Can you store protected health information on iCloud?

Jeffrey Segal, MD, JD
Female physician looking at patient information on laptop and tablet
Medical Justice solves doctors' complex medico-legal problems.

Learn how we help doctors with...

Doctor-Patient Conflicts

Meritless Litigation

Online Defamation

Medical Board Complaints

Sham Peer Review

Unethical Expert Witnesses

Schedule a consultation

Can You Store Protected Health Information on iCloud? 

No.  

The information stored on a cloud provider must be transported to and stored securely. How secure? Reasonably secure. iCloud likely meets that test. 

In addition, there must be a signed Business Associate Agreement (BAA) in place before Protected Health Information PHI is transferred between organizations. This agreement must clearly state the responsibilities of each company regarding PHI.  

Transferring PHI without a BAA is a clear violation of HIPAA. 

Apple does not sign Business Associate Agreements. Furthermore, they clearly state that storing PHI is not permitted and would violate HIPAA rules. 

“If you are a covered entity, business associate, or representative of a covered entity or business associate (as those terms are defined at 45 C.F.R § 160.103), You agree that you will not use any component, function, or other facility of iCloud to create, receive, maintain or transmit any “protected health information” (as such term is defined at 45 C.F.R § 160.103) or use iCloud in any manner that would make Apple (or any Apple Subsidiary) Your or any third party’s business associate.” 

While its security measures meet or exceed the requirements of HIPAA regulations, Apple’s iCloud fails to meet the Business Associate Agreement  standard and therefore is NOT HIPAA compliant. This example demonstrates that operating securely does not guarantee compliance. 

Sorry, don’t kill the messenger. 

The following cloud providers do have plans with HIPAA Business Associate Agreements (paid accounts) according to https://www.paubox.com/blog/the-hipaa-compliant-cloud-services-checklist:

Can you store PHI on iCloud if you encrypt the document before sending it up? Possibly. In that situation, the primary security is you and your encryption protocol. So, for example, you could encrypt an Adobe pdf or a Microsoft Word document. Then, you could store it anywhere. Here, the security would have been addressed before transferring it anywhere else. Still, it would not be considered best practices. 

So, there you have it. iCloud is secure. But likely not compliant for storage of Protected Health Information. 

What do you think? 

2 thoughts on “Can you store protected health information on iCloud?”

  1. Why would anyone want to store medical information in iCloud a platform clearly not set up for that purpose.
    If it is for physician convenience then that is profoundly stupid in today’s environment of necessary cyber security protocols, such as zero trust.
    Plenty of other entities can do the appropriate encryption, and security and provide the Business Associate Agreement.

    One other question would be, do we need a BAA at all, or is it merely something that pleases government regulators.
    Okay what about HIPAA? Is that necessary?
    I could not get a holter monitor report and the actual print out of tracings without a)going to the doctors office, and b) signing a release that it was okay to release records to myself.
    This was a hospital owned physician office, so those policies are hospital driven. Yes they may be above and beyond what the HIPAA law intended, but that is due to the rule of unintended consequences.
    Can your spouse get your records or find out about your care. Nope. Not unless you authorize it.
    Even if you filed a durable healthcare power of attorney, and all of the other attendant forms with the hospital, is that information available to the point of care providers. Of course not .
    Is HIPAA truly achievable? No. Not unless you have a cone of silence when patients go to your front desk.
    Could HIPAA be replaced with a simple 1 page sheet, spelling out that physicians and hospitals can only give out healthcare information to immediate family, without special authorization, and to others with authorization. These regulatory burdens interfere with care.
    My chart doesn’t contain all of the records in my EHR record. So even I as the patient cannot access my anesthesia record, or other aspects of my healthcare record, that the courts repeatedly indicate that I own and should have access to.
    We need a better, cheaper ,easier to understand system that allows all patient medical information to be disclosed easily and promptly to the patient and immediate family, in full, and also in full electronically. The system we have now doesn’t work and needs to be fixed.

    Reply

Leave a Comment

Jeffrey Segal, MD, JD
Chief Executive Officer & Founder

Jeffrey Segal, MD, JD is a board-certified neurosurgeon and lawyer. In the process of conceiving, funding, developing, and growing Medical Justice, Dr. Segal has established himself as one of the country's leading authorities on medical malpractice issues, counterclaims, and internet-based assaults on reputation.

Meet our medico-legal experts
Subscribe to Dr. Segal's weekly newsletter »
Latest Posts from Our Blog
Frowning male physician in a dark room after filing for bankruptcy
Physicians and Bankruptcy
Male doctor having conversation with new patient
When a New Patient Asks You About an Old Malpractice Lawsuit
Young male physician showing his mother how to leave him a positive review on Google
So, My Mother Can’t Review Me Online?
Close up of comma key on black and white keyboard
Reporting Settlements to the Board of Medicine: The Role of the Oxford Comma
Contact Us

We’re here to provide assistance to doctors in need of guidance. Fill out this online form to start the conversation, or schedule a 15-minute consultation using our online appointment manager.

Name(Required)
Are you the doctor?(Required)
Newsletter
This field is for validation purposes and should be left unchanged.