
Is iMessage HIPAA Compliant?

iMessage is not HIPAA compliant and should not be used to communicate Protected Health Information (PHI). iMessages are backed up to iCloud by default, and the iCloud Terms of Service prohibit the creation, receipt, storage, or transmission of PHI through the service. This means it is not possible to accommodate “reasonable requests” from patients to receive communications containing PHI via iMessage.

iMessage is a popular messaging service available to users of Apple devices. All messages sent through the service are protected by end-to-end encryption, which in theory would make iMessage HIPAA compliant. However, there are several reasons why iMessage should not be used to send or receive Protected Health Information, beyond the fact that doing so would violate the iCloud Terms of Service.

The Privacy of iMessages

Although iMessages are end-to-end encrypted, this does not guarantee that messages sent and received by Apple users will remain private. The default setting for Apple accounts is that iMessages are backed up to iCloud so they can be retrieved and reviewed by users. During the backup process, the encryption key used to encrypt the messages is also backed up and stored on Apple’s servers.

This means that, unless iCloud Backup is disabled or the user enables Advanced Data Protection, Apple can access the content of iMessages stored in iCloud, including any PHI contained in them. If Apple’s servers were ever compromised, the attacker would also have access to the decryption key, enabling them to decrypt the content of iMessages stored in iCloud.


A further compliance issue is Apple’s Push Notification service. While useful for alerting users when new messages are received, push notifications can display message content on the lock screen, disclosing PHI to anyone who can see a device that has been left unattended. Although the service can be deactivated, this could mean important messages are missed or that users waste time constantly checking their devices for new messages.

iCloud Terms of Service

Apple does not have any control over how devices are configured, so it does not take any responsibility for the privacy and security of PHI, however it is created, received, stored, or transmitted by Apple devices. Apple will not enter into Business Associate Agreements with covered entities and business associates, and specifically states in its terms of service:

“If you are a covered entity, business associate or representative of a covered entity or business associate (as those terms are defined at 45 C.F.R § 160.103), You agree that you will not use any component, function or other facility of iCloud to create, receive, maintain or transmit any “protected health information” (as such term is defined at 45 C.F.R § 160.103) or use iCloud in any manner that would make Apple (or any Apple Subsidiary) your or any third party’s business associate.”

This clause means that, if a patient requests confidential communications via iMessage (as permitted by §164.522(b) of the Privacy Rule), healthcare providers cannot accommodate the request, because doing so would violate Apple’s terms of service. However, healthcare providers can send communications containing PHI via a different HIPAA compliant service and use iMessage only to notify the patient that a communication is waiting for them.

Is iMessage HIPAA Compliant? Conclusion

Although it is possible to make the use of iMessage HIPAA compliant by disabling iCloud Backup and deactivating push notifications, the fact that Apple will not take responsibility for the privacy and security of PHI, and will not enter into a Business Associate Agreement with covered entities and business associates, means that iMessage cannot be used to communicate PHI.

Healthcare organizations should alert members of the workforce to the compliance issues associated with Apple devices during HIPAA training and implement a HIPAA compliant alternative to iMessage. Organizations requiring assistance with evaluating and implementing a HIPAA compliant alternative to iMessage are advised to seek independent compliance advice.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
