Updated: May 31, 2024   |   Christina Florkey

Is FaceTime HIPAA compliant?


Video conferencing offers a very convenient method of furnishing communication between healthcare providers and patients. FaceTime is a video and audio calling service developed by Apple. 

FaceTime apps exist only for Apple devices, but since iOS 15 a call can be shared as a FaceTime link that people on Windows and Android can join from a current Chrome or Edge browser.

But is FaceTime HIPAA compliant? The short answer is no, FaceTime is not HIPAA compliant. Below, we’ll explore FaceTime from a compliance perspective and discuss the biggest obstacles to HIPAA compliance when using the platform. 

How is HIPAA compliance determined?


Organizations in the U.S. healthcare sector need to comply with the Health Insurance Portability and Accountability Act (HIPAA) to protect the privacy and security of patients’ protected health information (PHI). PHI includes information about an individual’s mental and physical health conditions, treatments, and payments for those treatments.

Examples of PHI are test results, insurance claims, eligibility approvals, and physician’s notes. PHI may contain a patient’s name, email address, insurance policy number, and other identifying information.

Determining if a software solution complies with HIPAA is a critical concern for healthcare companies and providers. HIPAA violations can be very expensive and put sensitive patient information at risk. Reputable healthcare organizations strive to maintain HIPAA compliance by addressing the major HIPAA Privacy and Security Rules.

The Privacy Rule pertains to all PHI, while the Security Rule focuses on electronic protected health information (ePHI) such as the data processed in an IT environment. The Privacy Rule establishes national standards to protect individuals’ medical records and other types of PHI. It requires organizations to apply appropriate safeguards to protect the privacy of PHI. The rule also gives individuals certain rights over their PHI such as the ability to examine health records and make necessary corrections.

The HIPAA Security Rule defines administrative, physical, and technical safeguards that covered entities and their business associates must implement for ePHI. Compliance is a coordinated effort between the capabilities of a software solution and how an organization actually uses it; no product is HIPAA compliant on its own. The following examples illustrate some of the most impactful safeguards.

  • Risk analysis must be conducted to identify potential threats to collected, stored, and processed ePHI, and repeated when systems or workflows change.
  • Data in transit needs to be protected. Encrypting ePHI in transit is an addressable specification under the Transmission Security standard: an organization must either implement it or document why an equivalent alternative is reasonable and appropriate.
  • The workforce must be trained to comply with HIPAA standards, and sanction policies have to be in place to address employee violations.
  • Physical security must be provided for all facilities and devices containing systems that process or store ePHI.
  • Access controls (unique user identification, authentication, and emergency access procedures) need to ensure that only authorized personnel access ePHI.
  • Audit controls have to record and allow examination of access and other activity on systems processing ePHI.

Exceptions for HIPAA compliance during the COVID-19 pandemic


The Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) is responsible for enforcing the HIPAA Privacy, Security, and Breach Notification Rules. During the COVID-19 pandemic, the OCR announced it would exercise enforcement discretion and would not impose penalties against covered healthcare providers that used non-compliant video conferencing solutions in good faith to provide telehealth services.

The OCR took this action to reduce in-person contact and slow the transmission of COVID-19. The discretion covered non-public-facing communication platforms such as FaceTime, Google Meet, Microsoft Teams, Zoom, and Skype, but not public-facing services such as live-streaming apps. The notification expired with the public health emergency on May 11, 2023, followed by a 90-day transition period that ended on August 9, 2023, leaving FaceTime and other solutions subject to the same HIPAA requirements as any other software product.

Potential issues with FaceTime HIPAA compliance


One of the biggest problems with designating FaceTime as a HIPAA-compliant solution is that Apple does not sign Business Associate Agreements (BAAs) with organizations that plan to use the service for conversations involving PHI. Covered entities must enter into a BAA with any third party that creates, receives, maintains, or transmits PHI on their behalf.

This point brings up a distinction in HIPAA regulations between a business associate and a conduit. A conduit merely transmits PHI and has only transient, incidental access to it; it does not store the data or access it for its own purposes. The classic example of a conduit is the U.S. Postal Service, which transfers PHI in physical form, and the same exception is generally understood to cover internet service providers that just carry traffic.

Apple’s position is that it does not store FaceTime call data and so should not need to sign a BAA. By contrast, several other video conferencing platforms do offer customers a BAA so they can meet HIPAA requirements.

Organizations choosing to use FaceTime to communicate PHI need to be aware of this distinction. The conduit exception is narrow, and it is the covered entity, not Apple, that bears the burden of justifying it during an OCR investigation. In the case of a breach affecting FaceTime communication, the absence of a contract defining the vendor’s obligations complicates both the response and any defense of the organization’s compliance. For these reasons FaceTime is treated as non-compliant.

Why FaceTime is not recommended for telemedicine


Using FaceTime for telemedicine is not recommended for several reasons. As previously mentioned, FaceTime is not considered a HIPAA-compliant telehealth platform because Apple, the company behind FaceTime, is not willing to sign a Business Associate Agreement (BAA).

Additionally, although FaceTime calls are end-to-end encrypted, the service provides none of the organization-level controls HIPAA expects of a clinical system: participants authenticate with personal Apple IDs rather than organization-managed accounts, administrators cannot enforce authentication policies or restrict who may join, and there is no centrally maintained audit trail of who accessed a call. It also does not offer the functionality and professionalism of healthcare-specific telehealth platforms.

FaceTime is inadequate for multi-provider appointments because only an Apple device can start a call; patients and clinicians without Apple hardware can participate only by joining a shared link in a browser. Furthermore, FaceTime does not allow for the replication of established workflows, such as checking in and out with medical staff, recording consent, or collecting payments.

Healthcare providers should consider using a HIPAA-compliant telemedicine platform that offers the necessary features and security measures.

HIPAA-compliant video calling services


Various video communication services, such as Zoom, Microsoft Teams (the successor to Skype for Business), and others, offer HIPAA-eligible configurations and are willing to sign Business Associate Agreements (BAAs) with covered entities. These providers have implemented the administrative, technical, and physical security controls required to meet HIPAA’s requirements and document them in the BAA.

For example, Zoom offers Zoom for Healthcare, which is specifically designed for covered entities and includes administrative, technical, and physical safeguards for protected health information (PHI). By signing a BAA with Zoom, an organization contractually binds the vendor to its obligations regarding the privacy and security of PHI.

A BAA does not make a deployment compliant by itself: the organization still has to configure the platform appropriately (for example, enabling waiting rooms, meeting passcodes, and audit logging) and its users must share PHI only with authorized individuals. Either way, FaceTime is not a suitable solution for telemedicine.

Implementing a data loss prevention solution for HIPAA compliance

HIPAA compliance requires that organizations protect PHI from unauthorized access. Data loss prevention (DLP) software is a natural fit for healthcare providers and other organizations that need to restrict access to sensitive information.

It automatically enforces the company’s data handling policy to prohibit any deliberate or accidental misuse that could risk HIPAA compliance. DLP solutions are especially effective at controlling and managing insider threats which can result in extremely damaging data leaks.

The Reveal Platform by Next is an advanced DLP platform that employs next-gen agents and machine learning to identify and categorize data at the point of risk. The software prevents users from violating the data handling policy and offers training through instructive messages when a potential violation is detected. Reveal helps build a more security-conscious workforce while keeping sensitive data safe.

Get in touch with us today and start protecting your HIPAA-regulated and other sensitive data. You can see Reveal in action by booking a free demo.

Frequently asked questions

How does a data handling policy protect HIPAA-regulated data?

A data handling policy protects HIPAA-regulated data by categorizing data and determining which resources need to be protected. The policy defines access levels and roles that determine who can use specific data resources and how they can be used. A data handling policy forms the foundation of a data loss prevention platform such as Reveal.

Why do telehealth video conferences need to be protected?

Telehealth video conferences need to be protected because confidential information or PHI can be involved in the communication. Threat actors need to be prohibited from accessing the conference feeds to avoid exposing regulated data. Data should always be encrypted and multi-factor authentication enforced to protect sensitive data and ensure patient confidentiality.

What is the purpose of a HIPAA Business Associate Agreement?

The purpose of a HIPAA Business Associate Agreement is to define the responsibilities of a third party when it creates, receives, maintains, or transmits PHI on behalf of a covered entity. Disclosing PHI to a vendor without a BAA in place is itself a HIPAA violation, so organizations should be reluctant to work with third parties that will not enter into one.
