There are many cloud storage services to choose from, and many of them are suitable for healthcare providers to store and share ePHI. They include strong access and authentication controls, data uploaded to and stored in the cloud is encrypted, and logs are kept so you can tell who accessed data, when access occurred, and what users did with the data once access was granted.
iCloud is a cloud storage service that Apple device owners can easily access from their iPhones, iPads, and Macs. iCloud has robust authentication and access controls, and data is encrypted at rest and in transit. The level of encryption used by Apple certainly meets the minimum standard demanded by HIPAA. iCloud appears to tick all the right boxes with respect to security, but is iCloud HIPAA compliant?
Will Apple Sign a Business Associate Agreement with HIPAA Covered Entities?
Cloud storage services are not covered by the HIPAA Conduit Exception Rule and are therefore classified as business associates. As a business associate, the service provider must enter into a contract with a HIPAA covered entity – known as a business associate agreement (BAA) – before its service can be used in connection with any ePHI.
It is the responsibility of the covered entity to make sure a BAA is in place before any cloud service is used for storing or sharing ePHI.
That business associate agreement must set out the obligations the service provider has with respect to any ePHI uploaded to its cloud storage service. The BAA should also specify the permitted uses and disclosures of PHI, and the obligation to notify the covered entity of any breach that exposes ePHI.
If a BAA has not been signed with Apple, its iCloud service cannot be used in connection with any ePHI. So, will Apple sign a BAA with HIPAA covered entities?
Apple could not have stated more clearly in its iCloud terms and conditions that the use of iCloud by HIPAA-covered entities or their business associates for storing or sharing ePHI is not permitted, and that doing so would be an obvious breach of HIPAA Rules.
“If you are a covered entity, business associate or representative of a covered entity or business associate (as those terms are defined at 45 C.F.R § 160.103), You agree that you will not use any component, function or other facility of iCloud to create, receive, maintain or transmit any “protected health information” (as such term is defined at 45 C.F.R § 160.103) or use iCloud in any manner that would make Apple (or any Apple Subsidiary) Your or any third party’s business associate.”
It makes no difference what security controls are in place to ensure ePHI cannot be obtained by unauthorized individuals. If a communications channel is not covered by the conduit exception rule and the service provider will not enter into a business associate agreement with a HIPAA covered entity, the service cannot be used in connection with any ePHI.