Cloud storage services are a convenient way for people to store and share data. Though people use diverse devices from varied places, they can gain access to the uploaded data files provided that they are hooked up to the internet. Does this technology support HIPAA compliance? Can healthcare organizations utilize iCloud to keep electronic protected health information (ePHI)?
Plenty of cloud storage services can be used by healthcare organizations. Nonetheless, cloud services must have solid access and authentication controls to make it acceptable for holding and sharing ePHI. Uploaded information ought to be encrypted and logs have information about the people who viewed the information and what they did to the information.
Apple provides a cloud storage service called iCloud and it could be accessed via Macs, iPhones and iPads. It offers solid authentication / access controls as well as encryption of stored and transmitted data. These security capabilities completely satisfy the minimum specifications of HIPAA. However are these enough to make iCloud HIPAA-compliant?
Cloud storage services are categorized as business associates since they aren’t covered by the HIPAA Conduit Exception Rule. Being a business associate, it is necessary to sign a business associate agreement (BAA) with covered entities before its cloud services are utilized with ePHI. The BAA states the duties of the service provider in sharing, keeping or sending ePHI. It additionally points out the permitted uses and disclosures of ePHI and the necessary notification should a data breach happens.
The issue is if Apple will sign a BAA with covered entities. It’s clearly stated in iCloud’s conditions and terms that HIPAA-covered entities cannot use iCloud for keeping, sharing or sending ePHI or use iCloud in ways that will imply Apple is a third-party business associate. To do so is a violation of the HIPAA rules.
Therefore, even if a cloud storage service offers HIPAA-compliant security controls for protecting ePHI, if the conduit exception rule does not cover it and if it is not willing to enter into a business associate agreement, the service cannot be used with any ePHI. Because of this, iCloud isn’t HIPAA-compliant and cannot be used by healthcare organizations for sharing, keeping or sending protected health information (PHI).