Is FaceTime HIPAA Compliant?
This article first appeared on LinkedIn Pulse 05/20/15 by Jon Taylor of Bayon IT. In the first part of this series we address one of the most common questions we get asked: "Is FaceTime a HIPAA compliant solution?" A web search for that answer turns up mixed answers and a lot of confusion. FaceTime is an easy tool for video conferencing, so it is natural to want to use it, but given the rules and regulations HIPAA imposes, healthcare professionals want to be sure they stay compliant. We did a deep dive into FaceTime, looking for information that not only answers the question but lets readers reach a conclusion themselves. This report covers what it means to be HIPAA compliant, how FaceTime works under the hood, and how FaceTime is currently used in the healthcare industry.
Before one can determine whether FaceTime is HIPAA compliant, one must understand what HIPAA compliance means. The first thing to realize is that no piece of technology can make you compliant, because HIPAA compliance ultimately rests with people: how you use a technology determines whether you are compliant. That said, while no technology can make you compliant, certain technology can make you non-compliant. A car makes a useful analogy, with traffic law standing in for HIPAA. Say you buy a new car from a dealership and bring it home. Everything about that car meets the laws required to drive on the road; for all intents and purposes it is street legal. Yet how you drive it can still break those laws. Something as simple as speeding makes you non-compliant with the law the moment you do it, and earns you a fine. That is the equivalent of having a HIPAA compliant product whose user decides, through their own behavior, whether they are HIPAA compliant.
Now consider the other scenario with the same car: you decide not to insure it. You could drive it around town obeying every traffic law, but the mere fact that it is uninsured means you are breaking the law. That is the equivalent of using a technology in what you believe is a compliant way while the technology itself has a quality or feature that makes it non-compliant no matter how carefully you use it. With that distinction in mind, we can look more closely at FaceTime to determine whether anything about the technology itself is non-compliant. Keep in mind that HIPAA compliance goes well beyond choosing compliant technology. It is an ongoing commitment and is never finished by buying one product or picking one technology. Documenting your decisions regarding HIPAA and training employees, among many other things, are requirements for building a compliant culture inside your business and among your peers. The purpose of this article is to determine whether Apple's FaceTime is compliant and whether it is appropriate for your own scenarios, so please seek out additional information on the other areas of compliance within your organization.
What does Apple say about FaceTime and HIPAA?
Typing "FaceTime" and "HIPAA" into a search engine turns up a few statements from Apple that bear on this issue. When FaceTime first came out in 2010, some speculated that it was unencrypted and sent details back to Apple. Apple responded to those allegations in 2010 with the following email to Jason O'Grady of ZDNet:
“The site you mention is alleging that FaceTime is sending user names and locations back to Cupertino after each FaceTime call. That is incorrect.
Apple creates a unique ID for each FaceTime user, ensuring FaceTime calls are routed and connected properly. No other user information is stored for FaceTime and Apple cannot retrieve the data for any other purpose (it is stored in a hash format). No location information is ever used or stored during FaceTime registration or a FaceTime conversation. Additionally, the entire FaceTime conversation stream itself is encrypted.”
This email is informative and clarifies how FaceTime works, but it does not address HIPAA compliance. In 2011, when a reader asked whether the iPad was eligible for government healthcare funds, an Apple spokesperson sent the same author, Jason O'Grady of ZDNet, the following response:
“iPad supports WPA2 Enterprise to provide authenticated access to your enterprise wireless network. WPA2 Enterprise uses 128-bit AES encryption, giving users the highest level of assurance that their data will remain protected when they send and receive communications over a Wi-Fi network connection. In addition to your existing infrastructure each FaceTime session is encrypted end to end with unique session keys. Apple creates a unique ID for each FaceTime user, ensuring FaceTime calls are routed and connected properly.”
Once again, the email is informative and gives more insight into how FaceTime works, but it mainly shows how secure the iPad can be and does not address any part of HIPAA specifically. People often cite this email when vouching for FaceTime's HIPAA compliance, but is it enough? For some it is, but many healthcare providers require far more rigorous information and do not take a vendor's opinion at face value. The date of the response also matters: it is from 2011. In 2013 HIPAA was updated by the Omnibus Rule, which made many changes to the Privacy Rule and added new requirements to the Breach Notification provisions. This matters because a technology that was compliant before the Omnibus Rule could be non-compliant after it. With a better picture of how FaceTime works, we can now examine the ways FaceTime could or could not be compliant and work toward a conclusion.
Business Associate Agreements and the Conduit Exception Rule
One of the big changes in the 2013 Omnibus Rule was a clarified definition of who counts as a "Business Associate." The regulatory definition (45 CFR 160.103) describes a Business Associate (BA) as a person who:
On behalf of such covered entity or of an organized health care arrangement (as defined in this section) in which the covered entity participates, but other than in the capacity of a member of the workforce of such covered entity or arrangement, creates, receives, maintains, or transmits protected health information for a function or activity regulated by this subchapter, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities listed at 42 CFR 3.20, billing, benefit management, practice management, and repricing; or
Provides, other than in the capacity of a member of the workforce of such covered entity, legal, actuarial, accounting, consulting, data aggregation (as defined in §164.501 of this subchapter), management, administrative, accreditation, or financial services to or for such covered entity, or to or for an organized health care arrangement in which the covered entity participates, where the provision of the service involves the disclosure of protected health information from such covered entity or arrangement, or from another business associate of such covered entity or arrangement, to the person.
In a nutshell, any vendor to a covered entity that creates, receives, maintains, or transmits protected health information is a Business Associate. For a covered entity to work with a Business Associate and remain compliant, it needs what is called a Business Associate Agreement (BAA) with that vendor. At first glance Apple looks like a BA, which would require a BAA, but one exemption calls for a closer look: the conduit exception.
The conduit exception was explained further in the Omnibus Final Rule, which clarified who is and is not a conduit. Two excerpts from the rule:
“The conduit exception is a narrow one and is intended to exclude only those entities providing mere courier services, such as the U.S. Postal Service or United Parcel Service and their electronic equivalents, such as internet service providers (ISPs) providing mere data transmission services.”
“We note that the conduit exception is limited to transmission services (whether digital or hard copy), including any temporary storage of transmitted data incident to such transmission. In contrast, an entity that maintains protected health information on behalf of a covered entity is a business associate and not a conduit, even if the entity does not actually view the protected health information. We recognize that in both situations, the entity providing the service to the covered entity has the opportunity to access the protected health information. However, the difference between the two situations is the transient versus persistent nature of that opportunity.”
As the excerpts show, the conduit exception is aimed at vendors like your Internet Service Provider (ISP) or your phone company, such as Comcast, CenturyLink, Time Warner, Cox, and AT&T. To qualify as a conduit, a vendor must do nothing more than transmit the data, with at most the transient opportunity to access it that transmission itself entails. In practice, the vendor must not persistently store the data it carries and, for an encrypted stream, must not hold the key that could decrypt it. Now that we know what HIPAA requires of Business Associates and who qualifies as a conduit, we can determine which category FaceTime falls into, which will drive our conclusion.
How does FaceTime work under the hood?
The emails from Apple quoted above gave us a small glimpse into how FaceTime works, but not a full understanding of the service as a whole. In October 2014, Apple updated its iOS Security Guide, giving the most in-depth explanation yet of many Apple services, FaceTime among them. The guide says the following about FaceTime:
“FaceTime is Apple’s video and audio calling service. Similar to iMessage, FaceTime calls also use the Apple Push Notification service to establish an initial connection to the user’s registered devices. The audio/video contents of FaceTime calls are protected by end-to-end encryption, so no one but the sender and receiver can access them. Apple cannot decrypt the data.
FaceTime uses Internet Connectivity Establishment (ICE) to establish a peer-to-peer connection between devices. Using Session Initiation Protocol (SIP) messages, the devices verify their identity certificates and establish a shared secret for each session. The cryptographic nonces supplied by each device are combined to salt keys for each of the media channels, which are streamed via Secure Real Time Protocol (SRTP) using AES-256 encryption.”
From this description, a FaceTime session is end-to-end encrypted and negotiated peer-to-peer. (ICE, which the guide expands as "Internet Connectivity Establishment," is the standard Interactive Connectivity Establishment technique of RFC 5245 for setting up a direct connection between two endpoints that sit behind NATs.) Apple provides the signaling that lets the two FaceTime users find each other via their Apple IDs and pushes the initial connection request over APNs, but the session secret and the per-channel media keys are established between the two devices themselves. Only the two parties on the call hold the keys that can decrypt the stream, and the guide states explicitly that Apple cannot decrypt it.
Because FaceTime is peer-to-peer and end-to-end encrypted, Apple does not store FaceTime sessions on its servers and cannot decrypt a live session. On that basis we are confident that FaceTime can be used as a HIPAA compliant solution. We reach that conclusion through the conduit exception: Apple's role in a FaceTime call is that of a conduit rather than a Business Associate, so no Business Associate Agreement is required for this technology. The reasoning rests entirely on the design the guide describes; if a future version of FaceTime stored media or gave Apple access to session keys, the analysis would have to be redone.
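To make the conduit argument concrete, here is an added illustration (it is not Apple's code and not part of the original article) of the key-agreement shape the quoted guide describes: a per-session shared secret, both devices' nonces salting the keys for each media channel, and authenticated encryption of every media packet. The shared secret is taken as an input because the certificate-authenticated SIP handshake that produces it is not reproduced; HMAC-SHA256 in counter mode stands in for the AES-256 SRTP cipher so that the example runs on the Python standard library alone; the nonces, secret, and "relay" party are constructed for the demonstration. The relay models the signaling path: it sees both nonces and every packet, but never the secret, so it cannot derive the media keys.

```python
"""Illustrative key derivation and media protection for a FaceTime-style call.

Added example, not Apple's code. HMAC-SHA256 in counter mode stands in for
the AES-256 SRTP cipher, and the shared secret is an input because the
certificate-authenticated SIP handshake that produces it is not reproduced.
"""
import hashlib
import hmac

TAG_LEN = 16  # truncated HMAC tag appended to each packet


def derive_channel_keys(shared_secret: bytes, nonce_a: bytes, nonce_b: bytes,
                        channel: str) -> tuple[bytes, bytes]:
    """HKDF-style extract-then-expand (RFC 5869 shape, SHA-256).

    Both nonces form the salt and the channel label is the info string, so
    every media channel gets distinct keys and every session gets fresh keys
    even if the shared secret were reused. Returns (encryption key, auth key).
    """
    prk = hmac.new(nonce_a + nonce_b, shared_secret, hashlib.sha256).digest()
    info = channel.encode()
    t1 = hmac.new(prk, info + b"\x01", hashlib.sha256).digest()
    t2 = hmac.new(prk, t1 + info + b"\x02", hashlib.sha256).digest()
    return t1, t2


def _keystream(key: bytes, seq: int, length: int) -> bytes:
    """Counter-mode keystream: PRF(key, seq || block) for as many blocks as needed."""
    out = bytearray()
    block = 0
    while len(out) < length:
        msg = seq.to_bytes(4, "big") + block.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def protect_packet(enc_key: bytes, auth_key: bytes, seq: int, payload: bytes) -> bytes:
    """Encrypt-then-MAC one media packet: seq(4) || ciphertext || tag(16)."""
    header = seq.to_bytes(4, "big")
    ct = bytes(p ^ k for p, k in zip(payload, _keystream(enc_key, seq, len(payload))))
    tag = hmac.new(auth_key, header + ct, hashlib.sha256).digest()[:TAG_LEN]
    return header + ct + tag


def unprotect_packet(enc_key: bytes, auth_key: bytes, packet: bytes):
    """Return the plaintext, or None when the tag fails (wrong key or tampering)."""
    if len(packet) < 4 + TAG_LEN:
        return None
    header, ct, tag = packet[:4], packet[4:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(auth_key, header + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None
    seq = int.from_bytes(header, "big")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, seq, len(ct))))


def simulate_call(shared_secret: bytes, alice_nonce: bytes, bob_nonce: bytes,
                  frame: bytes) -> dict:
    """Push one audio frame from Alice to Bob and let a hypothetical relay try to read it.

    The relay models the signaling path: it sees both nonces and the packet
    but never the shared secret, so the best it can do is guess (here: zeros).
    """
    a_enc, a_auth = derive_channel_keys(shared_secret, alice_nonce, bob_nonce, "audio")
    b_enc, b_auth = derive_channel_keys(shared_secret, alice_nonce, bob_nonce, "audio")
    v_enc, _ = derive_channel_keys(shared_secret, alice_nonce, bob_nonce, "video")
    packet = protect_packet(a_enc, a_auth, 1, frame)

    r_enc, r_auth = derive_channel_keys(b"\x00" * 32, alice_nonce, bob_nonce, "audio")
    tampered = packet[:4] + bytes([packet[4] ^ 0x01]) + packet[5:]  # flip one ciphertext bit
    return {
        "peers_agree": (a_enc, a_auth) == (b_enc, b_auth),
        "channels_differ": a_enc != v_enc,
        "bob_plaintext": unprotect_packet(b_enc, b_auth, packet),
        "relay_plaintext": unprotect_packet(r_enc, r_auth, packet),
        "tampered_plaintext": unprotect_packet(b_enc, b_auth, tampered),
    }


if __name__ == "__main__":
    # Constructed inputs; a real call would use a negotiated secret and random nonces.
    result = simulate_call(b"session-secret-from-sip-handshake", b"A" * 16, b"B" * 16,
                           b"opus frame 0001")
    for name, value in result.items():
        print(f"{name}: {value!r}")
```

The two things to take from the run are that both peers derive identical audio keys (and different video keys) from the same secret and nonces, while a party that knows only the nonces cannot pass the tag check, let alone recover the frame. That is the property the conduit exception turns on: whoever carries the packets has no persistent access to their contents, because the key material never leaves the endpoints.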
Is Anyone in Healthcare Using FaceTime?
We have concluded that FaceTime is a compliant solution, but with many teleconferencing vendors willing to sign a BAA, is anyone actually using FaceTime in healthcare? During our research we found one of the largest healthcare providers in the United States weighing in. In the final quarter of 2014, the United States Department of Veterans Affairs (VA) gave FaceTime an "Approved w/ Constraints" rating in its Technical Reference Model. The single constraint is quoted below:
“Technology must remain patched and operated in accordance with Federal and Department security policies and guidelines in order to mitigate known and future security vulnerabilities.”
This is a ringing endorsement for FaceTime, especially since other teleconferencing products such as Skype are listed as "Unapproved" on the VA website. Given the timing, it is reasonable to expect that Apple's iOS Security Guide supplied the clarity and detail the VA needed to mark FaceTime approved. The VA's endorsement gives us extra confidence that our own conclusions about FaceTime's compliance are accurate and backed by evidence.
Is FaceTime Always Compliant?
Now that we know FaceTime is a HIPAA compliant solution for teleconferencing, is there anything else to know? Just as in the car analogy at the start of the article, it is possible to use FaceTime in a non-compliant way.
The U.S. Department of Health and Human Services (HHS) has said that information which did not exist in electronic form before transmission, such as a live voice call, is not electronic protected health information (ePHI); a live FaceTime call largely falls under that exemption. The big difference with FaceTime is that video accompanies the oral communication, and because video is involved there are many mistakes that can make a person's use of FaceTime non-compliant.
For example, if a healthcare provider is on a FaceTime call and the medical charts of other patients are in plain view, that is a clear HIPAA violation. If patients in a waiting room are visible in the background of the video, that is a clear HIPAA violation. And if a provider records the FaceTime session on a Mac or any other device, the recording becomes ePHI, must be stored and maintained accordingly, and is subject to the full HIPAA rules.
Your environment therefore matters a great deal during these sessions. Be aware of your surroundings: who is in the background of your video, what information is visible behind you, and whether other people can hear you when you discuss ePHI. With those precautions in place, FaceTime can be used securely and safely in the healthcare industry.
To conclude: we have covered what it means to be HIPAA compliant, how FaceTime works, how FaceTime is categorized with respect to Business Associates and conduits, and who in healthcare is currently using FaceTime. HIPAA compliance is never finished; it is an ongoing obligation. As the Omnibus Final Rule showed, HIPAA can change in ways that require revisiting the technologies and everyday practices within your organization. HIPAA requires covered entities and business associates to conduct a risk analysis and assessment to determine what is reasonable and appropriate for their business. We hope this report gives you the information you need to decide whether FaceTime is a reasonable and appropriate solution for your healthcare practice.
About The Author: Jon Taylor
Jon Taylor is the President and Founder of Bayon Health (www.BayonHealth.com), the leading provider in healthcare solutions for Apple products. Currently based out of Minneapolis – St. Paul, MN, Jon’s focus is to help change the world of healthcare by leveraging technology to improve efficiencies and the patient experience.
He is also the author of Hassle Free Apple IT Support for Healthcare, which arms healthcare providers with valuable information when seeking out top-notch, healthcare-centric Apple IT support.
SimpleVisit is a video service which allows patients and providers to connect over the video platform of their choice. With SimpleVisit providers are able to deliver on-demand visits to patients over any device or platform they have available to them. For more information on SimpleVisit and on how we are enabling providers to host virtual visits check out www.SimpleVisit.com