Can I use FaceTime and be HIPAA compliant?

Lately, we've been discussing in the office whether certain cloud-based solutions are HIPAA compliant or not. FaceTime is Apple's video and audio calling service that's available for free on their devices. We know the HIPAA industry is vast so we can empathize with just how many people need to use cloud-based services in this sector. UPDATE: In April 2020, in connection with the COVID-19 pandemic, the Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) announced the  Notification of Enforcement Discretion, which allows healthcare providers to use widely available communication apps, such as [name of the app], for telehealth services without the risk of incurring HIPAA fines. For more information, check out  this recent Paubox blog post.

In previous posts, we’ve covered the following cloud solutions and their capabilities for HIPAA compliance:

• Amazon CloudFront
• Apple iCloud
• Box
• Citrix ShareFile
• Dropbox
• Google Drive
• Google Forms
• Google Hangouts
• GoToMeeting
• Microsoft 365
• OneDrive
• SharePoint
• Slack
• WhatsApp
• Yammer
• Zoho
• Zoom

Today, we will determine if Apple's FaceTime offers HIPAA compliance or not.

SEE ALSO: HIPAA Breaches and Cloud Providers

About FaceTime

FaceTime is Apple's video and audio calling service that's available on mobile devices that run on iOS and Macintosh computers that run Mac OS X 10.6.6 and on. It launched in June 2010 when then Apple CEO Steve Jobs announced it in conjunction with the iPhone 4 at the annual Apple Worldwide Developers Conference.

FaceTime and the Business Associate Agreement

We’ve previously talked about how a Business Associate Agreement (BAA) is a written contract between a Covered Entity and a Business Associate. It is required by law for HIPAA compliance. We checked Apple's corporate site and eventually found the FaceTime Software License Agreement. We could not find any mention of HIPAA, Business Associate Agreement, Business Associate or Covered Entity in it. Next, we checked Apple Legal for reference to HIPAA or Business Associate Agreement. We found an important piece of information on the iCloud Terms and Conditions page. On that page, Apple states: "If you are a covered entity, business associate or representative of a covered entity or business associate (as those terms are defined at 45 C.F.R § 160.103), You agree that you will not use any component, function or other facility of iCloud to create, receive, maintain or transmit any “protected health information” (as such term is defined at 45 C.F.R § 160.103) or use iCloud in any manner that would make Apple (or any Apple Subsidiary) Your or any third party’s business associate." While FaceTime is technically not a part of iCloud, Apple makes it very clear they are not in the business of signing Business Associate Agreements or being classified as a Business Associate.

Does the HIPAA Conduit Exception Rule Apply to FaceTime?

The HIPAA Conduit Exception states that certain organizations like the US Postal Service and Internet Service Providers (ISPs) act merely as conduits for protected health information (PHI). Due to the transient nature of PHI being transmitted, the HIPAA Conduit Exception Rule does not require a Covered Entity to enter into a BAA with such organizations. So the question arises, does FaceTime also fall under the HIPAA Conduit Exception Rule? We found a page on the U.S. Department of Health and Human Services website called Guidance on HIPAA & Cloud Computing. Question #3 states: Can a CSP [Cloud Service Provider] be considered to be a “conduit” like the postal service, and, therefore, not a business associate that must comply with the HIPAA Rules? HHS gives the following answer: Generally, no. CSPs that provide cloud services to a covered entity or business associate that involve creating, receiving, or maintaining (e.g., to process and/or store) electronic protected health information (ePHI) meet the definition of a business associate, even if the CSP cannot view the ePHI because it is encrypted and the CSP does not have the decryption key. As explained in previous guidance,[ 14] the conduit exception is limited to transmission-only services for PHI (whether in electronic or paper form), including any temporary storage of PHI incident to such transmission. Any access to PHI by a conduit is only transient in nature. In contrast, a CSP that maintains ePHI for the purpose of storing it will qualify as a business associate, and not a conduit, even if the CSP does not actually view the information, because the entity has more persistent access to the ePHI. Further, where a CSP provides transmission services for a covered entity or business associate customer, in addition to maintaining ePHI for purposes of processing and/or storing the information, the CSP is still a business associate with respect to such transmission of ePHI. The conduit exception applies where the only services provided to a covered entity or business associate customer are for transmission of ePHI that do not involve any storage of the information other than on a temporary basis incident to the transmission service.

We believe the guidance is clear from HHS: A cloud-based service like FaceTime does not qualify under the HIPAA Conduit Exception Rule.

SEE ALSO: HIPAA Cloud Computing: Top Ten Frequently Asked Questions

Does Apple's FaceTime Offer HIPAA Compliant Service?

The Business Associate Agreement (BAA) is a key component to HIPAA compliance between a Covered Entity and a Business Associate. While there was a lot of confusing information on Apple's discussion forums on FaceTime and HIPAA compliance, we can infer from Apple Legal ( https://www.apple.com/legal) that Apple is not in the business of signing BAA's for their consumer-facing products like FaceTime.

Conclusion

FaceTime is not HIPAA compliant. Do not use FaceTime if you are bound by HIPAA regulations.