Is FaceTime HIPAA compliant?
Due mainly to the coronavirus pandemic, 91 percent of healthcare professionals are anticipated to provide telehealth services at the end of 2020. Working with patients in a digital setting requires video and chat software, such as Apple’s FaceTime. Similar to Skype and Google Hangouts, FaceTime lets you run one-on-one video calls between newer iPhones, iPads, iPod touch devices, and Mac laptops and desktops. But before using FaceTime for patient communication, it is essential to ask: is Apple FaceTime HIPAA compliant?
So, is it?
For FaceTime, or any other tool, to be HIPAA compliant, the company that makes the tool has to sign a business associate agreement (BAA) before discussing, transmitting, storing, or maintaining protected health information (PHI).
In other words, a BAA is a contract between the business associate (in this case, Apple) and the healthcare provider, such as a practice that uses FaceTime for telehealth services. Both parties need to agree to take on specific responsibilities in handling PHI. One of the stipulations in HIPAA says the BAA must guarantee that “the business associate will not use or disclose the protected health information other than as required or permitted by the contract or as required by law.” To put it differently, the contractor working with the healthcare provider won’t use PHI for anything other than what is stated in their agreement or required for authorized use.
In Apple’s case, this makes very little difference, as the technology giant does not appear to intend to enter into a BAA with healthcare businesses. Not only that, but it even states that its iCloud data storage service isn’t HIPAA compliant and shouldn’t be used by healthcare organizations.
Since Apple will not sign a BAA for FaceTime, it would seem that FaceTime is not a HIPAA-compliant service. However, it is not quite that simple. Entities that are classed as “business associates” for the purposes of HIPAA must sign BAAs. However, entities classed as “conduits” are exempt. If FaceTime is a conduit rather than a business associate, then healthcare organizations may use FaceTime without a BAA. Which is it?
What is the HIPAA Conduit Exception Rule?
The HIPAA Conduit Exception Rule essentially says that when a company acts as a conduit for PHI (that is, it merely transmits health information but does not have access to it or store it), it is exempt from the BAA requirement.
Unfortunately, Apple is a cloud service provider (CSP), and CSPs are generally not considered conduits. Under HHS guidance on HIPAA and cloud computing, cloud service providers that receive or store PHI are, in fact, business associates. This is true even if the CSP cannot view the information because it is encrypted.
When it comes to using PHI on FaceTime, Apple is a business associate and isn’t covered by the conduit exception rule.
All communications sent through FaceTime are secured with end-to-end encryption, and only authorized users can access an account with their Apple ID. Apple also does not store any information sent through FaceTime, which might suggest FaceTime can be used in a HIPAA-compliant way. Still, it is possible to use FaceTime in a non-compliant manner. It depends much more on the user than on the technology.
Additionally, as stated previously, because Apple is classed as a business associate, the company must sign a BAA before discussing, transmitting, storing, or maintaining PHI using Apple services. Since Apple will not sign a BAA and is not covered under the HIPAA Conduit Exception Rule, FaceTime isn’t HIPAA compliant under ordinary circumstances.
A HIPAA exemption
However, the coronavirus pandemic has caused anything but ordinary circumstances. Under the shadow of COVID-19, enforcement of HIPAA rules has been relaxed, especially regarding telemedicine, including FaceTime. The Office for Civil Rights (OCR) deemed it necessary to relax the rules to allow much-needed telehealth capabilities nationwide.
Providers will not be penalized for using such solutions, even when they are not fully HIPAA compliant, provided that they notify their patients of the potential privacy risks and protect sensitive patient data.
However, this current exemption will not last, so you cannot rely on popular consumer applications like FaceTime as a long-term solution. It is essential to prepare HIPAA-compliant video-conferencing software options whenever possible.
Ensure your software vendor will sign a BAA to make certain you’re complying with all HIPAA requirements. And make sure that you and your patients can use the software now and in the future.