As more healthcare providers choose to meet with patients virtually, it is important to determine whether the tools they use are HIPAA compliant. A popular tool for video communication is FaceTime. Before using FaceTime for patient communication, a provider should ask whether FaceTime is HIPAA compliant.
Is FaceTime HIPAA Compliant: Conduit or Business Associate?
There is some confusion over whether FaceTime falls under the conduit exception, since Apple does not have access to the ePHI exchanged on a call. Generally, a service that only transmits PHI and never accesses it is considered a conduit; however, because Apple is a cloud service provider (CSP), it may be held to a different standard.
According to the Department of Health and Human Services (HHS):
CSPs that provide cloud services to a covered entity or business associate that involve creating, receiving, or maintaining (e.g., to process and/or store) electronic protected health information (ePHI) meet the definition of a business associate, even if the CSP cannot view the ePHI because it is encrypted and the CSP does not have the decryption key.
Under that guidance, Apple is considered a business associate when FaceTime is used to transmit ePHI, even though Apple cannot view the encrypted content of the call.
Is FaceTime HIPAA Compliant: Signing a BAA
When FaceTime is used to communicate protected health information (PHI), Apple is a HIPAA business associate. A covered entity may not share, transmit, store, or maintain PHI using a business associate's services until a business associate agreement (BAA) has been signed. Apple does not sign BAAs, so Apple services, including FaceTime, cannot be used in a HIPAA compliant manner.
HIPAA Compliant Video Calling: Security Features
Although FaceTime is not HIPAA compliant because Apple will not sign a BAA, other video calling services will. A signed BAA is not enough on its own, however: to be HIPAA compliant, a video calling service must also have security features that safeguard PHI. Two essential features are end-to-end encryption (E2EE) and access controls.
E2EE encrypts a call on the sending device and decrypts it only on the receiving device, so the content is unreadable in transit, including to the service provider, without the decryption key held by the endpoints. Access controls are a second layer of protection: each user authenticates with unique login credentials (no shared accounts), and employees are granted different levels of access to PHI based on their job function, so that each role can see only the information it needs.
Together, these features reduce the risk of unauthorized access to PHI: E2EE protects it in transit, and access controls limit who can view it once it is received.
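The access-control idea above, role-based access with unique user identities and an audit trail of every read, is shown here as an added example written for this article; it is not code from the article or from any video-calling vendor. The roles, the permitted fields per role, the user names and the patient record are all constructed for illustration, and a real system would load them from its identity provider and policy store.

```python
"""Role-based, field-level release of PHI with an audit trail.

Added example for this article; not code from the article or from any
video-calling vendor. Roles, record fields, user names and the sample
patient record are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed policy: the record fields each job function may read.
# A clinician sees the clinical fields, billing only what it needs to
# submit a claim, and a scheduler only what it needs to book a visit.
ROLE_FIELDS = {
    "clinician": {"name", "dob", "diagnosis", "medications", "visit_date"},
    "billing": {"name", "dob", "insurance_id", "visit_date"},
    "scheduler": {"name", "visit_date"},
}

# Constructed sample record, keyed by a hypothetical patient identifier.
SAMPLE_RECORDS = {
    "p-1001": {
        "name": "Example Patient",
        "dob": "1980-01-01",
        "diagnosis": "J06.9",
        "medications": ["amoxicillin 500 mg"],
        "insurance_id": "INS-0000",
        "visit_date": "2024-03-04",
    }
}


@dataclass
class AuditEntry:
    """One audit row: which unique user, acting as which role, read which
    patient, and which fields were released or withheld (or denied)."""
    user: str
    role: str
    patient_id: str
    released: tuple
    withheld: tuple
    denied: bool
    timestamp: str


@dataclass
class PhiStore:
    records: dict
    audit_log: list = field(default_factory=list)

    def read(self, user: str, role: str, patient_id: str) -> dict:
        """Return only the fields the caller's role may see, and log the access."""
        now = datetime.now(timezone.utc).isoformat()
        if role not in ROLE_FIELDS or patient_id not in self.records:
            # Unknown role or patient: deny, but still record the attempt.
            self.audit_log.append(AuditEntry(user, role, patient_id, (), (), True, now))
            raise PermissionError(f"{user!r} as {role!r} may not read {patient_id!r}")
        record = self.records[patient_id]
        allowed = ROLE_FIELDS[role]
        released = {k: v for k, v in record.items() if k in allowed}
        withheld = tuple(sorted(set(record) - allowed))
        self.audit_log.append(
            AuditEntry(user, role, patient_id, tuple(sorted(released)), withheld, False, now)
        )
        return released


def demo() -> dict:
    """Read the sample record as each role, plus one unknown role, and
    return which fields each role received and how many audit rows exist."""
    store = PhiStore(dict(SAMPLE_RECORDS))
    out = {}
    for user, role in [("dr.lee", "clinician"), ("b.chen", "billing"), ("s.park", "scheduler")]:
        out[role] = sorted(store.read(user, role, "p-1001"))
    try:
        store.read("guest", "visitor", "p-1001")
    except PermissionError:
        out["visitor"] = None  # denied, and the denial is still logged
    out["audit_entries"] = len(store.audit_log)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point of the `withheld` column is that the log records not just who looked at a record but what the policy kept from them, which is what an auditor asks for when checking that access levels actually follow job function. Denied attempts are logged before the exception is raised so that a failed lookup by an unknown role still leaves a trace.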
Using HIPAA Compliant Video Calling
The following are some popular video conferencing tools that are HIPAA compliant when used properly:
- Skype for Business
The above tools will sign a BAA and have adequate security features, enabling HIPAA compliant video calling. However, compliance ultimately comes down to the end user: no software can be considered HIPAA compliant if it is not configured correctly (encryption and unique logins enforced, access levels set by role) and if users do not know how to use it in a HIPAA compliant manner. When implementing a new tool, it is essential to train employees on it.