Is Apple’s iMessage HIPAA Compliant on the iPhone?
iMessage is a built-in instant messaging (IM) service offered by Apple for all its devices. It lets you send text, picture, video, sound, and location quickly and easily to anyone else using iMessage on iPhone, iPad, Mac, or Apple Watch. It is launched when anyone asks their iPhone to send a message, and it asks to whom the message should be sent.
The question of whether or not Apple’s iMessage is HIPAA compliant comes up often in the medical field, especially because it 1) meets an immediate need for easy health care communication and 2) easily integrates into so many health care office cultures. Using iMessage for internal communication between iPhones can facilitate quick conversations between staff members, but when it comes to sharing patient data, does this ease of use translate into HIPAA compliance?
With the exception of third-party apps and some Apple Watch functionality, Apple has been decidedly quiet on the issue of HIPAA. There are a number of HIPAA compliant messaging and data storage apps that have long been popular with iPhone and Mac users in the health care field, but Apple’s iMessage messaging service remains unsecure and non-compliant.
HIPAA regulation demands that messaging services must be fully secure in order to protect patient data. iMessage uses end-to-end encryption, meaning that only the intended sender and recipient can view each message. However, Apple keeps a cached version of messages sent using iMessage, which can be accessed either by warrant or by a potential hacker.
Sending patient data over iMessage is a breach of HIPAA regulation. Doing so will put your practice at risk of a data breach and may make you vulnerable to accompanying fines from the HITECH Act.
Apple, Business Associates, and HIPAA Compliance
HIPAA regulation requires health care providers to execute contracts with their business associates to keep health data secure. These contracts are known as business associate agreements (BAAs) and are mandated by the HIPAA Omnibus Rule.
A business associate is any organization, hired by a health care provider, that stores, transmits, or in any way handles protected health information (PHI) over the course of services they’ve been paid to provide. PHI is any demographic information that can be used to identify a patient, including name, address, date of birth, or social security number, to name a few.
Because iMessage can be used to store and transmit health data, health care organizations are legally mandated to execute a Business Associate Agreement (BAA) with Apple before using iMessage in their practices.
At this point, Apple has yet to sign HIPAA business associate agreements with health care providers and HIPAA-beholden entities using iMessage. The number one takeaway for behavioral health specialists should be that PHI cannot be legally transmitted via iMessage.
Compliancy Group gives behavioral health professionals confidence in their HIPAA compliance with The Guard™. The Guard is a web-based HIPAA compliance solution, built by former auditors to help simplify compliance.
Compliancy Group’s team of expert Compliance Coaches™ field questions and guide users through the implementation process, taking the stress out of managing compliance. The Guard is built to address the full extent of HIPAA regulation, including fully automated documentation of policies, procedures, employee training, and remediation plans. The Guard includes policies and procedures that are uniquely tailored to the needs of your organization so you’ll never have to worry about the headaches that come with generic policy binders again.
With The Guard, behavioral health professionals can focus on running their practice while keeping their patients’ data protected and secure.
For more information about what you can do to protect your behavioral health practice, see these upcoming HIPAA educational webinars.
Find out more about how Compliancy Group and the HIPAA Seal of Compliance can help simplify your HIPAA compliance today!
Disclaimer: The views and opinions expressed in the article and on this blog post are those of the authors. These do not necessarily reflect the views, opinions, and position of the Telebehavioral Health Institute (TBHI). Any content written by the authors is their opinion and is not intended to malign any organization, company or individuals.