Is FaceTime HIPAA Compliant?

FaceTime is a video call service offered by Apple between certain iOS devices, but is it HIPAA compliant? Would it be against HIPAA Rules to use FaceTime to share protected health information (PHI)?

Below, we will review the security measures used by FaceTime; ask whether a business associate agreement (BAA) with Apple would be necessary; and explore whether Apple is willing to sign a BAA to cover FaceTime.

Would Apple Enter a BAA for FaceTime?

A thorough examination of Apple’s online resources did not find any evidence that Apple would be willing to sign a BAA with healthcare entities to use FaceTime or any of its services. HIPAA covered entities are directly mentioned once, but only to state that they should not use Apple’s iCloud to create, receive, maintain or transmit PHI.

As Apple will not sign a BAA to cover FaceTime, it would appear that FaceTime is not HIPAA compliant. There may be a way around this: if Apple does not need to be considered a business associate, then a BAA is not necessary.

The HIPAA Conduit Exception Rule

Some entities, such as postal services, couriers, and landline telephone providers, are not classified as business associates because their services are used only as conduits of information. Internet service providers and other electronic equivalents of these services are likewise treated as conduits rather than business associates. These services are covered by the HIPAA Conduit Exception Rule. Could FaceTime be classed as a conduit?

Opinions differ on whether FaceTime falls under the Conduit Exception Rule. Conduits must not store or access PHI and must not possess keys to bypass any encryption.

The Department of Health and Human Services’ Office for Civil Rights (OCR) has previously stated that cloud services, even those that cannot unlock encrypted information, are not exempt under the Rule. Exemptions are for transmission-only services, where any storage is only transient. Cloud services do not meet this requirement.

FaceTime calls are secured with end-to-end encryption which Apple says it cannot decrypt. No call data is stored by Apple, and Apple IDs prevent devices from being used by unauthorized individuals.

According to Apple, “FaceTime uses Internet Connectivity Establishment (ICE) to establish a peer-to-peer connection between devices. Using Session Initiation Protocol (SIP) messages, the devices verify their identity certificates and establish a shared secret for each session. The cryptographic nonces supplied by each device are combined to salt keys for each of the media channels, which are streamed via Secure Real Time Protocol (SRTP) using AES-256 encryption.”

Is FaceTime HIPAA Compliant?

Knowing this, can we say that FaceTime is HIPAA compliant? While HIPAA compliance depends ultimately on the use and not the technology, FaceTime includes the necessary security measures for it to be used in compliance with HIPAA.

The issue revolves around whether FaceTime qualifies as a conduit or not. We believe it might, as does the US Department of Veterans Affairs, which permits it to be used.

Despite the possible exception, there are other video call service providers that will enter into BAAs. If video calls are necessary for your business, we would recommend taking a more cautious approach by using one of these services instead of FaceTime.