iCloud is not HIPAA compliant. Apple explicitly prohibits the use of iCloud to store, sync, or share protected health information (PHI), and the company does not sign a Business Associate Agreement (BAA) for iCloud services. Without a BAA, no cloud service can legally be used for PHI under HIPAA, regardless of how strong its encryption is.
What Apple’s Terms Actually Say
Apple’s iCloud terms and conditions contain an unusually direct statement on this point. The relevant language reads: “If you are a covered entity, business associate or representative of a covered entity or business associate, You agree that you will not use any component, function or other facility of iCloud to create, receive, maintain or transmit any ‘protected health information’ or use iCloud in any manner that would make Apple (or any Apple Subsidiary) Your or any third party’s business associate.”
This covers everything: iCloud Drive, iCloud Mail, Notes, Photos, backups, and any other iCloud feature. It doesn’t matter whether you’re a hospital, a private practice, a therapist, or a billing company. If you handle PHI, you cannot put it in iCloud.
Why Encryption Alone Isn’t Enough
Apple does offer strong encryption for iCloud data. With Advanced Data Protection enabled, iCloud provides end-to-end encryption for Photos, Notes, backups, and more. When this is turned on, not even Apple can access your encrypted data, and your protected files can only be decrypted on your trusted devices.
That sounds like it should satisfy HIPAA’s technical requirements, and in a narrow sense, it does check some boxes. But HIPAA compliance isn’t just about encryption. It requires a signed BAA between the covered entity and any service provider that handles PHI. The BAA spells out each party’s responsibilities for protecting patient data, reporting breaches, and limiting how the data is used. Without one, using a service for PHI is a HIPAA violation, full stop. Apple refuses to sign a BAA for iCloud, so the encryption is irrelevant to the compliance question.
The Exception: Apple Health Records
There is one narrow area where Apple does align with HIPAA standards. The Health app on your iPhone can download medical records directly from participating healthcare organizations. That data travels over an encrypted connection straight from the provider to your device, without passing through Apple’s network.
Once on your phone, health records are encrypted in the device’s health database. If you use two-factor authentication, any health data synced to iCloud is protected with end-to-end encryption, meaning only you can access it on your signed-in devices. Apple states that data shared through the health records feature with healthcare organizations “will be stored in a secure system in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy and security standards.”
This is a consumer-facing feature, though. It lets patients view their own records. It is not a tool for healthcare organizations to store or manage PHI in the cloud. The distinction matters: Apple built HIPAA-compliant infrastructure for this specific feature while keeping iCloud itself entirely off-limits for PHI.
Cloud Alternatives That Support HIPAA
If you need cloud storage or collaboration tools that can legally hold PHI, several major platforms will sign a BAA and provide the administrative controls HIPAA requires:
- Microsoft 365 (OneDrive, SharePoint) with a signed BAA and proper configuration
- Google Workspace (Drive, Gmail) under a BAA with admin controls and audit logging
- Box with its HIPAA-specific offering and extended audit controls
- Dropbox Business or Enterprise with a HIPAA addendum and strict access controls
- AWS, Azure, or Google Cloud storage configured under a BAA with logging, encryption, and data lifecycle policies
Signing a BAA is just the starting point. Each of these platforms requires specific configuration to meet HIPAA’s technical safeguards. Default settings are rarely sufficient. You’ll typically need to enable audit logging, restrict sharing permissions, enforce two-factor authentication, and manage data retention policies.
What This Means for Apple Device Users
You can absolutely use iPhones, iPads, and Macs in a healthcare setting. Apple devices themselves aren’t the problem. The issue is specifically with iCloud as a storage and syncing service. If your staff uses Apple devices, you need to ensure that PHI isn’t being backed up to iCloud, synced through iCloud Drive, or stored in iCloud-connected apps like Notes or Photos.
Organizations that deploy Apple hardware in clinical environments typically use mobile device management (MDM) tools and Managed Apple IDs to control which services are available on each device. This lets IT teams disable iCloud syncing for specific apps or accounts while still taking advantage of Apple’s hardware and on-device security features. The local encryption on Apple devices, including passcode protection, Face ID, and Touch ID, keeps health data in the Health app encrypted and inaccessible when the device is locked.
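One way to make the MDM approach above auditable rather than a matter of trust: parse the Restrictions configuration profile you intend to push and list every iCloud service it still leaves enabled. The script below is an added example, not code from the article or from Apple. It assumes the key names of Apple's Restrictions payload (PayloadType com.apple.applicationaccess, keys such as allowCloudBackup and allowCloudDocumentSync), treats restrictions from multiple payloads as cumulative, and uses a constructed sample profile that blocks backup and iCloud Drive but forgets Photos and Notes and never mentions Keychain, Mail, Calendar, Reminders, Contacts or Safari bookmarks. The caveat it encodes is the one that bites in practice: an allow* key that is simply absent from the profile restricts nothing, so the device keeps syncing that service.

```python
"""Audit an Apple MDM Restrictions profile for iCloud services left enabled.

Added example, not Apple's code and not from the original article. Assumes
the allow* keys of Apple's Restrictions payload (com.apple.applicationaccess).
Which keys require a supervised device or a minimum OS version is not
modelled here; confirm that against Apple's configuration profile reference.
"""
import plistlib
import uuid

RESTRICTIONS_PAYLOAD_TYPE = "com.apple.applicationaccess"

# iCloud-related restriction keys and a short description of what each
# controls (descriptions are ours, key names are Apple's).
ICLOUD_RESTRICTION_KEYS = {
    "allowCloudBackup": "iCloud Backup",
    "allowCloudDocumentSync": "iCloud Drive document sync",
    "allowCloudPhotoLibrary": "iCloud Photos",
    "allowCloudNotes": "Notes sync",
    "allowCloudKeychainSync": "iCloud Keychain",
    "allowCloudMail": "iCloud Mail",
    "allowCloudCalendar": "iCloud Calendar",
    "allowCloudReminders": "iCloud Reminders",
    "allowCloudAddressBook": "iCloud Contacts",
    "allowCloudBookmarks": "Safari bookmark sync",
}


def restriction_payloads(profile):
    """Yield every Restrictions payload dict inside a parsed profile."""
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == RESTRICTIONS_PAYLOAD_TYPE:
            yield payload


def icloud_services_still_allowed(profile_bytes):
    """Return the iCloud services (descriptions) a profile does NOT block.

    A service counts as blocked only when some Restrictions payload sets its
    allow* key to False (restrictions are assumed cumulative). A key that is
    missing, or set to True, leaves the service enabled on the device.
    """
    profile = plistlib.loads(profile_bytes)
    blocked = set()
    for payload in restriction_payloads(profile):
        for key in ICLOUD_RESTRICTION_KEYS:
            if payload.get(key) is False:
                blocked.add(key)
    return sorted(desc for key, desc in ICLOUD_RESTRICTION_KEYS.items()
                  if key not in blocked)


def hardened_restrictions_profile(identifier="com.example.no-phi-in-icloud"):
    """Build a profile that sets every iCloud restriction key to False.

    The identifier is a placeholder; real deployments use their own
    reverse-DNS identifier and keep the UUIDs stable between revisions.
    """
    restrictions = {
        "PayloadType": RESTRICTIONS_PAYLOAD_TYPE,
        "PayloadIdentifier": identifier + ".restrictions",
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadVersion": 1,
        "PayloadDisplayName": "Block iCloud services",
    }
    restrictions.update({key: False for key in ICLOUD_RESTRICTION_KEYS})
    profile = {
        "PayloadType": "Configuration",
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadVersion": 1,
        "PayloadDisplayName": "HIPAA: no PHI in iCloud",
        "PayloadContent": [restrictions],
    }
    return plistlib.dumps(profile)


# Constructed sample: blocks backup and iCloud Drive, explicitly allows
# Photos and Notes, and omits the other iCloud keys entirely.
SAMPLE_WEAK_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.weak</string>
  <key>PayloadUUID</key><string>11111111-1111-1111-1111-111111111111</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.applicationaccess</string>
      <key>PayloadIdentifier</key><string>com.example.weak.restrictions</string>
      <key>PayloadUUID</key><string>22222222-2222-2222-2222-222222222222</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>allowCloudBackup</key><false/>
      <key>allowCloudDocumentSync</key><false/>
      <key>allowCloudPhotoLibrary</key><true/>
      <key>allowCloudNotes</key><true/>
    </dict>
  </array>
</dict>
</plist>
"""

if __name__ == "__main__":
    for name, data in (("weak sample", SAMPLE_WEAK_PROFILE),
                       ("hardened", hardened_restrictions_profile())):
        leftover = icloud_services_still_allowed(data)
        print(f"{name}: still allowed -> {leftover or 'nothing'}")
```

Run against the constructed weak profile, the audit reports eight services still allowed (everything except Backup and Drive), which is exactly the gap a staff member's Photos or Notes app would use to move PHI off the device; the generated hardened profile reports none. Managed Apple IDs and per-app MDM controls on top of this still matter, because a restriction profile only governs the services it names.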
The bottom line is straightforward: use Apple devices if they fit your workflow, but route all PHI through a cloud service that will sign a BAA. iCloud isn’t that service, and Apple has made clear it doesn’t intend to be.

