Telehealth may seem like a new concept fueled by COVID-19, but in reality, telehealth companies have been around for many years and are growing in popularity. Due to the outbreak of COVID-19, healthcare providers and patients are turning to telehealth companies to fill the void. Providers are also asking if other prominent video conferencing software such as Apple FaceTime® can be considered a HIPAA compliant telehealth software platform.
Is Apple FaceTime® a Conduit or a Business Associate?
Before we can determine whether Apple FaceTime® is a HIPAA compliant telehealth app or not we must ascertain if it is responsible for keeping electronic protected health information (ePHI) safe. HIPAA compliance normally pertains to covered entities (health plans, health care clearinghouses, and health care providers) which Apple FaceTime® obviously isn’t. It could be argued that Apple FaceTime® may be considered a conduit or a business associate in the eyes of HIPAA. A conduit is a service that transmits ePHI and does not store it, or have the ability to access encrypted data. Telephone service providers and internet service providers are considered conduits, but cloud service providers are not. A conduit is not required to sign a Business Associate Agreement (BAA).
Recommended: Is Skype® is HIPAA Compliant?
Business associates are organizations or persons that create, transmit, receive, or maintain PHI on behalf of any covered entity. Cloud service providers (CSP) that provide cloud services to a covered entity or business associate that involves creating, receiving, or maintaining ePHI meet the definition of a business associate, even if the CSP cannot view the ePHI.
Apple® does not store any information sent via FaceTime®, which is a peer-to-peer communication channel where voice and audio communications are transmitted between individuals and can not decrypt sessions. Apple® is considered a business associate, therefore, is required to sign a BAA.
Will Apple Sign A BAA?
Because Apple® is considered a business associate it is required to sign a BAA (Business Associate Agreement). A BAA is a contract between a covered entity and a business associate that requires both parties to protect personal health information under the rules and regulations of HIPAA. Apple® is not willing to sign a BAA, therefore its services including FaceTime®, are not technically HIPAA compliant.
HIPAA Discretion During COVID-19
Under the good faith provision of telehealth during COVID-19, covered health care providers can use Apple FaceTime®, to provide telehealth without the risk of HIPAA non-compliance penalties. Apple FaceTime® could potentially introduce security risks, and providers should enable all available encryption and privacy modes when using such applications. Other popular applications are witnessing a rise in usage for telehealth purposes including Whatsapp®, Zoom®, and Skype™. It is advisable that healthcare providers notify patients that third-party applications such as Apple FaceTime® are not HIPAA compliant and that there are other HIPAA compliant telehealth apps such as:
- Skype for Business™
- Google Hangouts™
- Zoom for Healthcare®
- Cisco® Webex Meetings / Webex Teams
- Amazon Chime™
- Spruce Health Care Messenger™
- Bridge Video Visits, powered by Zoom for Healthcare®
Any application leveraged by covered entities that transmit ePHI needs to comply with certain HIPAA regulations. Given the fact that Apple FaceTime® will not sign a BAA, we can deduce that Apple FaceTime® is NOT a HIPAA Compliant Telehealth Software Platform. Any healthcare provider using non-compliant software during the leniency of COVID-19 must still strive to provide their patients with the most secure/safe environment possible.
DISCLAIMER: All product and company names are trademarks™ or registered® trademarks of their respective holders. Bridge Patient Portal is not affiliated, endorsed, or sponsored in any way to the service providers mentioned in this article.