Is iCloud HIPAA-Compliant?
iCloud cannot be considered HIPAA compliant and cannot be used to store, sync, or share media that include PHI, because Apple prohibits the use of iCloud services for any purpose that would make it a business associate of a covered entity. However, healthcare providers and other covered entities may use iCloud for day-to-day operations, provided these operations do not impermissibly disclose PHI.
Cloud storage services make it very convenient for people to share and store data. People using different devices from different locations can access the uploaded files as long as they are connected to the internet. But the question is, can healthcare organizations use iCloud to store electronic protected health information? Is iCloud HIPAA compliant?
Many cloud storage services are available for use by healthcare providers. However, cloud services need to have strong access and authentication controls to be suitable for storing and sharing ePHI. Uploaded data must be encrypted and logs should provide information on who accessed the data and what they did with the data.
iCloud is a cloud storage service provided by Apple and may be accessed through Macs, iPads and iPhones. It features both strong authentication and access controls and data encryption during storage and transfer. These security features absolutely meet the minimum requirements of HIPAA. But does that make iCloud HIPAA-compliant?
Cloud storage services are classified as business associates because they are not covered by the HIPAA Conduit Exception Rule. As a business associate, signing a business associate agreement with covered entities is required before cloud services are used with ePHI. The BAA stipulates the responsibilities of the service provider when sharing, storing or transmitting ePHI. It also explains the allowed uses and disclosures of ePHI and the required notification in case a data breach occurs.
The question is whether Apple will sign a BAA with covered entities. It is clear in iCloud's terms and conditions that HIPAA-covered entities are not allowed to use iCloud for storing, sharing or transmitting ePHI, or to use iCloud in any way that would suggest Apple is a third-party business associate. Doing so violates the HIPAA rules.
So even though a cloud storage service features HIPAA-approved security controls to secure ePHI, if it is not covered by the conduit exception rule and its provider does not sign a business associate agreement, there's no way to allow the use of the service with any ePHI. In view of this, iCloud is not HIPAA-compliant, and healthcare organizations cannot use it for sharing, storing or transmitting protected health information.