HIPAA Compliance & iCloud
Cloud storage services are a convenient way of storing and sharing information. Because files saved to the cloud can be accessed from multiple devices in any location with an Internet connection, information is always at hand when it is needed.
There are many cloud storage services to choose from, and many of them are suitable for use by healthcare providers for storing and sharing ePHI. They offer robust access and authentication controls, data is encrypted in transit and at rest, and audit logs record who accessed data, when access occurred, and what users did with the data once access was granted.
iCloud is a cloud storage service that Apple device users can easily access from their iPhones, iPads, and Macs. iCloud has robust authentication and access controls, and data is encrypted both at rest and in transit. The encryption Apple uses would satisfy the HIPAA Security Rule's encryption requirements (encryption is an addressable implementation specification, and HHS points to NIST-recommended algorithms rather than mandating a particular one). iCloud therefore appears to tick all the right boxes in terms of security, but is iCloud HIPAA compliant?
Will Apple Sign a Business Associate Agreement with HIPAA Covered Entities?
Cloud storage services are not covered by the HIPAA conduit exception, so they are classed as business associates. As a business associate, the service provider must enter into a contract with the HIPAA covered entity, in the form of a business associate agreement (BAA), before its service can be used in connection with any ePHI.
It is the responsibility of the covered entity to ensure a BAA is in place before implementing any cloud service for sharing, storing, or transmitting ePHI.
The business associate agreement must set out the responsibilities the service provider has with respect to any ePHI uploaded to its cloud storage platform. The BAA should also define the permitted uses and disclosures of PHI and require the provider to notify the covered entity of any breach that exposes data.
If a BAA is not signed with Apple, its iCloud service cannot be used with any ePHI. So, will Apple sign a BAA with HIPAA covered entities?
Apple could not have made it any clearer in its iCloud terms and conditions that use of iCloud by HIPAA covered entities or their business associates for storing or sharing ePHI is not permitted, and that doing so would violate both the terms of service and HIPAA Rules:
“If you are a covered entity, business associate or representative of a covered entity or business associate (as those terms are defined at 45 C.F.R § 160.103), You agree that you will not use any component, function or other facility of iCloud to create, receive, maintain or transmit any “protected health information” (as such term is defined at 45 C.F.R § 160.103) or use iCloud in any manner that would make Apple (or any Apple Subsidiary) Your or any third party’s business associate.”
Conclusion: iCloud & HIPAA Compliance
It does not matter what security measures a service implements to keep ePHI from being viewed by unauthorized people. If a communications channel is not covered by the conduit exception and the service provider will not sign a business associate agreement with the HIPAA covered entity, the service cannot be used with any ePHI. So, is iCloud HIPAA compliant? Until Apple decides to sign a BAA, iCloud is not a HIPAA compliant cloud service and should not be used by healthcare organizations for sharing, storing, or transmitting ePHI. One practical caveat: iCloud Drive, iCloud Photos, and iCloud Backup are enabled by default on Apple devices, so a covered entity that issues or permits iPhones, iPads, or Macs for work involving ePHI should restrict those features on managed devices (for example through its mobile device management profiles) so that ePHI is not synced to iCloud incidentally.