Is FaceTime HIPAA Compliant?

FaceTime is not HIPAA compliant and should not be used by a HIPAA covered entity to communicate Protected Health Information (PHI). The one exception is where a patient has requested confidential communications via FaceTime, has been warned of the risks associated with FaceTime, and has still chosen to receive confidential communications through this channel.

FaceTime is not HIPAA compliant because it lacks the administrative controls required by the HIPAA Security Rule for monitoring logins, maintaining audit trails, and terminating user access to PHI. It is also not possible to implement integrity controls that protect PHI from improper alteration or destruction once PHI is saved on an Apple device.

Because of this lack of controls, Apple will not enter into a HIPAA Business Associate Agreement with covered entities or business associates. This makes it impossible to disclose PHI in FaceTime audio or video calls without violating HIPAA, unless a patient has requested confidential communications via FaceTime and it is reasonable to accommodate the request.

The Confidential Communications Exception

The confidential communications exception is set out in §164.522(b) of the HIPAA Privacy Rule. The intention of this standard is to support individuals' privacy protections by facilitating communications at non-standard locations or via non-standard channels of communication when there is a risk that the content of a communication may not remain confidential.

However, the final implementation specification of this standard ("Conditions on Providing Confidential Communications") allows covered entities to condition the provision of a reasonable accommodation on the receipt of a statement acknowledging that "disclosure of all or part of the information to which the request pertains could endanger the individual".

This implementation specification implies that the confidential communications standard permits communication of PHI via non-compliant channels. Indeed, the standard requires covered entities to comply with a request when it is reasonable to accommodate it. As most covered entities have access to Apple devices, it would be unreasonable to decline a request to communicate PHI via FaceTime.


Does the Exception Make FaceTime HIPAA Compliant?

The exception does not make FaceTime HIPAA compliant, but it does mean covered entities can communicate PHI with individuals without violating HIPAA. When relying on the exception, covered entities are advised to:

  • Ensure the request to receive confidential communications via FaceTime is made in writing.
  • Warn the individual that FaceTime lacks the administrative controls required to comply with HIPAA.
  • Request that the individual acknowledge the warning and acknowledge that the lack of administrative controls could endanger the security of their PHI.

It is also advisable to conduct FaceTime calls from an Apple device that supports audio recording and transcription. This makes it easier to account for PHI disclosed during the call and to transfer PHI collected during the call into the individual's health, treatment, or payment records. Once those records have been updated, the transcription should be deleted from the Apple device.

Caveats and HIPAA Training Requirements

The first caveat of using the confidential communications exception to communicate via FaceTime is that it should only be used for communications between a covered entity and the individual(s) who requested confidential communications. It must not be used for communications between covered entities, or between members of covered entities' workforces.

The second caveat is that it is reasonable to accommodate a request to communicate PHI via FaceTime only because FaceTime supports end-to-end encryption, audio recording, and transcription. It would not be reasonable to accommodate a request to communicate via a public-facing channel such as Facebook Live, Twitch, or TikTok.

With regard to the HIPAA training requirements, members of the workforce involved in receiving, administering, or actioning requests for confidential communications must be trained on how to verify the identity of an individual who is not already known to them, how to conduct calls in a private location where neither party can be overheard, the procedures for recording calls, and the procedures for updating the individual's health, treatment, or payment records from transcriptions that are subsequently deleted.

Covered entities who require more information about the confidential communications exception, determining what requests are reasonable, or training members of the workforce are advised to seek independent compliance advice.

About Daniel Lopez

Daniel Lopez is a HIPAA trainer, passionately committed to enhancing healthcare data protection and privacy standards. As a recognized expert in HIPAA compliance with over 10 years' experience, he holds the role of HIPAA specialist at The HIPAA Guide. Holding a degree in Health Information Management, complemented by certifications in data privacy and security, Daniel's academic and professional credentials are a testament to his expertise. His approach to training is both engaging and educational, catering to a range of professional needs in the healthcare sector. For further information or to benefit from his expertise, Daniel is reachable through HIPAAcoach.com or https://twitter.com/DanielLHIPAA