
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Is iCloud HIPAA Compliant?

iCloud is not HIPAA compliant and cannot be used to store, sync, or share media containing Protected Health Information (PHI) because, in its Terms of Service, Apple prohibits any use of iCloud services that would make it a business associate of a covered entity. However, covered entities can still use iCloud for purposes other than storing, syncing, or sharing media containing PHI.

Cloud storage services are a convenient way of sharing and storing data. Since files uploaded to the cloud can be accessed from multiple devices in any location with an Internet connection, information is always at hand when it is needed.

There are many cloud storage services to choose from, many of which are suitable for use by healthcare providers for storing and sharing ePHI. They include robust access and authentication controls, and data uploaded to and stored in the cloud is encrypted. Logs are also maintained, so it is possible to tell who accessed data, when access occurred, and what users did with the data once access was granted.

iCloud is a cloud storage service that owners of Apple devices can easily access through their iPhones, iPads, and Macs. iCloud has robust authentication and access controls, and data is encrypted in storage and during transfer. The level of encryption used by Apple certainly meets the minimum standard demanded by HIPAA. iCloud certainly appears to tick all the right boxes in terms of security, but is iCloud HIPAA compliant?


Will Apple Sign a Business Associate Agreement with HIPAA Covered Entities?

Cloud storage services are not covered by the HIPAA Conduit Exception Rule and are therefore classed as business associates. As a business associate, the service provider is required to enter into a contract with a HIPAA covered entity – in the form of a business associate agreement – before its service can be used in connection with any ePHI.

It is the responsibility of the covered entity to ensure a BAA is obtained prior to the use of any cloud service for sharing, storing, or transmitting ePHI.

That business associate agreement must explain the responsibilities the service provider has with respect to any ePHI uploaded to its cloud storage platform. The BAA should also explain the uses and disclosures of PHI, and the need to alert the covered entity of any breaches that expose data.

If a BAA is not obtained from Apple, its iCloud service cannot be used with any ePHI. So, will Apple sign a BAA with HIPAA covered entities?

Apple could not have made it any clearer in its iCloud terms and conditions that the use of iCloud by HIPAA-covered entities or their business associates for storing or sharing ePHI is not permitted, and that doing so would be a violation of HIPAA Rules.

“If you are a covered entity, business associate or representative of a covered entity or business associate (as those terms are defined at 45 C.F.R § 160.103), You agree that you will not use any component, function or other facility of iCloud to create, receive, maintain or transmit any “protected health information” (as such term is defined at 45 C.F.R § 160.103) or use iCloud in any manner that would make Apple (or any Apple Subsidiary) Your or any third party’s business associate.”

Is iCloud HIPAA Compliant?

It doesn’t matter what security controls are in place to ensure ePHI cannot be accessed by unauthorized individuals. If a communications channel is not covered by the conduit exception rule and the service provider will not enter into a contract with a HIPAA covered entity in the form of a business associate agreement, the service cannot be used with any ePHI. It is important that all members of the workforce are alerted to these requirements during HIPAA security training. So, is iCloud HIPAA compliant? Until such point that Apple agrees to sign a BAA, iCloud is not a HIPAA compliant cloud service and should not be used by healthcare organizations for sharing, storing, or transmitting ePHI.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
