Is Apple’s iMessage HIPAA Compliant on the iPhone?


February 5, 2017 | Reading Time: 2 Minutes


iMessage is a built-in instant messaging (IM) service offered by Apple for all its devices. It lets you send text, pictures, video, sound, and location quickly and easily to anyone else using iMessage on an iPhone, iPad, Mac, or Apple Watch. It launches when you ask your iPhone to send a message, and asks to whom the message should be sent.

The question of whether or not Apple’s iMessage is HIPAA compliant comes up often in the medical field, especially because it 1) meets an immediate need for easy health care communication and 2) easily integrates into so many health care office cultures. Using iMessage for internal communication between iPhones can facilitate quick conversations between staff members, but when it comes to sharing patient data does this ease of use translate into HIPAA compliance?

With the exception of third-party apps and some Apple Watch functionality, Apple has been decidedly quiet on the issue of HIPAA. There are a number of HIPAA compliant messaging and data storage apps that have long been popular with iPhone and Mac users in the health care field, but Apple’s iMessage messaging service remains insecure and non-compliant.

HIPAA regulation requires that messaging services be fully secure in order to protect patient data. iMessage uses end-to-end encryption, meaning that only the intended sender and recipient can view each message. However, Apple keeps a cached version of messages sent using iMessage, which can be accessed either by warrant or by a potential hacker.

Sending patient data over iMessage is a breach of HIPAA regulation. Doing so will put your practice at risk of a data breach and may make you vulnerable to accompanying fines from the HITECH Act.

Apple, Business Associates, iMessage and HIPAA Compliance

HIPAA regulation requires health care providers to execute contracts with their business associates to keep health data secure. These contracts are known as business associate agreements (BAAs) and are mandated by the HIPAA Omnibus Rule.

A business associate is any organization hired by a health care provider that stores, transmits, or in any way handles protected health information (PHI) over the course of the services it has been paid to provide. PHI is any demographic information that can be used to identify a patient, including name, address, date of birth, or social security number, to name a few.

Because iMessage can be used to store and transmit health data, health care organizations are legally mandated to execute a Business Associate Agreement (BAA) with Apple before using iMessage in their practices.

At this point, Apple has yet to sign HIPAA business associate agreements with health care providers and HIPAA-beholden entities using iMessage. The number one takeaway for behavioral health specialists should be that PHI cannot be legally transmitted via iMessage.


Kit Kaplan
5 years ago

I have Auditory Processing and have difficulty understanding words and don’t process numbers at all,
including gift Cal cool young and dysgraphia. I also have auditory processing problems. So I don’t process numbers at all and I don’t process things I hear very well and need to do things in writing. Do you know any HIPAA compliant methods of communicating through text or email?

Marlene Maheu, Ph. D.
5 years ago
Reply to Kit Kaplan

Hello Kit,
Thank you for your inquiry. See the TBHI Buyer’s Guide for HIPAA-compliant text messaging and email platforms. Let us know if you find one that is particularly helpful to you.
