Is FaceTime HIPAA Compliant for Medical Clinics?
Apple does not sign Business Associate Agreements for FaceTime. Clinics considering FaceTime for telehealth or care coordination need to understand the compliance gap before any patient call.
Short answer
FaceTime is not a HIPAA-compliant telehealth or communication tool. Apple does not execute Business Associate Agreements for FaceTime, and the platform does not provide the audit controls or access management that the HIPAA Security Rule requires for ePHI transmission.
Verdict: No
FaceTime is not HIPAA compliant. Apple does not sign Business Associate Agreements for FaceTime. That single fact disqualifies it for any clinical use that involves PHI, regardless of how the call is framed or what information is discussed.
The COVID-era exception is over
During the COVID-19 public health emergency, HHS OCR issued a notice of enforcement discretion allowing covered entities to use certain consumer-grade video platforms — including FaceTime — for good-faith telehealth without facing OCR penalty. That discretion expired in May 2023 when the public health emergency ended.
Clinics that continued using FaceTime for patient care after May 2023 without a BAA are out of compliance. There is no current enforcement discretion that covers FaceTime use.
What the Security Rule requires from a video tool
Under 45 CFR § 164.312, covered entities must implement technical safeguards that include:
- Access control. Unique user identification and mechanisms to limit access to ePHI.
- Audit controls. Hardware, software, or procedural mechanisms that record and examine activity in systems containing ePHI.
- Transmission security. Technical measures to guard against unauthorized access to ePHI transmitted over networks.
- Integrity controls. Measures to confirm ePHI is not improperly altered or destroyed.
FaceTime provides encryption in transit — handling the transmission-security component — but it does not expose audit logs to covered entities, does not provide access control infrastructure, and cannot be administered to meet the HIPAA administrative safeguard requirements at 45 CFR § 164.308.
Apple’s position
Apple’s public documentation and terms of service do not include BAA provisions for FaceTime or position the service as a healthcare-compliant tool.
Apple does execute Business Associate Agreements for some enterprise Apple products. FaceTime is not among them.
What to use for clinic video calls
HIPAA-compliant video requires a vendor that:
- Executes a signed BAA with the clinic
- Provides audit logs accessible to the covered entity
- Offers access controls by role
- Documents security measures in writing
The risk of relying on the COVID exception
A clinic that adopted FaceTime during the COVID-19 public health emergency and did not remove it from clinical workflows after May 2023 is now operating with a tool that is not covered by a BAA. The enforcement discretion was published as a temporary measure, with HHS explicitly noting it would expire. Its expiration was publicly announced and does not constitute a gray area.
If a clinic used FaceTime for patient encounters after May 11, 2023, it should assess whether those encounters constitute reportable breaches under 45 CFR § 164.402. A breach risk assessment should document the likelihood that PHI was accessed by unauthorized persons, considering the nature of FaceTime’s encryption and Apple’s data practices.
Checklist for replacing FaceTime in a clinical workflow
When evaluating a compliant video replacement, confirm the following before routing patient calls through the platform:
- BAA. Request and execute the BAA before the first patient call. Keep a signed copy in the clinic’s vendor records.
- Session audit logs. The platform must log call participants, start and end times, and session identifiers. Confirm these logs are accessible to the clinic.
- Access controls. Confirm that only authorized staff can initiate or join clinical video sessions. Role-based restrictions should prevent unauthorized access.
- Waiting room or equivalent. The platform should allow clinical staff to control when a patient enters a session to prevent unauthorized joiners.
- Data residency. Confirm where session data and any recordings are stored, and that the storage location is covered under the BAA.
What to use instead of FaceTime
Clinics that need HIPAA-compliant video for patient telehealth or care coordination must use a purpose-built platform that signs a BAA, provides session-level audit logs, and offers access controls by role. See best HIPAA-compliant secure messaging for evaluated communication alternatives, and review HIPAA-compliant telehealth platforms for vendor evaluation criteria.
PHIGuard commercial baseline
PHIGuard uses flat per-clinic pricing rather than per-user fees. A Business Associate Agreement is included on every public plan. The primary trial path is a 30-day free trial with no credit card required. See current PHIGuard pricing for plan names, monthly list prices, annual totals, and current launch details.