Apple FaceTime, Telemedicine, and HIPAA

Doctors want to provide the best care for their patients. Being able to check in with patients more frequently, and in a meaningful way, helps them provide that care. Many providers in small practices are interested in telemedicine.

Can you use FaceTime for telemedicine?

I wouldn’t and I want to show how I formed that choice. It’s largely due to three reasons:

1. There is no central management or accountability for FaceTime

The only management or accountability comes from the owner of the FaceTime account. If you are thinking about how to manage an Apple ID, keep in mind that an Apple ID is not even required for FaceTime: on an iPhone it can be used with nothing more than a phone number.

No management means no policy enforcement. You can't enforce password requirements for a FaceTime account or Apple ID. You can't audit FaceTime account activity. You have no way to detect a compromised account or anomalous behavior.

2. Apple won’t sign a Business Associate Agreement

Apple will not sign a Business Associate Agreement (BAA) for their FaceTime service. There seems to be a misconception that Apple falls under the Conduit Exception Rule. The main article promoting this idea never tests the hypothesis on which it rests: that your FaceTime session is routed through Apple. In practice, FaceTime audio and video are not sent to Apple. Apple's servers handle the push notifications and call setup; the media itself is end-to-end encrypted and exchanged directly between the two endpoints. The Conduit Exception Rule therefore does not apply to Apple in this context. It would instead apply to the Internet Service Providers (ISPs) that your FaceTime session travels over, such as Time Warner, Level 3, etc. You can verify this yourself by capturing network traffic during a call and analyzing it in Wireshark or a similar tool. You will find that the notifications and coordination for FaceTime originate from Apple's address space (17.0.0.0/8), while the bulk of the session data is encrypted and flows between the two endpoints only. If you ever see the bulk of the bytes going to 17.0.0.0/8 instead, the call was being relayed and the "Apple is not in the path" reasoning above would need to be revisited.
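The capture check described above, as an added example that is not part of the original post. It assumes you export the capture with tshark (`tshark -r call.pcapng -Y ip -T fields -e ip.src -e ip.dst -e frame.len`) and know the local device's address; the sample lines and every address in them are constructed for illustration, not taken from a real call.

```python
import ipaddress
from collections import defaultdict

# Apple's IPv4 allocation, which the post identifies as the source of
# FaceTime push notifications and call setup traffic.
APPLE_NET = ipaddress.ip_network("17.0.0.0/8")

# Constructed sample in the shape of
#   tshark -r call.pcapng -Y ip -T fields -e ip.src -e ip.dst -e frame.len
# Device under test is 192.168.1.20; 203.0.113.45 stands in for the far-end
# peer. Hypothetical values, not a real capture.
SAMPLE_CAPTURE = """\
192.168.1.20\t17.57.146.20\t230
17.57.146.20\t192.168.1.20\t310
192.168.1.20\t17.57.146.20\t190
192.168.1.20\t203.0.113.45\t1180
203.0.113.45\t192.168.1.20\t1204
192.168.1.20\t203.0.113.45\t1190
203.0.113.45\t192.168.1.20\t1196
192.168.1.20\t203.0.113.45\t1175
203.0.113.45\t192.168.1.20\t1210
17.57.146.20\t192.168.1.20\t160
"""


def parse_tshark_fields(text):
    """Parse tab-separated (src, dst, frame length) lines into tuples.

    Only IPv4 rows are expected (tshark's -Y ip filter); blank lines are skipped.
    """
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        src, dst, length = line.split("\t")
        records.append((ipaddress.ip_address(src),
                        ipaddress.ip_address(dst),
                        int(length)))
    return records


def bytes_by_remote(records, local_ip):
    """Sum bytes exchanged with each remote address, in either direction."""
    local = ipaddress.ip_address(local_ip)
    totals = defaultdict(int)
    for src, dst, length in records:
        if src == local:
            totals[dst] += length
        elif dst == local:
            totals[src] += length
    return dict(totals)


def analyze(text, local_ip):
    """Split the local device's traffic into Apple (17/8) and peer bytes.

    The question the post asks is whether the media (the bulk of the bytes)
    goes to Apple or to the other endpoint, so the interesting number is the
    share of bytes that landed in Apple's address space.
    """
    totals = bytes_by_remote(parse_tshark_fields(text), local_ip)
    apple = sum(b for ip, b in totals.items() if ip in APPLE_NET)
    peer = sum(b for ip, b in totals.items() if ip not in APPLE_NET)
    total = apple + peer
    return {
        "apple_bytes": apple,
        "peer_bytes": peer,
        "apple_share": apple / total if total else 0.0,
        "peers": sorted(str(ip) for ip in totals if ip not in APPLE_NET),
    }


def media_relayed_via_apple(summary, threshold=0.5):
    """True if most of the call's bytes went to 17.0.0.0/8, i.e. Apple carried
    the media rather than just the signaling."""
    return summary["apple_share"] >= threshold


if __name__ == "__main__":
    result = analyze(SAMPLE_CAPTURE, "192.168.1.20")
    print(result)
    print("media relayed via Apple:", media_relayed_via_apple(result))
```

On the constructed sample, about 11% of the bytes go to 17.0.0.0/8 (small setup frames) and the rest go to the single non-Apple peer, which is the pattern the post describes. Run it against a real export from your own capture; a large share of bytes to 17/8 during the call is the signal that the media was relayed.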

Does this help the case of making Apple FaceTime HIPAA compliant? Yes and no. The whole “Apple falls under the conduit exemption rule” argument is moot but we still have the previous hurdle – which is a big one – to overcome. If it’s not possible to centrally manage FaceTime accounts, audit them, or apply policy to them, then count me out. This doesn’t pass the sniff test.

It also doesn’t get us past the fact that Apple will not sign a BAA for FaceTime.

3. FaceTime leads to Apple IDs, Apple IDs lead to iCloud, iCloud leads to the dark side

Have you ever asked for trouble? Using iCloud in a HIPAA environment is just that. iCloud has many storage features such as iCloud Drive and Photos – none of which are HIPAA compliant. If you have an iCloud account it’s insanely easy to accidentally enable these features. What I would really like is a way to manage or restrict Apple IDs and iCloud features for use in the enterprise. I do not anticipate Apple having these. Ever.

As an administrator I wouldn’t want to inadvertently encourage or endorse the use of iCloud accounts in a HIPAA environment. I love using my personal iCloud account for contacts, calendars, and other features. In the medical environment iCloud accounts should be avoided.

Compliance is not security

Let's get something straight: compliance and security are two completely different things. This post lists why I would not recommend FaceTime, and the problems I have with it are not technical in nature. FaceTime appears to be very secure; it is just not HIPAA compliant.

I use and recommend FaceTime for personal calls and video chats. I would not use it for telemedicine.

Am I willing to change my mind?

Absolutely. I would want support from legal in the form of review and approval of FaceTime in a HIPAA setting and from Apple by accepting and signing a BAA.

Final Thoughts

I believe that you take on an unfair amount of risk by using FaceTime for telemedicine. My hangups largely have to do with accountability and management, not with the technology or the security measures used. If Apple would sign a BAA, or if the issue were reviewed by legal counsel familiar with HIPAA and given the thumbs-up, I would recommend its use for telemedicine.

It’s worth noting that the U.S. Department of Veterans Affairs (VA) approved the use of FaceTime with constraints. The constraint in question:

Users should check with their supervisor, Information Security Office (ISO) or local OIT representative for permission to download and use this software.

From http://www.va.gov/trm/ToolPage.asp?tid=7953

I would not grant that permission and I would not look to the VA for HIPAA compliance guidance. (See Privacy Violations Rising At Veterans Affairs Medical Facilities and Few Consequences For Health Privacy Law’s Repeat Offenders.)
