Is Apple’s iMessage HIPAA Compliant on the iPhone?



iMessage is the instant messaging (IM) service built into all of Apple's devices. It lets you send text, pictures, video, audio, and location quickly and easily to anyone else using iMessage on an iPhone, iPad, Mac, or Apple Watch, and it is what opens when you ask an iPhone to send a message and it prompts you for a recipient.

The question of whether or not Apple’s iMessage is HIPAA compliant comes up often in the medical field, especially because it 1) meets an immediate need for easy health care communication and 2) easily integrates into so many health care office cultures. Using iMessage for internal communication between iPhones can facilitate quick conversations between staff members, but when it comes to sharing patient data does this ease of use translate into HIPAA compliance?

With the exception of third-party apps and some Apple Watch functionality, Apple has been decidedly quiet on the issue of HIPAA. A number of HIPAA-compliant messaging and data storage apps have long been popular with iPhone and Mac users in the health care field, but Apple's own iMessage service is not covered by any such arrangement and has to be treated as non-compliant.

HIPAA's Security Rule requires that any service used to transmit or store electronic PHI safeguard it both in transit and at rest. iMessage does use end-to-end encryption in transit, so only the sending and receiving devices can decrypt a message on the wire. The gap is at rest: message history is synced and backed up to iCloud, and unless the Apple account has opted into Apple's Advanced Data Protection, Apple holds a key that can decrypt that backup. Message content can therefore be produced in response to a warrant or exposed if the Apple ID is compromised (for example through phished credentials), and neither scenario is under the practice's control. Even with a locked-down sender account, the same copy of every message lives on the recipient's device and in the recipient's iCloud account, where the practice has no say over its protection.

Sending patient data over iMessage is therefore a violation of HIPAA. Doing so exposes your practice to a reportable data breach and to the civil penalties that the HITECH Act added to HIPAA enforcement.

Apple, Business Associates, iMessage and HIPAA Compliance

HIPAA requires health care providers to execute contracts with their business associates obligating them to keep health data secure. These contracts are known as business associate agreements (BAAs); the HIPAA Privacy Rule has long required them, and the 2013 Omnibus Rule extended HIPAA liability directly to business associates themselves.

A business associate is any organization that stores, transmits, or otherwise handles protected health information (PHI) on behalf of a health care provider in the course of services it is paid to provide. PHI is individually identifiable health information: a patient's health data combined with identifiers such as name, address, date of birth, or social security number, to name a few.

Because iMessage stores and transmits message content through Apple's servers and iCloud rather than merely passing it through, Apple does not fit HIPAA's narrow "conduit" exception for pure transmission services, and health care organizations are legally required to execute a Business Associate Agreement (BAA) with Apple before using iMessage for PHI in their practices.

As of this writing, Apple has not signed HIPAA business associate agreements covering iMessage with health care providers or other HIPAA-covered entities. The number one takeaway for behavioral health specialists is that PHI cannot be legally transmitted via iMessage.



Kit Kaplan
4 years ago

I have auditory processing disorder and have difficulty understanding words and don't process numbers at all, including dyscalculia and dysgraphia. I also have auditory processing problems, so I don't process numbers at all and I don't process things I hear very well, and need to do things in writing. Do you know any HIPAA compliant methods of communicating through text or email?

Marlene Maheu, Ph.D.
Reply to Kit Kaplan
4 years ago

Hello Kit,
Thank you for your inquiry. See the TBHI Buyer's Guide for HIPAA-compliant text messaging and email platforms. Let us know if you find one that is particularly helpful to you.
