Is FaceTime HIPAA Compliant?

September 11, 2025
FaceTime is everywhere these days – built right into iPhones, iPads, and Macs – making it incredibly easy to hop on a video call with friends, family, or even colleagues. Its convenience and simplicity have made it a go-to option for everything from casual conversations to virtual job interviews.
But when we shift into the world of healthcare, where patient privacy is strictly protected, ease of use isn’t enough. In 2023, over 100 million individuals were affected by healthcare data breaches, underscoring why providers must carefully choose telehealth tools. That’s where a big question arises: Is FaceTime compliant with HIPAA regulations?
In this guide, we’ll break down everything healthcare providers need to know about using FaceTime in a clinical setting. We’ll look at what HIPAA expects from video communication tools, why Business Associate Agreements (BAAs) are non-negotiable, what Apple’s position is, and whether FaceTime can be safely used for telehealth today.
What HIPAA Requires for Video Communication
When healthcare professionals connect with patients over video, they’re often discussing Protected Health Information (PHI), which can include anything from medical conditions and treatment plans to billing details. Consider a therapist who uses a free video app without encryption: if a third party intercepts the connection during a session, then without end-to-end encryption the provider has no way to prove that patient privacy was protected – a clear HIPAA violation. HIPAA lays out specific guidelines to ensure this type of data stays private and secure.
To meet HIPAA standards, a video communication platform must offer:
- End-to-end encryption to prevent unauthorized access to the conversation.
- Access controls such as strong passwords and limited user permissions.
- Audit logs that track who accessed data, when, and how.
- Integrity controls to prevent the accidental or malicious alteration of PHI.
- A signed Business Associate Agreement between the provider and the video platform vendor.
These elements work together to make sure PHI stays protected at every stage.
Why Business Associate Agreements Matter
The Business Associate Agreement (BAA) is one of the most crucial parts of HIPAA compliance. It’s a legal document that outlines how a third-party service provider will protect PHI. If a company may have any access to PHI – even indirectly – a BAA must be in place.
Here’s where FaceTime falls short: Apple does not sign BAAs for FaceTime, as confirmed by sources like the HIPAA Journal. That alone makes FaceTime unsuitable for most HIPAA-regulated environments, no matter how secure the platform may seem from a tech standpoint.
Is FaceTime Secure from a Technical Standpoint?
Technically speaking, FaceTime does offer end-to-end encryption, which means your call is protected from eavesdropping – even Apple can’t listen in. On the surface, that sounds ideal for confidential conversations.
However, HIPAA compliance requires more than just encryption. Reports from sources like iFax reveal that FaceTime stores metadata, such as timestamps and contact information. Depending on the context, this metadata could be considered PHI.
The bigger issue? FaceTime doesn’t provide audit trails or allow healthcare providers to manage or monitor this metadata. So, while FaceTime may be secure enough for general use, it doesn’t provide the level of control and documentation needed in healthcare.
Does FaceTime Qualify for the Conduit Exception?
Some providers have argued that FaceTime falls under the “conduit exception,” which allows certain service providers (like internet providers or phone companies) to transmit PHI without needing a BAA. But this is a risky assumption.
To meet the definition of a conduit, a service must only transmit information – not store, modify, or access it in any way. Because FaceTime retains metadata and gives healthcare providers no way to control or review it, it fails this narrow definition and therefore requires a BAA when used in healthcare.
This is echoed by industry sources like Best Medical Billing, which confirms: FaceTime does not qualify as a conduit. And because Apple still won’t sign a BAA, the use of FaceTime in HIPAA-covered settings remains out of bounds.
The COVID-19 Exception: What Changed and What Didn’t
During the COVID-19 pandemic, the Department of Health and Human Services (HHS) temporarily relaxed HIPAA enforcement rules. This allowed healthcare providers to use popular video apps – including FaceTime – to deliver care, even if those platforms weren’t fully HIPAA-compliant.
This emergency policy was meant to expand access to care during an unprecedented time, but it was always intended to be temporary. According to HHS.gov, the enforcement discretion officially ended in 2023. That means HIPAA rules are now back in full effect, and FaceTime no longer qualifies under the relaxed standards. Providers who relied on FaceTime during the pandemic need to transition to compliant platforms now – citing the COVID exception as justification will no longer hold up under OCR scrutiny.
Can You Use FaceTime for Telemedicine Today?
As of today, the answer is clear: No, you generally shouldn’t use FaceTime for telemedicine.
Despite its convenience and encrypted technology, FaceTime misses the mark on several HIPAA requirements:
- Apple refuses to sign BAAs
- There are no audit logs
- User access controls are limited
- Metadata is stored with no provider oversight
- The platform doesn’t integrate with Electronic Health Record (EHR) systems
There may be rare exceptions, such as within certain government agencies like the Department of Veterans Affairs (VA), which may have their own security frameworks. But for most providers, especially in private practice or hospital systems, FaceTime does not meet compliance requirements.
What’s at Stake? The Risks of Using FaceTime in Healthcare
It might be tempting to use FaceTime for quick patient check-ins, especially since it’s readily available and free. But doing so comes with serious risks. Could you prove compliance if audited? Could you produce audit logs, BAAs, and access records? If not, FaceTime won’t protect you legally, however secure it feels technically.
HIPAA isn’t just about preventing data breaches – it’s also about being able to prove that your systems, vendors, and internal policies meet the law’s privacy and security requirements.
If your organization uses FaceTime and there’s a complaint or breach, you could face:
- Hefty fines from HHS for non-compliance
- Investigations prompted by patient complaints
- Loss of trust from your patients and community
- Potential lawsuits or regulatory audits
In short, using non-compliant tools like FaceTime could cost you far more than the time saved on setup.
HIPAA-Compliant Alternatives to FaceTime
The good news is that plenty of video platforms are built with HIPAA compliance in mind. These services offer all the features FaceTime lacks – plus more tools that make virtual care easier and more efficient:
- Zoom for Healthcare – Comes with a BAA, audit logs, encryption, and user role management
- Doxy.me – Simple, browser-based, no downloads required
- VSee – Ideal for both solo practitioners and larger care teams
- Updox – Combines video calls, messaging, and appointment scheduling
- TheraNest – Tailored for behavioral health, including integrated notes and billing tools
Not only do these platforms keep you compliant, but many also connect directly with EHRs and offer patient check-in queues, making your workflow smoother.
Best Practices to Ensure HIPAA-Compliant Telehealth
Choosing a compliant platform is only the first step. To stay on the right side of HIPAA, it’s essential to build strong privacy practices into your entire telehealth routine:
- Always use password-protected devices
- Secure your Wi-Fi connections – both at work and at home
- Train your staff regularly on HIPAA, phishing, and patient privacy
- Get patient consent before every video session
- Review audit logs to monitor access
Security isn’t a one-time task – it should be part of your day-to-day operations.
Other Things You Need to Consider for Full HIPAA Compliance
HIPAA compliance is about more than the video platform you use. It’s about creating a complete ecosystem that supports patient privacy across all channels.
Here are some additional pieces you’ll need to think about:
- Work only with vendors who sign BAAs
- Encrypt your cloud storage and devices
- Grant access based on specific job roles and responsibilities
- Keep all software and hardware up to date
- Maintain clear, written telehealth policies and review them annually
Final Thoughts: Is FaceTime HIPAA Compliant?
To wrap it all up: FaceTime is not HIPAA compliant for use in healthcare.
Even though it’s encrypted and easy to use, it lacks the core features HIPAA requires – like audit trails, administrative controls, and most importantly, a signed BAA from Apple. While it was temporarily allowed during the COVID-19 emergency, that exception has ended.
If you’re serious about protecting your patients and your practice, the safest move is to switch to a platform that’s specifically built for telehealth and backed by the legal agreements that HIPAA demands.