Is iCloud HIPAA compliant?

As more and more people adopt cloud storage and computing services in their everyday lives, and as the iPhone and iPad continue to command an enormous share of their respective markets, many organizations have noticed Apple’s iCloud service and are asking whether it is compliant with the Health Insurance Portability and Accountability Act, more commonly known as HIPAA, and whether HIPAA-covered entities can use iCloud to handle patients’ protected health information (PHI).

Cloud computing and storage have many benefits, such as the ability to access files from almost anywhere using almost any smart device. Apple’s cloud storage service, iCloud, is well known because many people use it on their personal devices to share photographs, documents, and other information. As with many things, such tools must meet a higher standard when considered from a business perspective, and the level of rigour only increases for business or enterprise use in a heavily regulated sector such as healthcare.

For cloud storage to be compliant with HIPAA, some of the elements that must be considered relate to how the data will be accessed, stored and transferred. Users must prove that they are who they say they are through authentication controls such as a username and password combination. Data must be encrypted while in storage as well as when it is being shared or sent. Strict and detailed audit functions must also be included so that activity can be tracked: who accessed a file, when, from where, and what they did with it. Apple’s iCloud includes features that ensure users must be authenticated before accessing files, and the encryption standards Apple uses also meet the necessary standard. What else must we consider before we can declare iCloud HIPAA compliant or not?

Business Associate Agreements under HIPAA

A HIPAA-covered entity cannot use a service to handle, share or store PHI in compliance with HIPAA, even if all the required configurations of the service are in place and activated, unless it first has a Business Associate Agreement (BAA) in place with the service provider, or the service provider is exempt under the HIPAA Conduit Exception. A BAA sets out each party’s responsibilities in terms of HIPAA, data protection, and any other area where duties may not be clear or ambiguity may exist. Services such as the Postal Service are covered by the Conduit Exception.

To date, Apple has not shown itself willing to enter into BAAs covering its iCloud service for use with PHI. Indeed, in the iCloud terms and conditions, Apple specifically states that iCloud is not to be used in relation to PHI. The relevant paragraph, from the most recently revised version (September 17, 2018), can be found in Section I, Requirements for Use, Part C, Limitations on Use, and states:

“If you are a covered entity, business associate or representative of a covered entity or business associate (as those terms are defined at 45 C.F.R § 160.103), You agree that you will not use any component, function or other facility of iCloud to create, receive, maintain or transmit any “protected health information” (as such term is defined at 45 C.F.R § 160.103) or use iCloud in any manner that would make Apple (or any Apple Subsidiary) Your or any third party’s business associate.”

As Apple refuses to enter into a BAA with HIPAA-covered entities to cover its iCloud service, use of iCloud with PHI is not HIPAA compliant. Apple’s position may change given the commercial opportunity, although there is already a lot of competition in the cloud storage space for HIPAA-covered entities.