Lately, we’ve been discussing in the office whether certain cloud-based solutions are HIPAA compliant or not. iMessage is an encrypted instant messaging service developed by Apple.
We know the HIPAA industry is vast so we can empathize with just how many people need to use cloud-based services in this sector.
In previous posts, we’ve covered the following cloud solutions and their capabilities for HIPAA compliance:
- Amazon CloudFront
- Apple iCloud
- Citrix ShareFile
- Google Calendar
- Google Docs
- Google Drive
- Google Forms
- Google Hangouts
- Google Slides
- Google Voice
- Office 365
Today, we will determine if Apple iMessage offers HIPAA compliance or not.
SEE ALSO: HIPAA Breaches and Cloud Providers
About Apple iMessage
Apple iMessage is an instant messaging service developed by Apple. It was launched in 2012 with iOS 5 and OS X Mountain Lion.
iMessages are texts, photos, or videos that are sent to other iOS devices and Macs over Wi-Fi or cellular-data networks. iMessages are encrypted and appear in blue text bubbles.
Apple iMessage and the Business Associate Agreement
We’ve previously talked about how a Business Associate Agreement (BAA) is a written contract between a Covered Entity and a Business Associate. It is required by law for HIPAA compliance.
We checked Apple’s corporate site and found an important piece of information on the iCloud Terms and Conditions page.
On that page, Apple states:
“If you are a covered entity, business associate or representative of a covered entity or business associate (as those terms are defined at 45 C.F.R § 160.103), You agree that you will not use any component, function or other facility of iCloud to create, receive, maintain or transmit any “protected health information” (as such term is defined at 45 C.F.R § 160.103) or use iCloud in any manner that would make Apple (or any Apple Subsidiary) Your or any third party’s business associate.”
Although we could not find a specific mention of iMessage and Apple’s stance on it for HIPAA compliance, we can infer several things:
- We could not find any cloud-based products or services for which Apple offers to sign a BAA for.
- In June 2017, Apple announced it’s bringing iMessage to its iCloud platform.
- If iCloud is specifically not HIPAA compliant, then we know that by bundling iMessage into it natively that iMessage is also not HIPAA compliant.
Does Apple iMessage Offer HIPAA Compliant Service?
The Business Associate Agreement is a key component to HIPAA compliance between a Covered Entity and a Business Associate.
Apple’s corporate site quickly yielded the information we were looking for.
First of all, their site clearly states iCloud is not HIPAA compliant. By virtue of iMessage being folded into iCloud this year, we can conclude iMessage is also not HIPAA compliant.
In addition, Apple makes zero mention anywhere on its site of its ability to sign a BAA for any of its cloud-based services.
Apple iMessage is not HIPAA compliant.
Do not use Apple iMessage if you are bound by HIPAA regulations.