Is Apple iMessage HIPAA Compliant?

Think twice before texting your patients and staff.

iMessage is a go-to technology for Apple users in the medical field because it integrates so easily into pre-existing office infrastructure. Using iMessage for office communication can facilitate quick conversations among office staff -- but when it comes to sending and receiving patient data, the question of whether iMessage is HIPAA compliant must be taken into account.

Some third-party apps and Apple Watch health monitoring functions are built to be HIPAA compliant. However, Apple has yet to address HIPAA compliance on its own iMessage platform. Third-party HIPAA compliant messaging and data storage apps have become increasingly popular with iPhone and Mac users in the healthcare field, but Apple's iMessage messaging service remains insecure and non-compliant.

HIPAA privacy and security regulation mandates that data transmission of protected health information must be fully secure. Protected health information (PHI) is any demographic information that can be used to identify a patient, including name, address, date of birth, social security number, or full facial photographs, among others.

iMessage uses end-to-end encryption, which means that only the sender and intended recipient can view the contents of each message. But what makes iMessage different from other HIPAA compliant messaging services is that it keeps a cached version of each iMessage sent on its servers. These cached messages can be accessed either by warrant or by a potential hacker in the event of a data breach.

Although critics in the healthcare IT industry have spoken out against Apple's practice in this regard, the company has yet to announce a change to this policy. Sending PHI over iMessage remains a breach of HIPAA regulation -- putting your practice at risk of a data breach and accompanying HIPAA fine.

HIPAA regulation requires healthcare providers to execute contracts with their healthcare vendors before sharing PHI. These contracts are known as business associate agreements (BAAs) and are mandated by the HIPAA Omnibus Rule, which was first enacted in 2013. A business associate is an organization that has been hired by a healthcare provider to store, transmit, or in any way handle PHI over the course of the work it has been hired to do.

In medical settings where iMessage can be used to store and transmit PHI, healthcare practices are therefore legally mandated to execute a BAA with Apple before using iMessage to transmit sensitive patient data.

As of WWDC 2017, Apple still hasn't made any new announcements on iMessage being HIPAA compliant. Apple still does not execute HIPAA business associate agreements with healthcare providers and HIPAA-beholden entities using iMessage. Without a BAA, PHI cannot be legally transmitted via iMessage.

This article was originally published in iMedical Apps on June 21, 2017
Author: Frank Sivilli