Is FaceTime HIPAA Compliant?

Can HIPAA covered entities use FaceTime for communicating protected health information (PHI) without breaking the HIPAA Rules? Are there protective features in Face Time that will keep information transmission secure? Will Apple will sign a business associate agreement (BAA) for FaceTime? These are important questions when it comes to knowing if FaceTime is HIPAA compliant.

A comprehensive look up of the Apple website showed no sign that Apple will enter into a business associate agreement with healthcare companies for any service it offers. The only reference to its services in connection with HIPAA-covered entities is in the use of iCloud, which Apple clearly mentions shouldn’t be utilized by healthcare organizations or their business associates to create, collect, store or transmit PHI.

Because Apple will not sign a BAA for FaceTime, that would suggest FaceTime isn’t a HIPAA compliant service. But, business associate agreements are only required by business associates. Is Apple considered  a business associate?

The HIPAA Conduit Exception Rule is applicable to organizations that work as conduits by which PHI is delivered. The HIPAA Conduit Exception Rule applies to entities like the US Postal Service, a number of courier firms, and their electronic equivalents. Internet Service Providers (ISPs) and telephone service providers like AT&T come under the category of “electronic equivalents.” But how about FaceTime, is it covered by the HIPAA Conduit Exception Rule?

Service providers that are regarded as a conduit should not store nor access PHI; and they should not have the key to unlock encryption. The Office for Civil Rights has stated on its website that cloud service providers are not regarded as conduits, though CSPs do not access ePHI, nor view the data because the ePHI is encrypted and there’s no key to unlock the encryption. The HIPAA Conduit Exception Rule is merely applicable to transmission-only services, where ePHI storage is just transient. CSPs do not work that way.

Apple has affirmed that all sent messages via FaceTime are secured by end to end encryption. The use of Apple IDs controls access and ensures that only authorized individuals can access an account. Apple additionally doesn’t retain any information delivered via FaceTime. FaceTime is a peer-to-peer channel for communication. Voice and sound communications are accessible only to the persons engaged in a chat session. Apple furthermore could not decrypt sessions.

Apple states the availability of the following technical features for FaceTime:

  • Internet Connectivity Establishment (ICE) that allow a peer-to-peer connection between devices.
  • Session Initiation Protocol (SIP) messages, which verify the user’s identity certificates and create a shared secret for every session.
  • Cryptographic nonces from each device combine with salt keys for every media channel, which are streamed through Secure Real Time Protocol (SRTP) using AES-256 encryption

So, can FaceTime be considered as HIPAA compliant? Although security controls are in place so that FaceTime can be utilized in a HIPAA compliant manner, it is very possible to use FaceTime in a non-compliant way. That is because HIPAA compliance is about users, not just technology.

There are different views on the issue of categorizing FaceTime as a conduit or not. The answer to this question is important because Apple will not sign a BAA. Some, like the US Department of Veteran Affairs, believe that FaceTime is classed as a conduit and could be regarded as HIPAA compliant. But, others do not feel the same way. They recommend using business solutions that offer to sign BAAs with HIPAA-covered entities instead of using FaceTime.