Is FaceTime HIPAA Compliant? No — And the COVID Exception Is Over

Last updated: March 21, 2026

TLDR

FaceTime is not HIPAA compliant. Apple does not offer a Business Associate Agreement for FaceTime on any account type — personal, business, or enterprise. OCR's COVID-19 enforcement discretion that temporarily allowed non-public-facing video platforms like FaceTime for telehealth ended May 11, 2023. Any telehealth visit involving PHI conducted over FaceTime after that date is a HIPAA violation. Patients preferring FaceTime does not change the compliance status. Switch to a platform that signs a BAA.

FaceTime is not HIPAA compliant. This is not a gray area.

Apple does not sign a Business Associate Agreement for FaceTime — not for personal accounts, not for Apple Business accounts, not for enterprise deployments. Because HIPAA requires a BAA with every vendor that handles PHI, and because Apple will not sign one for FaceTime, there is no configuration or account type that makes FaceTime usable for telehealth involving patient information.

What the COVID Exception Actually Was

During the COVID-19 pandemic, HHS Office for Civil Rights (OCR) exercised enforcement discretion that allowed covered healthcare providers to use non-public-facing video communication technologies for telehealth without risk of HIPAA penalties. The notice, issued March 17, 2020, explicitly listed FaceTime among the platforms that could be used during this period.

This was enforcement discretion — not a rule change. OCR was choosing not to penalize providers for a specific violation under specific circumstances. The underlying HIPAA requirement did not change. FaceTime still lacked a BAA throughout this period. OCR was simply declining to act on it during the public health emergency.

The enforcement discretion ended May 11, 2023, when the COVID-19 public health emergency ended. OCR issued advance notice of the end date to give providers time to transition to compliant platforms.

Any telehealth visit conducted over FaceTime after May 11, 2023, falls outside the enforcement discretion. The BAA requirement applies in full.

Apple’s Business Programs Do Not Help

Some practices have asked whether Apple Business Connect, Apple Business Essentials, or enterprise Apple device management programs change FaceTime’s compliance status.

They do not. None of Apple’s business programs include a HIPAA BAA for FaceTime. The platform does not have a healthcare compliance pathway. This is Apple’s choice — they have not pursued it, likely because the consumer use case and FaceTime’s architecture do not align with the documentation and security configuration requirements that signing a BAA entails.

No amount of MDM configuration, Apple Business enrollment, or enterprise licensing changes the fundamental problem: Apple will not sign the BAA.

Why Patient Preference Does Not Change the Analysis

Patients often prefer FaceTime for telehealth. It is already on their phone, they know how to use it, and it works reliably. This is a legitimate operational consideration — patient friction with new tools affects appointment completion rates.

It does not change the legal requirement.

HIPAA’s BAA requirement exists to protect patients. The regulation does not include a patient-preference exception. A patient preferring FaceTime is analogous to a patient preferring that their records not be locked — the preference does not override the protection requirement.

The practical answer for patients: most HIPAA compliant alternatives impose less friction than practices expect. Doxy.me, for example, is entirely browser-based. Patients receive a link, click it, and join the video call in their browser. No download. No account creation. The experience is close to following a link in a text message, which most patients already do for appointment reminders.

The OCR Enforcement Discretion Timeline

For practices that used FaceTime during the COVID period and want clarity:

  • March 17, 2020: OCR issues enforcement discretion notice. FaceTime, standard Zoom, Skype, Google Hangouts allowed for telehealth.
  • May 11, 2023: Enforcement discretion ends with the COVID-19 public health emergency. Standard HIPAA BAA requirements fully resume.
  • Today: No active discretion or exception. FaceTime for telehealth is a violation.

For visits conducted between March 17, 2020, and May 11, 2023, the enforcement discretion provides protection. For visits after May 11, 2023, it does not. OCR has not provided blanket amnesty for post-discretion period violations.

Compliant Alternatives

The three most practical replacements for FaceTime in small practice settings:

Doxy.me provides a BAA on all plans including the free tier. Patients join via browser link — no app required. For solo practitioners and small practices doing straightforward one-on-one video visits, this is the lowest-friction compliant option.

Zoom for Healthcare is the right choice for practices where staff familiarity with Zoom is important or where group video sessions are needed. Verify the contract explicitly says “Zoom for Healthcare” — standard Zoom plans do not include a BAA.

SimplePractice is the right choice for therapy and mental health practices that want telehealth bundled with scheduling, notes, and billing under one BAA.

A full comparison of these platforms with pricing, pros and cons, and feature differences is at /resources/best/hipaa-compliant-telehealth-platforms.

The One-Sentence Answer

Apple does not sign a HIPAA BAA for FaceTime, the COVID enforcement discretion that temporarily allowed it ended May 11, 2023, and there is no workaround — switch to a platform that signs the BAA.

DEFINITION

Business Associate Agreement (BAA)
A written contract required by HIPAA between a covered entity and a vendor that creates, receives, maintains, or transmits protected health information on the entity's behalf. The BAA requires the vendor to use appropriate safeguards and report breaches. A covered entity cannot use any third-party service for PHI without a signed BAA — no exceptions.

DEFINITION

OCR Enforcement Discretion
A formal decision by HHS Office for Civil Rights to temporarily refrain from imposing HIPAA penalties for specific violations under defined circumstances. Enforcement discretion is not a rule change or waiver — it is prosecutorial restraint. It applies only during the defined period and to the defined circumstances. OCR can still investigate and impose penalties for violations outside those bounds.

DEFINITION

Covered Healthcare Provider
Any healthcare provider that transmits health information in electronic form in connection with a HIPAA-covered transaction. This includes physicians, nurses, psychologists, dentists, chiropractors, pharmacies, and other healthcare providers regardless of practice size. Solo practitioners are covered entities if they submit electronic claims or otherwise transmit PHI electronically.

DEFINITION

Non-Public-Facing Video Platform
OCR's term during the COVID enforcement discretion period for video applications that are not open to the general public — meaning they have authentication controls rather than allowing anyone to join without credentials. FaceTime, standard Zoom, Skype, and Google Hangouts were listed as examples. This category no longer provides HIPAA protection following the end of enforcement discretion.

Q&A

Is FaceTime HIPAA compliant for telehealth?

No. FaceTime is not HIPAA compliant for telehealth. Apple does not sign a Business Associate Agreement for FaceTime on any account type. OCR's COVID-era enforcement discretion that temporarily allowed FaceTime for telehealth ended May 11, 2023. Using FaceTime for patient visits involving PHI after that date is a HIPAA violation.

Q&A

When did the FaceTime telehealth exception end?

OCR's COVID-19 enforcement discretion, which allowed the use of non-public-facing video platforms like FaceTime for telehealth without HIPAA penalties, ended May 11, 2023, coinciding with the end of the COVID-19 public health emergency. There is no active exception or discretion period that permits FaceTime for telehealth today.

Q&A

What should I use instead of FaceTime for HIPAA compliant telehealth?

Switch to a platform that provides a signed HIPAA BAA. Doxy.me offers a BAA on its free plan and requires no patient app download. Zoom for Healthcare includes an explicit BAA for providers already familiar with Zoom. SimplePractice bundles telehealth with a BAA for mental health and therapy practices. See the full comparison at /resources/best/hipaa-compliant-telehealth-platforms.

Want to learn more?

Is FaceTime HIPAA compliant?
No. Apple does not sign a Business Associate Agreement for FaceTime. Without a BAA, no covered entity can legally use FaceTime for telehealth involving protected health information. This applies to all Apple account types — there is no enterprise or business tier of FaceTime that changes this.

Was FaceTime ever allowed for telehealth?
During COVID-19, OCR exercised enforcement discretion starting March 17, 2020, that allowed covered healthcare providers to use non-public-facing video communication technologies — including FaceTime, Zoom (standard), Skype, and Google Hangouts — for telehealth without imposing HIPAA penalties. This discretion explicitly ended on May 11, 2023, when the COVID-19 public health emergency ended.

What happens if I used FaceTime for telehealth during COVID?
For telehealth conducted between March 17, 2020, and May 11, 2023, OCR's enforcement discretion provided protection from penalties. Visits conducted after May 11, 2023, are not protected by that discretion. OCR has not issued blanket amnesty for post-discretion period violations.

Can Apple Business Connect or Apple Business Essentials make FaceTime HIPAA compliant?
No. Neither Apple Business Connect nor Apple Business Essentials includes a HIPAA BAA for FaceTime. Apple has not offered a BAA for FaceTime through any of its business programs. The product simply does not have a compliance pathway for healthcare use.

My patients prefer FaceTime — what do I tell them?
Patient preference does not override the BAA requirement. Explain to patients that your practice uses a HIPAA compliant video platform because their health information is protected that way. Most compliant alternatives (Doxy.me, Zoom for Healthcare) require no app download and work in any browser, which removes much of the friction patients associate with non-FaceTime alternatives.

What is the right alternative to FaceTime for telehealth?
Doxy.me offers a free plan with a BAA and requires no patient app download — patients join via a browser link. Zoom for Healthcare includes an explicit BAA for providers already in the Zoom ecosystem. SimplePractice bundles telehealth with a BAA for therapy practices. Any of these replaces FaceTime with a compliant option.