Why Cloud Storage May Be Jeopardizing Your HIPAA Compliance

Apple iCloud is a HIPAA Don't

If you are using iOS on your mobile devices or macOS on your desktop, and you have iCloud syncing turned on, you may be in breach of HIPAA. Apple will not sign a BAA (Business Associate Agreement) with you; therefore, iCloud is not suitable for use with PHI (Protected Health Information).

You may have noticed that Apple tends to default to having you use iCloud to sync your texts, your contacts, and your calendar events between devices, and this is a super-convenient feature if you are juggling an iPhone, an iPad, and a desktop computer.

The issue is not that you can't have PHI in your contacts--it's the part where iCloud syncs them over servers that are not covered by a BAA that exposes PHI. So store your clients' names and addresses in your contacts, but turn iCloud syncing off. Every device should have its own local contacts file, even though that means you will have to enter contact information manually on each of your devices.

If your clients have signed an informed consent related to text/email (like the one in my Toolkit), and they have initiated contact with you by text, you might think you can now use iMessage and sync it across the cloud, since your client has signed something to say "I know this is not guaranteed to be secure." You will absolutely want to consult with your own attorney before implementing this, and I recommend reading this article on managing the risks associated with texting clients. Having a secure messaging system separate from iMessage, in addition to informed consent covering text/email, is the recommended way to manage client communications. I personally use Spruce, and if you mention me, we'll both get a free month.

iCal is almost impossible to make secure, because the whole point of using an online calendar is so you can sync it between devices. It makes no practical sense to maintain separate calendars. While you could manually enter information on separate unlinked calendars, I strongly recommend against this practice. It is not really a huge deal if you forget to enter a client's information into all of your separate address books, but if you fail to enter an appointment into all of your calendars you could end up double booking yourself--or worse, fail to show up at a scheduled appointment. I recommend using a calendar system whose provider will sign a BAA, like G Suite's Calendar.


About the Author

Annie Frisbie, MA, IBCLC is the creator of the IBCLC Private Practice Essential Toolkit, a collection of books, resources, legal forms, training manuals, and workbooks aimed at helping private practice lactation consultants build a private practice that’s ethical, profitable, sustainable, and enjoyable.