Question: “Hank, I have a client who wants to continue to use FaceTime after the Public Health Emergency (PHE) ends. Is this OK?”
As a covered entity under HIPAA, providers must have a Business Associate Agreement (BAA) with their telehealth platform. A BAA must be in place whenever a third-party service provider, organization, or individual is “creating, receiving, maintaining, or transmitting” a client’s (or prospective client’s) Protected Health Information (PHI). The waiver was granted during the Public Health Emergency (PHE). FaceTime is an Apple product, but Apple will not sign a BAA with a healthcare provider. Any telehealth platform vendor who will not sign a BAA cannot be used for telehealth when the provider is a covered entity.
Just to remind you, if your video platform, Electronic Health Record system, or another system sends out appointment reminders or email links to join the video session, your clients should be signing a request for non-secure communication. In contrast to the FaceTime issue, clients can request non-secure communications, such as text and email. Even though this is allowed, using encrypted systems and having a BAA in place is strongly recommended when applicable. HIPAA-secure systems for email and text are no longer costly and are easy to use. Providers and clients are both protected; better safe than sorry.