Regular User of Apple’s iMessage? Your Data May Not Be HIPAA Compliant

Apple is popular in health care settings because users are familiar with the iMessage technology developed by Apple since it’s a previously adopted mode of interaction between iOS users. iMessage’s use in the medical field has gained much popularity on account of its straightforward integration with already designed office structures. The app allows rapid conversations between office personnel but when you are handling critical patient data, the question of iMessage’s compliance with HIPAA remains to be a critical one.

A large number of Apple Watch functions built for healthcare purposes are HIPAA compliant. The same could be stated for some other third-party apps. For this reason, many third party HIPAA compliant messaging and info storage apps are becoming highly prevalent in the medical field.  Apple’s iMessage app’s compliance with HIPAA is yet to be clarified and formally addressed by Apple. At the moment of writing, iMessage texting service is still considered to be not compliant and intractable.

According to HIPPA privacy and security rules and regulations, it is compulsory for any data communication and flow of protected health information to be completely safe and invulnerable. Any form of statistic information that may be used to bear a distinction between patients including patient’s name, social security number, address to account for a few are an integral part of Protected Health Information (PHI).

Although an end-to-end encryption and decryption mechanism is intact at both senders and receivers end in the iMessage app, it still doesn’t ensure complete integrity of the data. The reason is iMessage always maintains a cached or stored version of individual iMessages sent and received on Apple’s servers. In case of a potential data breach, legal and illegal both, the data may be vulnerable to the hacker or other parties which is a matter of critical concern for users.

Despite receiving multiple critical responses from the medical IT industry, Apple is yet to conclude on a decision regarding its iMessage policy. PHI data transmission over iMessage persists to be a violation of HIPAA regulation and it continues to be an immense risk as well as a potential large HIPAA penalty and fine.

What Healthcare Providers Should Know

Health care practices are legitimately authorized to execute a BAA (Business Associates Agreement) with a provider like Apple before making use of services like iMessage to convey delicate patient data. Lacking a BAA, PHI cannot be legally transmitted via iMessage.

Apple seems to lack interest in the matter and hasn’t been able to reach any conclusion. There weren’t any announcements regarding the compliancy of iMessage with HIPAA even at the WWDC 2017. At the moment of writing, Apple still does not provide HIPAA BAAs to health care providers that are using iMessage, therefore none are HIPAA compliant.



You may also like