Can iCloud Be Considered HIPAA-Compliant?

Cloud Storage

iCloud cannot be considered HIPAA compliant and cannot be used to store, sync, or share media which include PHI due to Apple prohibiting the use of iCloud services for any purposes that would make it a business associate of a covered entity. However, healthcare providers and other covered entities may use iCloud for day-to-day operations, provided these operations do not impermissibly disclose PHI.

Cloud storage services make it very convenient for people to share and store data. People using different devices from different locations can access the uploaded files as long as they are connected to the internet. But the question is, can healthcare organizations use iCloud to store electronic protected health information? Is iCloud HIPAA compliant?

Many cloud storage services are available for use by healthcare providers. However, cloud services need to have strong access and authentication controls to be suitable for storing and sharing ePHI. Uploaded data must be encrypted and logs should provide information on who accessed the data and what they did with the data.

iCloud is a cloud storage service provided by Apple and may be accessed through Macs, iPads and iPhones. It features both strong authentication / access controls and data encryption during storage and transfer. These security features absolutely meet the minimum requirements of HIPAA. But does that make iCloud HIPAA-compliant?

Cloud storage services are classified as business associates because they are not covered by the HIPAA Conduit Exception Rule.  As a business associate, signing a business associate agreement with covered entities is required before cloud services are used with ePHI. The BAA stipulates the responsibilities of the service provider when sharing, storing or transmitting ePHI. It also explains the allowed uses and disclosures of ePHI and the required notification in case a data breach occurs.

The question is will Apple sign a BAA with covered entities? It is clear in iCloud’s terms and conditions that HIPAA-covered entities are not allowed to use iCloud for storing, sharing or transmitting ePHI or use iCloud in any way that would suggest Apple is a third-party business associate. Doing so violates the HIPAA rules.


Simple Guidelines
Immediate PDF Download

Immediate Access

Privacy Policy

So even though a cloud storage service features HIPAA-approved security controls to secure ePHI, if it is not covered by the conduit exception rule and if it does not sign a business associate agreement, there’s no way to allow the use of the service with any ePHI. In view of this, iCloud is not HIPAA-compliant and healthcare organizations cannot use it for sharing, storing or transmitting protected health information.

About Daniel Lopez
Daniel Lopez is a HIPAA trainer, passionately committed to enhancing healthcare data protection and privacy standards. As a recognized expert in HIPAA compliance, he holds the role of HIPAA specialist at The HIPAA Guide. Holding a degree in Health Information Management, complemented by certifications in data privacy and security, Daniel's academic and professional credentials are a testament to his expertise. His approach to training is both engaging and educational, catering to a range of professional needs in the healthcare sector. For further information or to benefit from his expertise, Daniel is reachable through or