
FaceTime HIPAA Privacy Concerns

Apple’s FaceTime has recently been revealed to contain a major bug that significantly impacts the privacy of iPhone users everywhere. Among these concerns are issues specifically regarding FaceTime HIPAA compliance for health care providers across the country.
The FaceTime bug allows callers to hear audio picked up by the recipient’s phone before they have accepted or declined the call. That means that regardless of whether a FaceTime call is answered or not, the caller can eavesdrop on anything picked up by the microphone within the recipient’s phone.

Apple has already stated that they are looking for a fast solution to this major privacy issue. However, when it comes to HIPAA compliance concerns, even a solution from Apple does not eliminate potential HIPAA privacy and security violations.

HIPAA Compliant FaceTime?

For telehealth professionals who rely on third-party telehealth communications platforms to treat patients, using FaceTime or similar video chat clients may seem enticing.

Simply put, FaceTime is not HIPAA compliant and using it in a setting where telehealth or telebehavioral health professionals are treating clients is a major violation of federal regulation.

HIPAA regulation demands that providers contracting with vendors must execute a contract known as a business associate agreement before any health information can be shared, exchanged, or transmitted via their services. Business associate agreements serve a few purposes. The first is to ensure that the entity with which a provider chooses to do business is HIPAA compliant, with all the necessary security standards in place to safeguard health information. The second is to actually protect the provider from liability in the event of a data breach that is caused by a vendor, which is exactly what this FaceTime bug illustrates.

Apple is notorious for refusing to sign business associate agreements with providers, meaning there is no way to use their services to communicate with patients and maintain FaceTime HIPAA compliance.

Additionally, any time a patient is communicated with in an electronic manner, the means of communication must be encrypted. HIPAA encryption helps to protect data that is being transferred between parties and to prevent that data from being intercepted by malicious third parties. FaceTime calls are hosted by Apple and do not meet HIPAA encryption requirements. That means that patient communication may not be carried out via FaceTime, for risk of exposing their data to a potential breach.

In the interim, before Apple fixes this FaceTime bug, it is highly recommended that iPhone users disable FaceTime on their devices to protect their privacy.

Disclaimer: The Telebehavioral Health Institute (TBHI Telehealth.org) offers information as educational material designed to inform you of issues, products, or services potentially of interest. We cannot and do not accept liability for your decisions regarding any information offered. Please conduct your due diligence before taking action. Also, the views and opinions expressed are not intended to malign any organization, company, or individual. Product names, logos, brands, and other trademarks or images are the property of their respective trademark holders. There is no affiliation, sponsorship, or partnership suggested by using these brands unless contained in an ad. We do not and cannot offer legal, ethical, billing technical, medical, or therapeutic advice. Use of this site constitutes your agreement to TBHI Privacy Policy and Terms and Conditions.

William Cerniuk
2 years ago

Interesting article and incorrect.
HIPAA deals with the use of the data, not the technology. If the ability for anyone to listen in surreptitiously to a conversation was a **feature** rather than a bug, then FaceTime would be an inappropriate tool as it would be a *broadcast* tool, not a video conferencing tool. Again, HIPAA defines the end user usage of data parameters, not the technology parameters.
As it sits, HIPAA stipulates one technical criterion: data in transit must be encrypted. FaceTime was one of the first video telephony products to provide full end-to-end encryption with NIST certified FIPS 140-2 compliant encryption.

Marlene Maheu, Ph. D.
Reply to William Cerniuk
2 years ago

William,
Thank you for taking the time to correct our article.
