As Macs have become more popular in industries beyond the traditional creative niches, Apple and its services like iCloud are increasingly being scrutinized for compliance with legal standards, especially in sectors like healthcare. One critical requirement is HIPAA (Health Insurance Portability and Accountability Act), which regulates how electronic protected health information (ePHI) is stored, accessed, and transmitted. But is iCloud HIPAA compliant, and can it be used for ePHI? Let’s break it down.

What is HIPAA?

The Health Insurance Portability and Accountability Act is a piece of US legislation that covers the way personal health records are managed and protected by healthcare providers and insurers. It prohibits the disclosure of protected health information (PHI) without the consent of the patient or their authorized representative.

HIPAA compliance

There are several conditions that cloud storage service providers must meet for their service to be HIPAA compliant. These include:

  • Signing a business associate agreement (BAA) to confirm compliance with HIPAA rules.
  • Taking all possible precautions to protect personal health data, including encrypting that data both while it is stored and in transit to and from the cloud storage. Only by using strong encryption can data be secured to the standard required by HIPAA.
  • Using strict access controls and logging security incidents. This includes identifying incidents and their causes, taking steps to mitigate future occurrences, and reporting the incident to relevant parties.

iCloud and HIPAA compliance

One of the key requirements for HIPAA compliance is signing a business associate agreement. Apple does not sign business associate agreements.

With regard to the other requirements, the end-to-end encryption Apple uses for iCloud does meet the standard necessary for compliance. However, not all iCloud data is end-to-end encrypted: Apple retains the encryption keys for some categories of data, which could cause problems for HIPAA compliance.

The failure to sign a business associate agreement renders iCloud non-compliant. In fact, Apple’s iCloud terms and conditions explicitly prohibit using the service to store personal health information.

Risks of using iCloud for ePHI

There are several risks associated with using iCloud to store and transfer ePHI. The first, but perhaps the least serious, is that it would put your organization in breach of Apple’s iCloud terms and conditions, meaning Apple could take action for breaching the agreement. Other risks of failing to comply with HIPAA include:

  • The imposition of civil monetary penalties ranging from a few hundred dollars to over $1m
  • Criminal penalties for deliberate violation
  • Loss of reputation among stakeholders and clients
  • The requirement to take corrective action for data that is subject to a breach

For smaller organizations, these penalties can have devastating effects, often outweighing the cost of compliance measures in the first place. Healthcare organizations might be forced to divert resources to legal fees, compliance audits, and potential settlements, severely affecting their operations and growth potential.

☝️ The cost of non-compliance

In 2015, a Boston hospital faced a $218,000 HIPAA fine after leaking patient health information through a cloud-based file-sharing platform. Just as important, the medical center failed to identify and respond to a known security incident and didn't take steps to reduce its impact.

Alternatives to iCloud for HIPAA-compliant cloud storage

While iCloud is not compliant with HIPAA, there are several cloud storage services from well-known providers that are.

  1. Microsoft OneDrive for Business is HIPAA compliant, provided you sign up for a business or enterprise plan that includes the necessary security measures. Microsoft provides a business associate agreement. However, it is up to you to make sure that the plan you subscribe to has the necessary security and that it is configured and used in accordance with HIPAA.
  2. Google Workspace is also HIPAA compliant as long as the Google services used have what Google calls ‘included functionality’. Google publishes a list of the services that are covered. In addition to using only those services where HIPAA compliance is required, customers must sign a business associate agreement with Google. Google has also published an implementation guide for Google Workspace to provide guidance on how to handle PHI when using Workspace.
  3. Amazon Web Services is widely used for HIPAA-compliant services, including by large companies such as Philips, Orion Health, and Siemens. Customers must sign a BAA with AWS to use it to store or transfer PHI. The BAA specifies which AWS tools can be used to store and transmit PHI. If AWS customers offer software-as-a-service (SaaS) products to their own customers, those customers must also sign a BAA with the AWS customer.

Each of these providers offers solutions that can accommodate the needs of smaller organizations, with pricing and features that scale as your business grows. Whichever service you choose, you should ensure that you sign a BAA that covers the storage and transmission of PHI and that you use the services in the way set out in the agreement.

Best practices for healthcare organizations using cloud services

To ensure best practices when using cloud services with ePHI, healthcare organizations should do the following.

  • Verify HIPAA compliance. It’s the duty of the organization to ensure that any cloud service it uses is HIPAA compliant and the service provider signs a BAA before ePHI is transmitted or stored.
  • Implement additional security measures. ePHI data should be encrypted at every stage and logs should be kept for auditing purposes. Strict access controls, including two-factor authentication, should be put in place.
  • Train staff. Staff should be trained to use cloud services in a way that is compliant with HIPAA and to handle data securely.

Conclusion

Apple’s refusal to sign BAAs means iCloud cannot be HIPAA compliant and should not be used to transmit or store ePHI. If your business relies on storing or transmitting ePHI, start evaluating potential cloud solutions now. Before signing up with a cloud provider, ensure they have a dedicated compliance team and can provide a signed BAA. This gives you legal cover in the event of a data breach.