When it’s time for a telemedicine appointment with a patient, a quick FaceTime seems ideal. Everyone has an iPhone these days, and with FaceTime, no one has to install any special tech to meet with their doctor.
Apple utilizes top-notch security measures on all of its technology, but at the same time, medical practitioners will do anything to avoid any digital communications that will put the patients data at risk.
So, is FaceTime HIPAA compliant or not?
FaceTime is not usually HIPAA-compliant. Apple is unlikely to sign any BAAs (required by HIPAA), and its cloud storage may not be sufficiently secure. However, some individuals still argue that FaceTime is HIPAA-compliant when used properly because of its extensive security measures – and of course, there are the new pandemic exceptions to consider.
The HIPAA Privacy Rule requires all Covered Entities to have a signed Business Associate Agreement (BAA) with any Business Associate (BA) that may be handling PHI (Personal Health Information).In the BAA, the technology platform agrees to help you protect patient privacy.
Because of this HIPAA requirement, you would need Apple to sign a BAA with your healthcare business before using FaceTime. As a tech giant, Apple is unlikely to enter into a BAA with any healthcare facility.
Apple has also stated that their iCloud data storage service is not HIPAA compliant. Apple has warned physicians that iCloud may not store PHI data safely, and should not be used by healthcare companies, as reported in the HIPAA Journal.
Fortunately, there are dozens of other HIPAA compliant texting and video chat platforms that cater to medical professionals like you.
FaceTime is secured with the following privacy measures:
· End-to-end encryption
· User authorization via Apple ID
· Harsh format storage (so FaceTime information cannot be saved or retrieved)
It is reasonable for healthcare providers to believe it may still be possible to use FaceTime in a HIPAA-compliant way – but the user must take extreme care. Everything in view of the patient must be considered. For example, if medical charts of other patients are in plain view, or another physician is having a virtual meeting with another patient in the background, those would be considered HIPAA violations.
Some platforms advocate FaceTime as a HIPAA-compliant app through the conduit exemption of the typical BAA rule. The States Department of Veterans Affairs (VA), which disallows the use of Skype and other teleconferencing technology, actually gave FaceTime an “Approved w/ Constraints” rating, so long as technology is patched and operated in accordance with Federal and Department security policies.
The coronavirus pandemic has relaxed all HIPAA policies, especially those pertaining to telemedicine. The Office for Civil Rights (OCR) has been generally permissive of FaceTime and other technology as the need for telemedicine has exploded:
A covered health care provider that wants to use audio or video communication technology to provide telehealth to patients during the COVID-19 nationwide public health emergency can use any non-public facing remote communication product that is available to communicate with patients. [i]
This rule goes not only for COVID-19 related appointments but for all appointments, and is still in effect for the time being.
Here are two final reasons you might choose to avoid FaceTime in the medical sphere:
1. With so many teleconferencing solutions available and willing to sign a BAA, it may be best to cover your bases with a HIPAA compliant texting and video option.
2. The current HIPAA exemptions won’t last, which means you cannot rely on popular apps like FaceTime as long-term solutions.
You might do your own research about other HIPAA texting and video call options before making a decision on what’s best for your business.
[i] https://www.hhs.gov/hipaa/for-professionals/special-topics/emergency-preparedness/notification-enforcement-discretion-telehealth/index.html