Business Associate Agreements: Is Apple iCloud HIPAA Compliant?
All businesses that create, transmit, process, store, receive, or maintain PHI or ePHI are required to be HIPAA compliant, and any vendor used for those purposes must be HIPAA compliant as well.
In addition, a signed Business Associate Agreement (BAA) must be in place before PHI or ePHI is transferred between organizations. The agreement must clearly state each company's responsibilities regarding PHI.
Transferring PHI without a BAA is a clear violation of HIPAA.
Apple does not sign Business Associate Agreements. Furthermore, Apple's iCloud terms clearly state that storing PHI in iCloud is not permitted and that doing so would violate HIPAA rules:
“If you are a covered entity, business associate, or representative of a covered entity or business associate (as those terms are defined at 45 C.F.R § 160.103), You agree that you will not use any component, function, or other facility of iCloud to create, receive, maintain or transmit any “protected health information” (as such term is defined at 45 C.F.R § 160.103) or use iCloud in any manner that would make Apple (or any Apple Subsidiary) Your or any third party’s business associate.”
Final Analysis: Is Apple iCloud HIPAA Compliant?
While its security measures meet or exceed the requirements of HIPAA regulations, Apple's iCloud fails to meet the Business Associate Agreement standard and therefore is NOT HIPAA compliant. This example demonstrates that operating securely does not guarantee compliance: strong technical safeguards satisfy only part of HIPAA, and without a BAA the contractual requirement is unmet regardless of how well the data is protected.
If you would like to know more about the relationship between security and compliance, one of our HIPAA educators would be happy to explain how you can tick every box and be fully compliant.