HIPAA compliant telehealthAs more providers turn to telehealth, they are looking to new technologies. Since many providers weren’t previously offering telehealth services they have opted for an easy solution, using their iPhones to conduct sessions. The downside to using any mobile phone for telehealth is that iPhone screens are relatively small, making it difficult to use for an extended period of time. The visual and emotional strain of connecting with, understanding, and working with a clinical population on such a limited screen can quickly lead to zoom fatigue and burnout. See Zoom Fatigue: What You Can Do About It.

As discussed in Should I Use My iPhone for Telehealth?  tools such as Apple AirPlay allow iPhone users to “mirror” their screen so that they can view their phone screen on a larger TV screen. However, before using any technology, healthcare providers must ensure that its use is HIPAA compliant. HIPAA compliant telehealth and Apple AirPlay are discussed below. 

HIPAA Compliant Telehealth: Apple TV Security Configurations

To use Apple AirPlay, users need to purchase an Apple TV. An Apple TV is a relatively inexpensive device that connects to a user’s regular TV via an HDMI cable. With an Apple TV, iPhone users can project their phone screen (“mirror”) onto their TV screen. To be able to use the AirPlay feature, users must connect their Apple TV and iPhone to the same wifi connection.

For more information on how to use AirPlay, please click here.

To prevent unauthorized users from accessing AirPlay, users need to enable certain security settings within the Apple TV device. The following security configurations can be enabled for an Apple TV using tvOS 11 or later for HIPAA compliant telehealth.

  • Choose who can AirPlay to the Apple TV

Go to Settings > AirPlay. There are several options listed for how to choose who connects to Apple TV. These include Everyone, Anyone on the Same Network, Only People Sharing This Home, or Require Password. For HIPAA compliant telehealth, users should select the Require Password option.

  • Security type

Under AirPlay > Security > Require Code, users can select when a password is required. The options include None, Passcode Once, Passcode Always, and Password. For HIPAA compliant telehealth, users should Password or Passcode Always.

  • Set password

To set a password, select Settings > AirPlay > Set Password. Passwords should use a combination of uppercase, lowercase, numbers, and symbols for increased security.

  • AirPlay codes

In addition to a password, users can also implement AirPlay codes. An AirPlay code randomly generates a 4 digit code on the TV screen that the Apple TV is connected to. To be able to use AirPlay, users have to enter the code on the TV screen on their iPhone. To enable this setting select Settings > AirPlay > Onscreen Code.

HIPAA Conduit Rule and Business Associate Agreements

Apple has stated that it will not sign a business associate agreement (BAA) with its healthcare clients. Generally, service providers are required to sign BAAs with their covered entity clients. However, there is an exception to this requirement. The HIPAA Conduit Exception Rule applies to service providers that cannot be considered business associates since they don’t have any way of accessing or storing electronically protected health information (ePHI) transmitted through their platform.
The Department of Health and Human Services states:

We do not require a covered entity to enter into a business associate contract with a person or organization that acts merely as a conduit for protected health information A conduit transports information but does not access it other than on a random or infrequent basis as may be necessary for the performance of the transportation service, or as required by law. Since no disclosure is intended by the covered entity and the probability of exposure of any particular protected health information to a conduit is very small, we do not consider a conduit to be a business associate of the covered entity.

As AirPlay does not access ePHI, Apple is considered a conduit in this case, and therefore can be used for HIPAA compliant telehealth without the need for a BAA.