Telehealth may have gotten much more attention since COVID-19, but in reality, it has been around for many years with steadily growing popularity. Since the recent pandemic did so much to popularize telehealth services¹, healthcare providers are turning to telehealth companies for the convenient online services that patients now appreciate and expect². Providers are also asking if prominent video conferencing software products such as Apple FaceTime® can be considered HIPAA compliant telehealth software.
Is Apple FaceTime® a Conduit or a Business Associate?
Before we can determine whether Apple FaceTime® is HIPAA compliant telehealth software, we must ascertain if it is responsible for keeping electronic protected health information (ePHI) safe.
HIPAA compliance normally pertains to covered entities (health plans and providers, health care clearinghouses), which Apple FaceTime® obviously is not. It could be argued that Apple FaceTime® may be considered a conduit or a business associate in the eyes of HIPAA. A conduit is a service that transmits ePHI but does not store it or access encrypted data. Telephone and internet service providers are considered conduits, but cloud service providers are not. A conduit is not required to sign a Business Associate Agreement (BAA).
Business associates are organizations or persons that create, transmit, receive, or maintain PHI on behalf of any covered entity. Cloud service providers (CSP) that provide cloud services to a covered entity or business associate that involve creating, receiving, or maintaining ePHI meet the definition of a business associate, even if the CSP cannot view the ePHI.
Apple® does not store any information sent via FaceTime®, which is a peer-to-peer communication channel that transmits voice and audio communications between users and cannot decrypt sessions. Apple® is therefore considered a business associate and is required to sign a BAA.
Will Apple Sign a BAA?
A BAA is a contract between a covered entity and a business associate that requires both parties to protect personal health information under the rules and regulations of HIPAA. Apple® is not willing to sign a BAA; therefore, its services, including FaceTime®, are not technically HIPAA compliant.
HIPAA Discretion During COVID-19
Under the good faith provision of telehealth during the COVID-19 national emergency period, covered healthcare providers can use Apple FaceTime®³ to provide telehealth without the risk of HIPAA non-compliance penalties. Apple FaceTime® could potentially introduce security risks, and providers should enable all available encryption and privacy modes when using such applications. Other popular applications are witnessing a rise in usage for telehealth purposes, including WhatsApp®, Zoom®, and Skype™. Healthcare providers should notify patients that third-party applications such as Apple FaceTime® are not HIPAA compliant and that there are other telehealth apps that have declared themselves HIPAA compliant⁴, such as:
- Skype for Business™
- Google Hangouts™
- Zoom for Healthcare®
- Cisco® Webex Meetings / Webex Teams
- Amazon Chime™
- Spruce Health Care Messenger™
- Bridge Video Visits, powered by Zoom for Healthcare®
To successfully implement a HIPAA compliant telehealth software platform, providers must require patients to complete necessary patient consent forms and agreements. Commonly used consent forms and agreements for online patient portals and telehealth platforms include:
Any software leveraged by covered entities that transmits ePHI must comply with certain HIPAA regulations. Because Apple FaceTime® will not sign a BAA, we can deduce that Apple FaceTime® is NOT a HIPAA Compliant Telehealth Software Platform. Any healthcare provider that continues to use the non-compliant software recommended during the COVID-19 national emergency period must still strive to provide patients with the most secure/safe environment possible, and should transfer to a truly HIPAA compliant software solution as soon as possible.
Since Apple FaceTime® is not HIPAA compliant, we do not recommend using it as part of any telehealth solution. If you need a HIPAA-compliant video chat tool that integrates with your existing EHR, consider Bridge. Bridge offers a comprehensive platform to engage patients along the digital care journey outside of just telehealth, with features like self-scheduling, appointment reminders, and mobile chat. Contact us to learn more about how we can help with your telehealth needs.
DISCLAIMER: All product and company names are trademarks™ or registered® trademarks of their respective holders. Bridge Patient Portal is not endorsed or sponsored by or affiliated in any way with the service providers mentioned in this article.
- Koonin, L., Hoots, B., Tsang, CA., et al. (2020) Trends in the use of telehealth during the emergence of the COVID-19 pandemic — United States, January–March 2020. MMWR. Morbidity and Mortality Weekly Report. [online] Available at: https://doi.org/10.15585/mmwr.mm6943a3.
- Tanya, H. (2021) Patients, doctors like telehealth. Here’s what should come next. American Medical Association. [online] Available at: https://www.ama-assn.org/practice-management/digital/patients-doctors-telehealth-here-s-what-should-come-next.
- Office for Civil Rights (OCR) (2020). Notification of Enforcement Discretion for telehealth. [online] HHS.gov. Available at: https://www.hhs.gov/hipaa/for-professionals/special-topics/emergency-preparedness/notification-enforcement-discretion-telehealth/index.html.
- telehealth.hhs.gov. (2022). HIPAA flexibility for telehealth technology | Telehealth.HHS.gov. [online] Available at: https://telehealth.hhs.gov/providers/policy-changes-during-the-covid-19-public-health-emergency/hipaa-flexibility-for-telehealth-technology.