FaceTime is HIPAA compliant and encrypted, could change the way physicians and patients communicate

Healthcare communication is changing rapidly: patients now routinely email their physicians, physicians connect with each other via mobile-based professional networks, and more. The introduction of Apple’s FaceTime video chat sparked excitement and discussion in the healthcare community about its possible use in telemedicine. However, many were wary about the associated patient privacy issues and HIPAA compliance.

It seems that this question has now been answered. According to Apple, calls made via FaceTime can be HIPAA-compliant with the appropriate security configuration. The news that this ubiquitous, free communications platform meets these rigorous standards has potentially wide implications for how patients, physicians, and others in healthcare communicate.

To be fair, it’s not quite as simple as opening FaceTime and calling your patient. The security configuration Apple refers to is WPA2 Enterprise, which provides an extra level of authentication when a device joins the wireless network. WEP does not provide the appropriate level of security, and WPA and WPA2 Personal settings are questionable. The FaceTime calls themselves are fully encrypted as well.

According to an email from Apple to ZDNet:

iPad supports WPA2 Enterprise to provide authenticated access to your enterprise wireless network. WPA2 Enterprise uses 128-bit AES encryption, giving users the highest level of assurance that their data will remain protected when they send and receive communications over a Wi-Fi network connection.

In addition to your existing infrastructure each FaceTime session is encrypted end to end with unique session keys. Apple creates a unique ID for each FaceTime user, ensuring FaceTime calls are routed and connected properly.
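Put in a defender’s terms, the distinction the article and Apple’s note draw is between Wi-Fi that authenticates each user or device (WPA2 Enterprise, i.e. 802.1X/EAP) and Wi-Fi that relies on a shared key or on nothing at all. The following is an added example, not code from the article or from Apple, that audits a wpa_supplicant configuration against that bar; the SSIDs and network blocks are constructed sample data.

```python
import re

# Constructed wpa_supplicant.conf fragment (sample data, not from the article):
# a WEP network, a WPA-Personal network and a WPA2-Enterprise network.
SAMPLE_CONF = """
network={
    ssid="clinic-legacy"
    key_mgmt=NONE
    wep_key0="0123456789"
}
network={
    ssid="clinic-staff"
    key_mgmt=WPA-PSK
    proto=WPA
    psk="correct horse battery staple"
}
network={
    ssid="clinic-ehr"
    key_mgmt=WPA-EAP
    proto=RSN
    eap=TLS
}
"""

def parse_networks(conf):
    """Return one {key: value} dict per network={...} block (quotes stripped)."""
    return [dict((k, v.strip('"')) for k, v in re.findall(r"^\s*(\w+)=(.*?)\s*$", body, re.M))
            for body in re.findall(r"network=\{(.*?)\}", conf, re.S)]

def classify(net):
    """Map a network block to the categories the article uses. wpa_supplicant
    accepts both WPA and RSN (WPA2) when proto= is omitted, so only an explicit
    proto=RSN (alias WPA2) is treated as WPA2-only."""
    mgmt = set(net.get("key_mgmt", "NONE").split())
    protos = set(net.get("proto", "WPA RSN").replace("WPA2", "RSN").split())
    wpa2_only = protos == {"RSN"}
    if "WPA-EAP" in mgmt:                          # 802.1X/EAP: per-user authentication
        return "WPA2-Enterprise" if wpa2_only else "WPA-Enterprise"
    if "WPA-PSK" in mgmt:                          # one shared passphrase for everyone
        return "WPA2-Personal" if wpa2_only else "WPA-Personal"
    if any(k.startswith("wep_key") for k in net):  # static WEP keys
        return "WEP"
    return "open"

def audit(conf):
    """(ssid, category, acceptable) per network; only WPA2-Enterprise passes."""
    return [(n.get("ssid", "?"), c, c == "WPA2-Enterprise")
            for n in parse_networks(conf) for c in [classify(n)]]
```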

FaceTime has numerous potential applications in healthcare. Simple applications include a primary care provider communicating with his or her patients or a hospitalist checking in with a patient when they can’t get to the room. It also opens the door to more complex apps utilizing the iPad and iPhone 4 forward-facing cameras as part of telemedicine systems.

This is favorable from a financial standpoint, since only HIPAA-compliant devices are eligible for government grants. As such, the iPad may now find further use in telemedicine programs, particularly those seeking to back up their interventions with data. With the prospect of increased federal funding and the growing popularity of telemedicine, the timing of this announcement could prove to be particularly fortuitous.

One interesting question, particularly in light of the recent FDA meeting, is what kind of regulatory attention this may attract for FaceTime. Intended use, a heavily debated topic at that meeting, could prove to be particularly complex here – a consumer app with healthcare applications that are, to some extent, being promoted by Apple.

FaceTime has the potential to broaden the exchange of information among physicians, provide greater convenience to patients, and improve the quality of patient care. The assurance of a secure connection may prompt more physicians to adopt iPads in practice for communication as well as other uses, though it may be prudent to await confirmation from a regulatory body.




Brittany Chan


15 Responses to FaceTime is HIPAA compliant and encrypted, could change the way physicians and patients communicate

  1. encryption September 27, 2011 at 10:20 pm #

    The data, once it leaves your wifi and goes over the internet, is not encrypted, and it is Apple to Apple only. If I am using a Lifesize or Polycom device, it can’t talk to it. It does not register as a SIP or H.323 endpoint in an enterprise network setting, so now you have NAT issues to deal with along with QoS problems, etc… So as long as I am Apple to Apple and willing to have all my video, even internal-to-internal conversations, go out to the cloud unencrypted (post my wifi)…

    • Doug May 1, 2012 at 9:32 pm #

      I don’t foresee the H.323 endpoint as a necessity as hospitals migrate away from expensive dedicated networks towards secure “off the shelf” devices. It would be relatively simple to resolve encryption over the web if they haven’t already (we’re already seeing that done with several compliant vendors).
      The component I don’t understand with FaceTime is how auditors can ensure that the far side (patient) is compliant when, according to Apple, “calls made via FaceTime can be HIPAA-compliant with the appropriate security configuration.” If they are using a token that is only issued when both ends are compliant, then go to town (once to back-end to audit such visits suffices).

      • Jeremy October 29, 2012 at 8:18 pm #

        I share your confusion. If FaceTime itself is encrypted, why on earth should it matter whether or not your WiFi meets the required standards? In theory, you should be able to securely FaceTime over a WiFi hotspot at Starbucks without worrying.

    • Jeremy October 29, 2012 at 8:15 pm #

      You should read the article above more carefully. Apple specifically stated: “each FaceTime session is encrypted end to end with unique session keys.” In other words, once it leaves your wifi, the conversation is encrypted and viewable only to its intended recipient.

  2. Wayne Coburn October 7, 2011 at 12:35 pm #

    There is no way I’m going to sit around and wait for my doctor to give me a call 90+ minutes late. At least when you’re sitting in the examination room you can always stick your head out and ask what is going on.

    • Kay Jennings March 31, 2014 at 7:52 am #

      If I don’t see my patients within 10 minutes of their scheduled time, I have a problem!! You should think about finding a practice that values timeliness!

  3. Jeremy Green February 13, 2013 at 4:55 pm #

    All our telemedicine video streams are run over our HIPAA compliant server. HIPAA compliance is just the type of security level of the server passing data…

  4. Leong Ng March 11, 2013 at 5:54 pm #

    @Wayne, you have a point, but as doctors we do have issues with people not missing their appointment or turning up late etc., and insisting on being seen next, thus disrupting everything. Telehealth, which I practise in Australia, faces the same old problems: doctors and patients connecting late, or doctors using their ill-informed receptionists to set up all aspects of the video consult, including the tech bits.

    I too, as a specialist, can be waiting in frustration for a prolonged time and sometimes not having a video consult at all! An agreed protocol and a code of practice need to be in place. As I am in private practice, I set my own ‘rules’. If patients want my service, they abide by these guidelines; deviations may be tolerated up to a certain point… www.drlng.com

    I am happy to report that FaceTime is my preferred platform as a non third party platform with VPN connections on both sides and this works very well for us. FT is simple and effective but not every person has an Apple device.
