Is FaceTime HIPAA compliant?
Learn whether FaceTime is HIPAA compliant based on its security controls, functionality, and relationships with covered entities. The COVID-19 pandemic, the increasing reliance on telehealth, and greater workforce mobility forced the healthcare industry to look for secure app solutions to deliver services effectively and streamline communication among employees, vendors, and patients. The integration of video conferencing into healthcare services has emerged as a game-changer, providing numerous benefits that are transforming the way communication occurs. This requires more effort from covered entities and app developers to make video conferencing secure, confidential, and compliant with the Health Insurance Portability and Accountability Act (HIPAA). There are many telehealth video conferencing apps that offer secure and compliant communication and information sharing. Yet they have their constraints, such as limited functionality, additional licensing costs, and difficulties integrating across different clinical systems. In addition, users often feel frustrated by an excessive number of new communication channels and want to move their healthcare communication to more familiar video calling services. One of the most popular video chat services in the United States is FaceTime, with more than 47% of adults using it to chat for family purposes, according to Statista. Given the popularity of FaceTime, there is a question of whether it is appropriate to use this tool for healthcare communication. This article explores whether FaceTime is a HIPAA-compliant app and its suitability for use in healthcare services.
What safeguards a HIPAA-compliant video call app should have
There are many security controls that a HIPAA-compliant app should include. HIPAA regulations for video calling apps generally encompass the technical safeguards of the HIPAA Security Rule: access controls, audit controls, integrity controls, authentication, and transmission security to prevent unauthorized access to PHI. Overall, a HIPAA-compliant video calling app should ensure confidentiality by implementing strong access controls and end-to-end encryption. Specifically, the required security measures include:

End-to-End Encryption. Malicious users and unauthorized third parties might try to gain access to data transmitted during a video call. HIPAA requires encrypting PHI both at rest and in transit, converting it into an unreadable format that can only be unlocked with a decryption key. Robust encryption protocols safeguard sensitive health data during storage, transmission, and processing.

Limited Access. Access to PHI should be restricted to authorized users, following the principle of least privilege so that only those who need the information for their roles can access it. Video calling apps should also support emergency access to PHI in situations where the account owner is unavailable.

Secure User Authentication. Individuals authorized to access PHI must authenticate their identities with a unique, centrally issued username and password. Two-step authentication is necessary to add an extra layer of security and prevent unauthorized access.

Monitoring User Activity. A robust monitoring system must track the activities of authorized users accessing PHI, so that organizations can promptly detect and respond to any unauthorized or suspicious activity.

Access Logs. HIPAA compliance requires recording access logs and maintaining an audit trail of user activity. This transparency is crucial for accountability and lets organizations track who accessed what information and when.

Automatic Logoff. Sessions should be terminated automatically after a specified period of inactivity.

Protection Against Inappropriate Alteration or Destruction. Policies and procedures should be established to prevent the inappropriate alteration or destruction of PHI. These measures maintain data integrity and ensure that information remains accurate and unaltered.

Protection in Case of Device Loss or Theft. Controls must secure PHI stored on devices, particularly in the event of loss or theft, to prevent unauthorized access to sensitive information.

Business Associate Agreement. Video call service providers are business associates under HIPAA. They must therefore enter into a business associate agreement with covered entities, committing to compliance with HIPAA requirements.

Most (if not all) consumer video call services fail in one or more of these areas, so they cannot be considered HIPAA-compliant. But what about FaceTime?
What safeguards does FaceTime provide?
On its website, Apple states that all communications through FaceTime are protected by end-to-end encryption that Apple itself cannot decrypt. According to Apple, FaceTime functions as a peer-to-peer connection between devices established through Internet Connectivity Establishment (ICE). Using Session Initiation Protocol (SIP) messages, the devices verify their identity certificates and establish a shared secret for each session. The cryptographic nonces supplied by each device are combined to salt the keys for each media channel, which is streamed via Secure Real Time Protocol (SRTP) using AES-256 encryption. Access controls are in place, via Apple IDs, to ensure the service can only be used by authorized individuals, and two-factor authentication is available for Apple ID on Apple devices. Apple also states that it never stores the content of FaceTime calls on any servers. Nevertheless, Apple won’t sign a business associate agreement (BAA) with organizations for FaceTime to process, store, or transmit PHI. But is FaceTime a business associate at all?
The HIPAA Conduit Exception Rule and FaceTime
Based on what Apple states about FaceTime’s functionality, the service could potentially be classified as a conduit. Conduits are service providers that act as channels through which PHI is sent. They do not store or access PHI and must not hold a key that can unlock encrypted data. Internet providers, postal services, courier companies, and their electronic equivalents are considered conduits, and their treatment is governed by the HIPAA Conduit Exception Rule, which applies to organizations that act only as channels through which PHI is sent. Whether FaceTime is covered by the HIPAA Conduit Exception Rule is debatable, and any decision to use it without a BAA should be based on a legal opinion from trusted legal experts. Notably, other video conferencing platforms that handle video calls in a similar way still offer to sign BAAs with HIPAA-covered entities.
HIPAA-compliant video conferencing alternatives to FaceTime
The video conferencing market is saturated, with numerous tools tailored for compliance and seamless integration into existing platforms. Here are some of the most widely used:

Simple Practice Telehealth. Tailored for healthcare professionals, this video conferencing software provides virtual appointment capabilities and integrates an insurance processing feature. It caters to medical and mental health practitioners, or anyone who needs efficient insurance claims filing.

Google Meet. Can meet HIPAA compliance requirements once a BAA is signed with Google and the service’s settings are configured appropriately. Unlike some competitors, Google Meet integrates seamlessly with the other G Suite applications, providing a unified and familiar environment for healthcare professionals.

Zoom for Healthcare. Zoom is a widely used video conferencing tool, but the free version is not HIPAA compliant. To ensure adherence to HIPAA standards, healthcare providers should opt for the Zoom for Healthcare plan, which provides a comprehensive set of features compliant with HIPAA regulations.

VSee. An all-in-one tool for scheduling appointments, holding high-quality video calls, and managing patient forms. During sessions, patients can easily share photos, and healthcare providers can screen-share recent scan results, enhancing the overall functionality and efficiency of the platform.
Final Thoughts
No communication platform is HIPAA compliant out of the box. HIPAA compliance is not only about technology but also about how it is configured and used. Users and developers must pay attention to whether their apps have end-to-end encryption, access controls, access logs, and the other critical safeguards in place to ensure the confidentiality, integrity, and availability of PHI. Having a BAA in place with the app provider is also a necessary element of HIPAA compliance. It is also worth mentioning that some service providers are exempt from qualifying as business associates, provided they meet the criteria established in the HIPAA Conduit Exception Rule. Facing HIPAA compliance challenges with your applications or other security concerns? Contact Planet 9 for expert guidance. With a proven track record in data protection, we offer tailored solutions to ensure your organization's adherence to HIPAA regulations.