iMessage

iMessage is a built-in instant messaging (IM) service offered by Apple for all its devices. It lets you send text, pictures, video, audio, and location quickly and easily to anyone else using iMessage on iPhone, iPad, Mac, or Apple Watch. It launches whenever a user asks their iPhone to send a message, and prompts for the recipient.

The question of whether or not Apple’s iMessage is HIPAA compliant comes up often in the medical field, especially because it 1) meets an immediate need for easy health care communication and 2) integrates easily into so many health care office cultures. Using iMessage for internal communication between iPhones can facilitate quick conversations between staff members, but when it comes to sharing patient data, does this ease of use translate into HIPAA compliance?

With the exception of third-party apps and some Apple Watch functionality, Apple has been decidedly quiet on the issue of HIPAA. There are a number of HIPAA compliant messaging and data storage apps that have long been popular with iPhone and Mac users in the health care field, but Apple’s iMessage messaging service remains insecure for this purpose and non-compliant.

HIPAA regulation demands that messaging services be fully secure in order to protect patient data. iMessage uses end-to-end encryption, meaning that only the intended sender and recipient can read each message in transit. However, Apple keeps a cached version of messages sent using iMessage, and that cached copy can be accessed either under a warrant or by an attacker who gains access to it.

Sending patient data over iMessage is a breach of HIPAA regulation. Doing so puts your practice at risk of a data breach and may expose you to the accompanying fines under the HITECH Act.

Apple, Business Associates, iMessage and HIPAA Compliance

HIPAA regulation requires health care providers to execute contracts with their business associates to keep health data secure. These contracts are known as business associate agreements (BAAs) and are mandated by the HIPAA Omnibus Rule.

A business associate is any organization hired by a health care provider that stores, transmits, or in any way handles protected health information (PHI) over the course of the services it has been paid to provide. PHI is any demographic information that can be used to identify a patient, including name, address, date of birth, or Social Security number, to name a few.

Because iMessage can be used to store and transmit health data, health care organizations are legally mandated to execute a BAA with Apple before using iMessage in their practices.

At this point, Apple has yet to sign HIPAA business associate agreements with health care providers or other HIPAA-beholden entities that use iMessage. The number one takeaway for behavioral health specialists should be that PHI cannot legally be transmitted via iMessage.