We look at HIPAA compliance and iCloud because, as more and more businesses take advantage of cloud computing, an important question for Covered Entities to consider is, are cloud storage services such as iCloud HIPAA compliant? If so, Apple´s cloud storage products – iCloud and iCloud+ – could be a convenient and user-friendly option for storing and saving electronic PHI (ePHI).
Apple´s iCloud and iCloud+ services are available on iPhones, iPads, MacBook computers and via most web browsers. The services allow users to upload files and folders to the cloud in order to free space on their physical devices. Once uploaded, the files and folders can be accessed from any of the user´s devices and shared with “invited participants”.
In the context of HIPAA compliance and iCloud, it is possible to secure accounts with Multi Factor Authentication and request logs to review account activity. All transmissions between devices and the iCloud storage service are encrypted; and, while data is stored in Apple´s cloud servers, it is encrypted to the minimum HIPAA requirements.
Consequently, iCloud and iCloud+ comply with many of the Technical Safeguards of the Security Rule relating to access, audit, and integrity controls, and also to transmission security. However, as a third-party service provider to a Covered Entity, Apple is required to sign a Business Associate Agreement before it is possible to store ePHI in the cloud – something Apple is not prepared to do.
The Issue with Apple and Business Associate Agreements
The issue with Apple and Business Associate Agreements manifests in the iCloud Legal Agreement. Under the Limitations of Use clause, Apple states:
“You agree that you will not use any component, function, or other facility of iCloud to create, receive, maintain, or transmit any protected health information (as defined at 45 CFR § 160.103) or use iCloud in any manner that would make Apple (or any Apple Subsidiary) your or any third party’s business associate.”
This clause makes it quite clear that Apple will not allow Covered Entities and Business Associates to store ePHI in the iCloud and iCloud+ services; and, as neither service qualifies for a conduit exception, it is not possible to temporarily store ePHI in iCloud or iCloud+ for the purpose of sharing it (permissibly) with another Covered Entity or Business Associate.
Various commentators have offered opinions about why Apple will not sign a Business Associate Agreement – some suggesting that, as Apple maintain the decryption keys to data stored in iCloud, storing ePHI in iCloud makes the company more of a target for hackers. This seems to be a solid reason considering the already increasing volume of attacks on Apple software.
However, it may also be the case that, if Apple was to ease its position on storing ePHI in iCloud, the company may also come under pressure to sign Business Associate Agreements with Covered Entities wishing to offer ApplePay as a payment option to patients. This could result in the administrative nightmare of Apple having to manage a Business Associate Agreement with every Covered Entity in the country depending what information is disclosed in the payment process!
Conclusion: HIPAA Compliance and iCloud – Look Elsewhere!
If your organization is considering iCloud or iCloud+ as a HIPAA compliant storage solution, it is advisable to look elsewhere. Although iCloud has many of the Technical Safeguards that would support compliance with HIPAA, the service´s Limitations of Use clause mean that you are not permitted to store ePHI in iCloud and consequently Apple will not enter a Business Associate Agreement with you as required by 45 CFR §164.502(e) and 45 CFR §164.314(a).