Is Apple’s iMessage HIPAA Compliant on the iPhone?

iMessage is a built-in instant messaging (IM) service offered by Apple for all its devices. It lets you send text, picture, video, sound, and location quickly and easily to anyone else using iMessage on iPhone, iPad, Mac, or Apple Watch. It is launched when anyone asks their iPhone to send a mesage, and asks to whom the message should be sent.

The question of whether or not Apple’s iMessage is HIPAA compliant comes up often in the medical field, especially because it 1) meets an immediate need for easy health care communication and 2) easily integrates into so many health care office cultures. Using iMessage for internal communication between iPhones can facilitate quick conversations between staff members, but when it comes to sharing patient data does this ease of use translate into HIPAA compliance?

With the exception of third party apps and some Apple Watch functionality, Apple has been decidedly quiet on the issue of HIPAA. There are a number of HIPAA compliant messaging and data storage apps that have long been popular with iPhone and Mac users in the health care field, but Apple’s iMessage messaging service remains unsecure and non-compliant.

HIPAA regulation demands that messaging services must be fully secure in order to protect patient data. iMessage uses end-to-end encryption, meaning that only the intended sender and recipient can view each message. However, Apple keeps a cached version of messages sent using iMessage, which can be accessed either by warrant or by a potential hacker.

Sending patient data over iMessage is a breach of HIPAA regulation. Doing so will put your practice at risk of a data breach and may make you vulnerable to accompanying fines from the HITECH Act.

Apple, Business Associates, iMessage and HIPAA Compliance

HIPAA regulation requires health care providers to execute contracts with their business associates to keep health data secure. These contracts are known as business associate agreements (BAAs) and are mandated by the HIPAA Omnibus Rule.

A business associate is any organization hired by a health care provider who stores, transmits, or in any way handles protected health information (PHI) over the course of services they’ve been paid to provide. PHI is any demographic information that can be used to identify a patient, including name, address, date of birth, or social security number, to name a few.

Because iMessage can be used to store and transmit health data, health care organizations are legally mandated to execute a Business Associate Agreement (BAA) with Apple before using iMessage in their practices.

At this point, Apple has yet to sign HIPAA business associate agreements with health care providers and HIPAA-beholden entities using iMessage. The number one takeaway for behavioral health specialists should be that PHI cannot be legally transmitted via iMessage.

Essential Telehealth Law & Ethical Issues

Bring your telehealth practice into legal compliance. Get up to date on inter-jurisdictional practice, privacy, HIPAA, referrals, risk management, duty to warn, the duty to report, termination, and much more!

Read More

Telehealth 101: Essential Telehealth Technology Orientation

In this 2.5 hour, basic technology training, you will find a well-organized discussion of relevant basic research along with practical suggestions for making foundational decisions about your digital practice with cloud storage, backups systems, security software such as VPNs, HIPAA compliance and software purchasing, synchronous and asynchronous technologies, and much more.

Read More

Ethics of Texting: Do’s and Don’ts

Explore clinical, legal & ethical requirements for text messaging with clients & patients.

Read More