Due in large part to the coronavirus pandemic, 91 percent of medical practitioners are expected to offer telehealth services by the end of 2020. Working with patients in a virtual setting demands the help of video tools and chat applications, like Apple’s FaceTime. Similar to Skype and Google Hangouts, FaceTime allows you to conduct one-on-one video calls between newer iPhones, iPads, iPod touch devices, and Mac notebooks and desktops.

But before using FaceTime for patient communication, it’s important to ask: is FaceTime HIPAA compliant? So, is it?

In order for FaceTime - or any other tool - to be HIPAA compliant, the company that makes that tool must sign a business associate agreement (BAA) before sharing, transmitting, storing, or maintaining protected health information (PHI). Simply put, a BAA is a contract between the business associate - in this case, Apple - and the healthcare service provider, such as the clinic that uses FaceTime for telehealth purposes. Both parties must agree to undertake certain responsibilities in managing PHI. One of the stipulations in HIPAA states that the BAA must ensure that “the business associate will not use or further disclose the protected health information other than as permitted or required by the contract or as required by law.” In other words, the contractor working with the healthcare provider will not use PHI in any way besides what is stated in their contract or necessary for legal use.

In the case of Apple, this makes little difference, as the tech giant doesn’t seem to have any intention of entering into a BAA with healthcare companies. Because Apple won’t sign a BAA for FaceTime, that seems to indicate that FaceTime isn’t a HIPAA-compliant service. Furthermore, Apple even states that its iCloud data storage service is not HIPAA compliant and should not be used by healthcare organizations.

Entities that are defined as “business associates” for the purpose of HIPAA must sign BAAs, but entities defined as “conduits” are exempt. If FaceTime is a conduit, and not a business associate, then healthcare organizations can use FaceTime without a BAA. So which is it?

What is the HIPAA Conduit Exception Rule? The HIPAA Conduit Exception Rule basically says that if an organization acts only as a conduit to PHI - that is, it only transfers health data but doesn’t have access to it or store it - then it is exempt from the BAA requirement. Unfortunately, Apple is a cloud service provider (CSP), and CSPs are generally not considered conduits. According to HHS guidance on HIPAA and cloud computing, cloud service providers that receive or store PHI are in fact business associates. This is the case even if the CSP can’t view the data because it’s encrypted. When it comes to using PHI on FaceTime, Apple is indeed a business associate, and is not covered by the conduit exception rule.

All messages sent via FaceTime are secured by end-to-end encryption, and only authorized users can access an account using their Apple ID. Apple also doesn’t retain any information delivered via FaceTime - which would suggest FaceTime can be used in a HIPAA-compliant manner - but it is possible to use FaceTime in a non-compliant way. It depends much more on the user than on the technology. In addition, as mentioned above, since Apple is considered a business associate, the company must sign a BAA before sharing, transmitting, storing, or maintaining PHI using Apple services.