime for healthcare video calling poses risks. Instead, consider alternatives designed for securely transmitting PHI and supporting HIPAA compliance. Zoom for Healthcare is one example: it supports flexible care delivery and signs a BAA with its customers.
FaceTime is better suited to general business communication and video calls that do not involve exchanging or transmitting sensitive health details.