An thorough search of the Apple website has shown no evidence that Apple will sign a business associate agreement with healthcare organizations for any of its services. The only referral to it is in relation to HIPAA-covered entities is in relation to iCloud, which Apple clearly states should not be implemented by healthcare providers or their business associates to create, receive, maintain or send PHI.
Since Apple is not willing to sign a business associate agreement for FaceTime, that would suggest FaceTime is not a HIPAA compliant service. However, business associate agreements only need to be completed by business associates. So, is Apple a business associate?
Conduit Exception Rule in HIPAA
The HIPAA Conduit Exception Rule applies to groups that act as conduits through which PHI is shared. The HIPAA Conduit Exception Rule covers entities such as the US Postal Service, some courier firms, and their electronic equivalents. Internet Service Providers (ISPs) fall under the description of “electronic equivalents,” as do telephone service suppliers such as AT&T. But what about FaceTime?
There is some discussion in relation to whether FaceTime is covered by the HIPAA Conduit Exception Rule. In order to be thought of as a conduit, the service provider must not hold any PHI, must not access PHI, and not have the key to release encryption.
The Office for Civil Rights has stated on its website that cloud service providers are generally not thought of as conduits, even if the CSP does not access ePHI, or cannot view the data because ePHI is encrypted and no key is held to release the encryption. That is because the HIPAA Conduit Exception Rule only applies to transmission-only services, where any ePHI storage is only transient. That is not so with CSPs.
Apple has stated that all communications through FaceTime are secured by end to end encryption. Access controls are implemented, through Apple IDs, to ensure the service can only be used by authorized people. Apple also does not store any data sent through FaceTime. FaceTime is a peer-to-peer communication channel, and voice and audio communications are sent between the individuals involved in the session. Apple is also unable to decrypt sessions.
Apple states: “FaceTime uses Internet Connectivity Establishment (ICE) to establish a peer-to-peer connection between devices. Using Session Initiation Protocol (SIP) messages, the devices verify their identity certificates and establish a shared secret for each session. The cryptographic nonces supplied by each device are combined to salt keys for each of the media channels, which are streamed via Secure Real Time Protocol (SRTP) using AES-256 encryption.”
So can FaceTime be Deemed HIPAA Compliant?
So, can FaceTime be deemed HIPAA compliant? No communications platform can be completely HIPAA compliant as HIPAA compliance is about users, not the technology involved. It would be possible to use FaceTime in a noncompliant way, such as sending PHI with an individual who is not authorized to have the data. However, safeguards are in place to ensure FaceTime can be used in a HIPAA compliant way.
It depends entirely on whether it is classified as a conduit, since Apple will not complete a BAA. In our opinion, FaceTime could be classified as a conduit. The US Department of Veteran Affairs also believes FaceTime is HIPAA compliant and permits its use, which shows it is confident that the service is classified as a conduit.
However, other firms that provide video conferencing platforms do not feel similarly, and offer to complete BAAs with HIPAA-covered entities. Therefore, our counsel is to use one of those business solutions rather than the consumer-focused FaceTime and use caution.