HIPAA Compliance 101
The Department of Health and Human Services Office for Civil Rights (OCR) is responsible for enforcing HIPAA Rules and Regulations. Those regulations are designed to safeguard every individual’s protected health information (PHI).
HIPAA’s Privacy Rule and Security Rule define the technical and administrative safeguards that govern how PHI is transmitted, stored, received, and maintained. End-users are responsible for ensuring that they use any platform that handles PHI in a HIPAA-compliant manner.
Healthcare practices and the companies that serve them must comply fully with all HIPAA provisions. HIPAA violations can result in substantial fines and penalties from OCR.
Security and Privacy: Is Apple iCloud HIPAA Compliant?
Key provisions of the HIPAA regulations require electronic PHI (ePHI) to be protected by two-factor authentication and access controls. Data must also be encrypted at rest and in transit.
Apple’s iCloud has outstanding authentication and access controls, and data is encrypted in storage and during transfer. The level of encryption used by Apple easily meets the minimum standard of compliance under HIPAA.
Business Associate Agreements: Is Apple iCloud HIPAA Compliant?
All businesses that create, transmit, process, store, receive, or maintain PHI or ePHI are required to be HIPAA compliant. Any vendors used for those purposes must also be HIPAA compliant.
In addition, there must be a signed Business Associate Agreement (BAA) in place before PHI or ePHI is transferred between organizations. This agreement must clearly state the responsibilities of each company regarding PHI.
Transferring PHI without a BAA is a clear violation of HIPAA.
Apple does not sign Business Associate Agreements. Furthermore, Apple’s own iCloud terms clearly state that storing PHI is not permitted and would violate HIPAA rules:
“If you are a covered entity, business associate, or representative of a covered entity or business associate (as those terms are defined at 45 C.F.R. § 160.103), You agree that you will not use any component, function, or other facility of iCloud to create, receive, maintain or transmit any “protected health information” (as such term is defined at 45 C.F.R. § 160.103) or use iCloud in any manner that would make Apple (or any Apple Subsidiary) Your or any third party’s business associate.”
Final Analysis: Is Apple iCloud HIPAA Compliant?
While its security measures meet or exceed the technical requirements of the HIPAA regulations, Apple’s iCloud fails to meet the Business Associate Agreement standard and therefore is NOT HIPAA compliant. This example demonstrates that operating securely does not guarantee compliance: strong encryption and access controls satisfy the Security Rule’s safeguards, but without a signed BAA the legal obligations of the regulation remain unmet.
If you would like to know more about the relationship between security and compliance, one of our HIPAA educators would be happy to explain how you can tick every box and be fully compliant.