FaceTime HIPAA Privacy Concerns
Apple’s FaceTime has recently been revealed to contain a major bug that significantly impacts the privacy of iPhone users everywhere. Among these concerns are issues specifically regarding FaceTime and HIPAA compliance for health care providers across the country.
The FaceTime bug allows callers to hear audio picked up by the recipient’s phone before they have accepted or declined the call. That means that regardless of whether a FaceTime call is answered or not, the caller can eavesdrop on anything picked up by the microphone within the recipient’s phone.
Apple has already stated that they are looking for a fast solution to this major privacy issue. However when it comes to HIPAA compliance concerns, even a solution from Apple does not eliminate potential HIPAA privacy and security violations.
HIPAA Compliant FaceTime?
For telehealth professionals who rely on third-party telehealth communications platforms to treat patients, using FaceTime or similar videochat clients may seem enticing.
Simply put, FaceTime is not HIPAA compliant and using it in a setting where telehealth or telebehavioral health professionals are treating clients is a major violation of federal regulation.
HIPAA regulation demands that providers contracting with vendors must execute a contract known as a business associate agreement before any health information can be shared, exchanged, or transmitted via their services. Business associate agreements serve a few purposes. The first, is to ensure that the entity with which a provider choses to do business is HIPAA compliant, with all the necessary security standards in place to safeguard health information. And the second is to actually protect the provider from liability in the event of a data breach that is caused by a vendor–which is exactly what this FaceTime bug illustrates.
Apple is notorious for refusing to sign business associate agreements with providers, meaning there is no way to use their services to communicate with patients and maintain HIPAA compliance.
Additionally, any time a patient is communicated with in an electronic manner, the means of communication must be encrypted. HIPAA encryption helps to protect data that is being transferred between parties and to prevent that data being intercepted by malicious third-parties. FaceTime calls are hosted by Apple and do not meet HIPAA encryption requirements. That means that patient communication may not be carried out via FaceTime for risk of exposing their data to a potential breach.
In the interim before Apple fixes this FaceTime bug, it is highly recommended that iPhone users disable Facetime on their devices to protect their privacy.
If you need assistance with HIPAA compliance, consider working with our TBHI affiliate, the HIPAA Compliancy Group. (When you purchase services from them, TBHI will be paid a small commission.) They can help you support your HIPAA compliance with The Guard®. The Guard is a web-based HIPAA compliance solution, built by former auditors to help simplify compliance. The Guard is built to address the HIPAA regulations, including guided walkthroughs of HIPAA Risk Assessments. With The Guard, you can focus on running your practice while keeping your patients’ data protected and secure.Compliancy Group’s team of expert Compliance Coaches® can also field questions and guide you through the implementation process, taking the stress out of managing compliance. Find out more about how Compliancy Group and the HIPAA Seal of Compliance® can help simplify your HIPAA compliance today!
Ransomware hackers attack smaller healthcare practices daily, creating serious data breaches and HIPAA violations. Are you and your clients/patients vulnerable, too?
Managing social media use and HIPAA compliance can lead to some of the most common misunderstandings faced by healthcare providers. Improperly trained employees can expose your organization to HIPAA violations and costly fines!
Disclaimer: The views and opinions expressed in the article and on this blog post are those of the authors. These do not necessarily reflect the views, opinions, and position of the Telebehavioral Health Institute (TBHI). Any content written by the authors are their opinion and are not intended to malign any organization, company or individuals.