Is FaceTime HIPAA Compliant?

Is FaceTime HIPAA compliant? Can FaceTime be used by HIPAA covered entities to communicate electronic protected health information (ePHI) without violating HIPAA Rules?

In this article we will examine the protections in place to keep transmitted information secure, whether Apple will sign a business associate agreement for FaceTime, and if a BAA is necessary.

Will Apple Sign A BAA for FaceTime?

An extensive search of the Apple website has revealed no indication that Apple will sign a business associate agreement with healthcare organizations for any of its services. The only mention of its services in relation to HIPAA-covered entities is in relation to iCloud, which Apple clearly states should not be used by healthcare providers or their business associates to create, receive, maintain or transmit PHI.

Since Apple is not prepared to sign a business associate agreement for FaceTime, that would indicate FaceTime is not a HIPAA compliant service. However, business associate agreements only need to be signed by business associates. So, is Apple a business associate?

The HIPAA Conduit Exception Rule

The HIPAA Conduit Exception Rule applies to organizations that act as conduits through which PHI or ePHI is sent. The HIPAA Conduit Exception Rule covers entities such as the US Postal Service, some courier companies, and their electronic equivalents. Internet Service Providers (ISPs) fall under the description of “electronic equivalents,” as do telephone service providers such as AT&T. But what about FaceTime?

There is some debate about whether FaceTime is covered by the HIPAA Conduit Exception Rule. In order to be considered as a conduit, the service provider must not store any ePHI, must not access ePHI, and must not have a key to unlock encrypted data.

The Office for Civil Rights has confirmed on its website that cloud service providers (CSPs) are generally not considered conduits, even if the CSP does not access ePHI, or cannot view the information because ePHI is encrypted and no key is held to unlock the encryption. That is because the HIPAA Conduit Exception Rule only applies to transmission-only services, where any ePHI storage is only transient. That is not the case with CSPs.

Apple has confirmed that all communications through FaceTime are protected by end to end encryption. Access controls are in place, via Apple IDs, to ensure the service can only be used by authorized individuals. Apple also does not store any information sent via FaceTime. FaceTime is a peer-to-peer communication channel, and voice and audio communications are transmitted between the individuals involved in the session. Apple also cannot decrypt sessions.

Apple says, “FaceTime uses Internet Connectivity Establishment (ICE) to establish a peer-to-peer connection between devices. Using Session Initiation Protocol (SIP) messages, the devices verify their identity certificates and establish a shared secret for each session. The cryptographic nonces supplied by each device are combined to salt keys for each of the media channels, which are streamed via Secure Real Time Protocol (SRTP) using AES-256 encryption.”

Is FaceTime HIPAA Compliant?

So, is FaceTime HIPAA compliant? No communications platform can be truly HIPAA compliant as HIPAA compliance is about users, not technology. It would be possible to use FaceTime in a noncompliant way, such as communicating ePHI with an individual who is not authorized to have the information. However, protections are in place to ensure FaceTime can be used in a HIPAA compliant fashion between authorized users who comply with the HIPAA Minimum Necessary Standard.

The question is FaceTime HIPAA compliant depends entirely on whether it is classed as a conduit, since Apple will not sign a BAA. In our opinion, FaceTime could be classed as a conduit. The US Department of Veteran Affairs also believes FaceTime is HIPAA compliant and allows its use, which shows it is confident that the service is classed as a conduit.

However, other companies that provide video conferencing platforms do not feel the same way, and offer to sign BAAs with HIPAA-covered entities. Therefore, our advice is to use one of those business solutions rather than the consumer-focused FaceTime and err on the side of caution.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.