Is iCloud HIPAA Compliant?

Can iCloud be considered HIPAA compliant? Can healthcare organizations use iCloud to store or share files that contain electronic protected health information (ePHI)? This article answers the question of whether iCloud is HIPAA compliant.

Cloud storage services are very convenient for sharing and storing information. Files uploaded to the cloud are accessible from anywhere, on any device connected to the internet, whenever the information is needed.

There are many cloud storage services available, and a number of them can be used by healthcare providers to store and share ePHI. They offer reliable access and authentication controls, data is encrypted in transit and at rest, and logs are maintained that record what data was accessed, when, and what users did once they were given access.

iCloud is a cloud storage service that Apple provides to owners of Apple devices through their Macs, iPhones and iPads. iCloud features reliable authentication and access controls and encrypts data both in storage and in transit, at a strength that would satisfy the HIPAA Security Rule's encryption safeguards. On the surface, iCloud seems to have all the required security controls, but is it HIPAA compliant?

The HIPAA Conduit Exception does not cover cloud storage services: unlike a courier or an ISP that merely transmits data, a cloud storage provider persistently stores ePHI. Cloud storage providers are therefore classified as business associates, and a business associate must sign a business associate agreement (BAA) with a HIPAA covered entity before its service may be used with any ePHI.

The covered entity is responsible for obtaining a BAA before using any cloud service to store, share or transmit ePHI.

The business associate agreement must set out the service provider's responsibilities for the ePHI uploaded to its cloud storage system, the permitted uses and disclosures of that PHI, and the provider's obligation to notify the covered entity in the event of a data breach.

If Apple does not sign a BAA, covered entities and their business associates may not use iCloud with any ePHI. Apple states clearly in its iCloud terms of service that HIPAA-covered entities and their business associates cannot use iCloud to store or share ePHI; doing so would violate the HIPAA Rules.

So, is iCloud considered HIPAA Compliant?

It does not matter how good Apple's security controls are at keeping unauthorized individuals away from data uploaded to iCloud. The Conduit Exception does not cover the iCloud service, and Apple will not enter into a BAA with a HIPAA covered entity. Without a BAA, no HIPAA-covered entity can use iCloud with ePHI, so iCloud is not HIPAA compliant. Until Apple decides to sign BAAs, iCloud will remain out of compliance with HIPAA, and healthcare organizations cannot use it to store, share, or transmit ePHI.