We recently filmed an episode of HIPAA Center with Roger Cohen, Life Sciences Partner at Goodwin Procter. He is also our HIPAA attorney.
Roger Cohen: Apple FaceTime and the HIPAA Conduit Rule
Here’s the transcript from our conversation:
UPDATE: In April 2020, in connection with the COVID-19 pandemic, the Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) announced the Notification of Enforcement Discretion, which allows healthcare providers to use widely available communication apps, such as [name of the app], for telehealth services without the risk of incurring HIPAA fines. For more information, check out this recent Paubox blog post.
Hoala Greevy: Lately we’ve been covering the HIPAA Conduit Rule Exception in our own blog posts and content. One of the questions one of our customers had was, “Say something like Apple FaceTime, does that apply for the HIPAA Conduit Rule or not?”
It’s kind of an opaque area, as I understand it.
Roger Cohen: The HIPAA Conduit Exception is a reasonably narrow exception. Sort of the traditional example of a HIPAA Conduit is the Post Office, or FedEx, or UPS. And either the phone company (setting aside voicemail, which is a slightly more complicated issue) or, in tech, ISPs.
I would want to understand how FaceTime works and what happens to data, if any data is stored. That’s really the key in the application of the Conduit Exception.
Does the Conduit, or the Entity that may be a Conduit, does it have only transitory access to the possession of health information, or is it storing health information over a longer period of time?
Hoala Greevy: That’s what my conclusion was on my layman’s research on it because, you know, you’ve got, I’m sure they’re logging IP address, date, time, maybe a person’s name. I mean, Apple doesn’t sign Business Associate Agreements for their consumer-grade services, and I felt like this didn’t fit the HIPAA Conduit Rule.
Roger Cohen: I would advise talking to your HIPAA lawyer prior to concluding that Apple FaceTime can be a conduit.
Hoala Greevy: Got it!
Roger Cohen is a Partner in Goodwin’s nationally recognized Life Sciences Practice. He counsels healthcare services, life sciences, and healthcare IT clients concerning compliance with the myriad laws and regulations governing the delivery of healthcare services such as the Anti-Kickback Statute, the Physician Self-Referral Law (the Stark Law), the False Claims Act, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Medicare and Medicaid rules and regulations, and laws governing reimbursement, licensure and certification.
Mr. Cohen’s experience also includes extensive work on healthcare transactions. He has represented clients in acquisitions and financings involving a wide variety of healthcare providers including hospitals, ambulatory surgery centers, physician groups, skilled nursing facilities, rehabilitation and physical therapy facilities, behavioral health and substance abuse treatment providers, dental clinics, home healthcare providers, clinical laboratories, pharmacies, and care management companies, among others.
Mr. Cohen also has deep experience assisting clients in transactions involving and providing counsel to health IT companies such as telemedicine providers and electronic health record, mobile health (mHealth), and digital health companies.