Is FaceTime HIPAA Compliant?

FaceTime is not HIPAA compliant because it lacks the administrative controls that covered entities need in order to manage user access to the service and to ensure the confidentiality, integrity, and availability of electronic PHI (ePHI). Consequently, FaceTime should not be used by covered entities or business associates to collect, receive, store, or transmit ePHI.

A comprehensive search of the Apple website showed no sign that Apple will enter into a business associate agreement with healthcare companies for any service it offers. The only reference to its services in connection with HIPAA-covered entities concerns iCloud, which Apple clearly states should not be used by healthcare organizations or their business associates to create, collect, store, or transmit ePHI.

Because Apple will not sign a BAA for FaceTime, this would suggest that FaceTime is not a HIPAA compliant service. But business associate agreements are only required of business associates. Is Apple considered a business associate?

The HIPAA Conduit Exception Rule applies to organizations that act as conduits through which PHI is delivered. It covers entities like the US Postal Service, a number of courier firms, and their electronic equivalents. Internet Service Providers (ISPs) and telephone service providers like AT&T fall under the category of "electronic equivalents." But is FaceTime covered by the HIPAA Conduit Exception Rule?

Service providers that are regarded as conduits should neither store nor access PHI, and they should not hold the key to unlock the encryption. The Office for Civil Rights has stated on its website that cloud service providers (CSPs) are not regarded as conduits, even when the CSP never accesses or views the ePHI because the data is encrypted and the CSP holds no key to decrypt it. The HIPAA Conduit Exception Rule applies only to transmission-only services, where any storage of ePHI is purely transient. CSPs do not work that way.

Apple has affirmed that all messages sent via FaceTime are protected by end-to-end encryption. The use of Apple IDs controls access and ensures that only authorized individuals can access an account. Apple additionally does not retain any information delivered via FaceTime. FaceTime is a peer-to-peer channel for communication: voice and video are accessible only to the persons engaged in a session, and Apple is unable to decrypt sessions.


Apple states the availability of the following technical features for FaceTime:

  • Internet Connectivity Establishment (ICE), which allows a peer-to-peer connection between devices.
  • Session Initiation Protocol (SIP) messages, which verify the users' identity certificates and create a shared secret for every session.
  • Cryptographic nonces from each device, combined with salt keys for every media channel, which is then streamed over Secure Real Time Protocol (SRTP) using AES-256 encryption.
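The list above describes the property that matters for the conduit question: a per-session shared secret from the handshake, a nonce from each device, and a per-channel salt are mixed into media keys that only the two peers hold, so an intermediary forwarding the packets sees ciphertext it cannot open. The following is an added illustration of that construction, not Apple's code and not a description of Apple's actual key schedule: it uses HKDF over HMAC-SHA256 as an assumed mixing function, AES-256-GCM in place of the SRTP cipher suite, and constructed values for the shared secret, nonces, salt and media frame.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// hkdfSHA256 is a minimal HKDF (RFC 5869) extract-then-expand built on the
// standard library's HMAC-SHA256, so the example needs no third-party module.
func hkdfSHA256(secret, salt, info []byte, length int) []byte {
	extract := hmac.New(sha256.New, salt)
	extract.Write(secret)
	prk := extract.Sum(nil)

	var out, prev []byte
	for counter := byte(1); len(out) < length; counter++ {
		expand := hmac.New(sha256.New, prk)
		expand.Write(prev)
		expand.Write(info)
		expand.Write([]byte{counter})
		prev = expand.Sum(nil)
		out = append(out, prev...)
	}
	return out[:length]
}

// DeriveMediaKey mixes the session's shared secret, both peers' nonces and the
// channel salt into a 256-bit AES key unique to one media channel of one
// session. The mixing order is an assumption of this example, not Apple's.
func DeriveMediaKey(sharedSecret, nonceA, nonceB, channelSalt []byte, channel string) []byte {
	info := []byte("media-channel:" + channel + ":")
	info = append(info, nonceA...)
	info = append(info, nonceB...)
	return hkdfSHA256(sharedSecret, channelSalt, info, 32)
}

// packetNonce builds the 12-byte GCM nonce from the packet sequence number,
// mirroring how SRTP-style transports derive the IV from the packet index.
func packetNonce(seq uint32) []byte {
	nonce := make([]byte, 12)
	binary.BigEndian.PutUint32(nonce[8:], seq)
	return nonce
}

// SealFrame encrypts one media frame with AES-256-GCM; the sequence number is
// bound as associated data so a relay cannot silently reorder or replay packets.
func SealFrame(key []byte, seq uint32, frame []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := packetNonce(seq)
	return gcm.Seal(nil, nonce, frame, nonce), nil
}

// OpenFrame is the receiving side; it fails if the key, sequence number or
// ciphertext do not match, which is all an intermediary without the key gets.
func OpenFrame(key []byte, seq uint32, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := packetNonce(seq)
	frame, err := gcm.Open(nil, nonce, sealed, nonce)
	if err != nil {
		return nil, errors.New("cannot decrypt: wrong key or tampered packet")
	}
	return frame, nil
}

func main() {
	// Constructed stand-ins for the handshake's shared secret, each device's
	// nonce, and the audio channel's salt.
	sharedSecret := []byte("constructed-shared-secret-from-SIP-handshake")
	nonceA := []byte("device-A-nonce-0001")
	nonceB := []byte("device-B-nonce-0002")
	audioSalt := []byte("constructed-audio-salt")

	// Both peers derive the same key independently; nothing but ciphertext
	// crosses the network.
	keyA := DeriveMediaKey(sharedSecret, nonceA, nonceB, audioSalt, "audio")
	keyB := DeriveMediaKey(sharedSecret, nonceA, nonceB, audioSalt, "audio")
	sealed, _ := SealFrame(keyA, 1, []byte("constructed audio frame"))

	// A relay that forwards the packet but never learned the shared secret
	// cannot derive the key, so it is left with an error rather than the frame.
	relayKey := DeriveMediaKey([]byte("relay-has-no-secret"), nonceA, nonceB, audioSalt, "audio")
	_, relayErr := OpenFrame(relayKey, 1, sealed)
	fmt.Println("relay decrypt:", relayErr)

	frame, err := OpenFrame(keyB, 1, sealed)
	fmt.Println("peer B decrypt:", string(frame), err)
}
```

The point for the compliance discussion is the separation of roles this demonstrates: whoever forwards packets without the handshake secret is in a transmission-only position, while a provider that could derive or escrow the media key would not be. The example keeps that distinction observable by returning an error, not partial data, when the wrong key or a replayed sequence number is used.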

So, can FaceTime be considered as HIPAA compliant? Although security controls are in place so that FaceTime can be utilized in a HIPAA compliant manner, it is very possible to use FaceTime in a non-compliant way. That is because HIPAA compliance is about users, not just technology.

There are different views on whether FaceTime should be categorized as a conduit. The answer matters because Apple will not sign a BAA. Some, like the US Department of Veterans Affairs, believe that FaceTime is classed as a conduit and could be regarded as HIPAA compliant. Others do not agree, and recommend using business solutions whose providers will sign BAAs with HIPAA-covered entities instead of using FaceTime.

About Daniel Lopez
Daniel Lopez is a HIPAA trainer, passionately committed to enhancing healthcare data protection and privacy standards. As a recognized expert in HIPAA compliance, he holds the role of HIPAA specialist at The HIPAA Guide. Holding a degree in Health Information Management, complemented by certifications in data privacy and security, Daniel's academic and professional credentials are a testament to his expertise. His approach to training is both engaging and educational, catering to a range of professional needs in the healthcare sector. For further information or to benefit from his expertise, Daniel is reachable through HIPAAcoach.com or https://twitter.com/DanielLHIPAA