Using FaceTime for therapy sessions might actually be HIPAA compliant

With so many therapists and clients owning iPhones, some therapists have started experimenting with doing sessions via Apple’s FaceTime videoconferencing. While Apple does not provide a Business Associate Agreement (typically required under HIPAA) for use of FaceTime, there is an interesting legal argument that suggests FaceTime may still be safe for therapists to use.

HIPAA contains a small exception, called the Conduit Exception, that was intended to protect companies like your cell phone provider and your internet service provider. In a technical sense, these companies do transmit protected health information on your behalf, which would bring them under HIPAA’s authority. However, these companies do not store or maintain any protected health information on your behalf. They merely carry it from one point to another. For this reason, they can be considered conduits, and not business associates, under HIPAA’s definitions.

Since FaceTime provides end-to-end encryption, and creates a peer-to-peer connection (don’t worry if you don’t know the technical definitions of these terms), there is no way for Apple to decrypt the data going from one end of a FaceTime connection to the other. Even if they wanted to gather and store the content of your FaceTime calls, they couldn’t. In this way, Apple appears to be a simple data conduit – and thus you would not need to get a BAA to use FaceTime for client sessions.

Bear in mind here that no particular platform, in and of itself, is HIPAA compliant. It is the health care providers using technology who can be compliant or non-compliant. So a platform like FaceTime, which seems as though it could be used in a HIPAA-compliant manner, could still also be used in a non-compliant manner, depending on how you used it. The fact that it’s a secure platform would not matter much if you were conducting sessions from a Starbucks, where other customers could see and hear the conversation. That wouldn’t be compliant with HIPAA, regardless of what software you were using.

Interestingly, some of the same arguments in favor of FaceTime could also be applied to iMessage, which similarly uses strong encryption. But Apple stores those encrypted messages on its servers temporarily until your devices download them. So it would be at least a little tougher to make a case for the Conduit Exception applying there.

Ed note: This post is a lightly-edited excerpt from Basics of California Law for LMFTs, LPCCs, and LCSWs. Just a reminder: We’re therapists around here, not lawyers or computer cryptography experts. It’s always good when weighing such questions for your own practice to consult with people who are. Here’s a more technical analysis that comes to the same conclusion I reached.