Is FaceTime HIPAA Compliant? Risks and Alternatives

FaceTime is not HIPAA compliant. While it uses strong end-to-end encryption, Apple does not sign a Business Associate Agreement (BAA), which is a legal requirement for any technology vendor handling protected health information. Without a BAA, healthcare providers who use FaceTime for patient consultations are violating HIPAA rules, even though the calls themselves are technically secure.

Why Encryption Alone Isn’t Enough

FaceTime’s security is genuinely impressive. Every call, including group calls with up to 33 participants, is protected by end-to-end encryption using AES-256, one of the strongest encryption standards available. Apple cannot decrypt the audio or video content of any FaceTime call. The system also provides forward secrecy, meaning that even if someone’s device were compromised, the contents of past calls would remain protected. When a new participant joins a group FaceTime call, the system generates entirely new encryption keys and never shares previously used keys with the new device.

None of that matters for HIPAA compliance, though. HIPAA requires covered entities (healthcare providers, insurers, and their partners) to use technology vendors that will sign a BAA. This is a legal contract that holds the vendor accountable for safeguarding patient health information. It spells out what the vendor can and cannot do with the data, requires them to report breaches, and makes them legally liable for mishandling protected information. Apple does not offer a BAA for FaceTime, and no amount of encryption substitutes for that contractual obligation.

The COVID Exception Is Over

During the pandemic, the Office for Civil Rights (OCR) at HHS temporarily relaxed enforcement of HIPAA’s telehealth rules. Starting March 17, 2020, healthcare providers could use consumer apps like FaceTime, WhatsApp video, and Google Hangouts for patient visits without risking penalties. OCR explicitly named FaceTime as an acceptable “non-public facing” communication tool during this period, since it limits participation to intended parties rather than broadcasting publicly.

That enforcement discretion expired at 11:59 p.m. on May 11, 2023, with a 90-day transition period that ended on August 9, 2023. Since then, OCR has resumed full enforcement of HIPAA rules for telehealth. Providers who continued using FaceTime for patient consultations after that date are no longer shielded from penalties.

What Happens If You Use It Anyway

HIPAA violations carry serious consequences. Civil penalties follow a tiered structure based on the severity and nature of the violation, with fines determined by the Secretary of HHS. Criminal penalties go further: knowingly obtaining or disclosing individually identifiable health information can result in fines up to $50,000 and one year in prison. If the offense involves false pretenses, that rises to $100,000 and five years. If health information is used for commercial advantage, personal gain, or malicious harm, penalties reach $250,000 and up to 10 years of imprisonment.

Even without intentional misuse, a data breach or patient complaint involving a non-compliant platform puts a practice at risk. The absence of a BAA means there’s no legal framework holding Apple responsible for any part of the data handling, leaving the healthcare provider fully exposed.

What Makes a Platform HIPAA Compliant

Two things must be in place for a video platform to meet HIPAA requirements. First, the platform needs appropriate security safeguards: encryption, access controls, and audit capabilities. Second, and critically, the vendor must sign a BAA with the healthcare provider. Both elements are mandatory. A platform with perfect security but no BAA fails HIPAA compliance, and a vendor willing to sign a BAA but lacking adequate security does too.

Platforms That Offer a BAA

Several video conferencing tools are designed for healthcare use and include a BAA as part of their service agreements. Your choice depends on budget, practice size, and how deeply you need the platform integrated with your workflow.

  • Doxy.me signs a BAA on every plan, including its free tier, making it the most accessible option for providers who just need a simple, compliant video call.
  • Zoom for Healthcare offers a BAA on all paid plans (Pro, Business, Enterprise). The free version of Zoom is not HIPAA compliant.
  • Google Meet includes a BAA with all paid Google Workspace accounts. The account administrator must review and accept it.
  • Microsoft Teams provides a BAA as part of most business and enterprise-level Microsoft 365 subscriptions.
  • SimplePractice includes a BAA for all paid subscribers, with telehealth built into the practice management platform.
  • Webex for Healthcare offers a BAA through Cisco’s healthcare-specific plans, which require contacting their sales team.

For smaller practices or solo providers, Doxy.me’s free plan with an included BAA is hard to beat. Larger organizations already using Microsoft or Google products can often activate a compliant telehealth setup within their existing subscriptions without adding new software.

When FaceTime Might Still Be Appropriate

FaceTime can be used in healthcare settings where no protected health information is exchanged. A quick call between colleagues about scheduling, or a non-clinical check-in that doesn’t reference a patient’s diagnosis, treatment, or identifying details, falls outside HIPAA’s scope. The moment a conversation involves anything that could identify a patient and their health condition, you need a platform backed by a BAA.

Some providers also use FaceTime in genuine emergencies where no other option is available and a patient’s health is at immediate risk. This isn’t a formal HIPAA exception, but OCR has historically considered context when evaluating enforcement actions. It is not a strategy to build a telehealth practice around.