FaceTime & Telemedicine
Chris Apgar
CEO & President at Apgar and Associates, LLC | HIPAA Privacy & Security Compliance
Here's a Q&A regarding the use of FaceTime for telemedicine.
Q. Hello: We had a situation at our organization where our secure telemedicine system went down. The provider wanted to use FaceTime instead. I stated it could not be used because of the security standards. I am being challenged on my position. Will appreciate the feedback from this group. I have mentioned that we could have the patient sign a notice/authorization that using this technology (e.g., FaceTime) is not secure and they waive their right to the protection of their information.
A. FaceTime transmissions are encrypted, so from a security standpoint you're OK. You're not OK from a compliance standpoint, though. Apple has been reluctant to sign a BAA, and if any of the data from a FaceTime session is stored on Apple's platform, they would be a business associate. Given OCR's enforcement activity, not executing a BAA can be costly.
The only encryption exception noted in the Omnibus Rule and later in the HIPAA CLIA Rule preamble is email. FaceTime is not email, so there is no clear exception that would permit you to inform the patient of the dangers associated with the lack of encryption with any telemedicine app/service and get the patient to sign off on an unsecure transmission. Since FaceTime sessions are encrypted, this comes down to the execution of a BAA.
An alternative would be to use the business version of Skype that is part of the Office 365 platform. Before using Skype for Business, though, you need to make sure to sign Microsoft's available Office 365 business associate agreement.