Is the iPhone HIPAA compliant?

Discussion in 'iPhone' started by HollandX, Jul 10, 2009.

  1. HollandX macrumors newbie

    Aug 17, 2003
    I've been tasked with buying Blackberries for my team since they are HIPAA compliant. I'm trying to get my group to choose the iPhone instead, but I can't find any whitepapers or information on the Internet that state the iPhone is HIPAA compliant.

    Any ideas?

    Thank you!
  2. vinay427 macrumors 6502a


    Sep 18, 2008
    Wirelessly posted (Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_0 like Mac OS X; en-us) AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Mobile/7A341 Safari/528.16)

    I have no clue what HIPAA is but if the iPhone isn't then I recommend the BB Curve 8900 or the Bold if 3G is necessary. If you're on AT&T, that is.
  3. samcraig macrumors P6

    Jun 22, 2009
    I know what HIPAA compliance is and I think that's a question for Apple tech/corporate specifically.
  4. -aggie- macrumors P6


    Jun 19, 2009
    Where bunnies are welcome.
    Should I google that for you? :)

    Anyway, I would think the iPhone would be HIPAA compliant, since they were demonstrating some Medical apps at the WWDC, but I'm not sure. I would just try googling iPhone and HIPAA and maybe you'll find something. You could also search the Apple site.
  5. nikhsub1 macrumors 68020


    Jun 19, 2007
    mmmm... jessica.'s beer...
    The iPhone has all the needed security to be HIPAA compliant. HIPAA compliance is more of a set of rules and procedures and not a hardware based issue.
  6. Kadman macrumors 65816


    Sep 22, 2007
    The biggest question would be around local device encryption, enforcement of passwords with auto-lock, and possibly (depending on the institution) ability to remotely destroy data. We work in a HIPAA/CFR Part 11 validated environment and we have our BES (Blackberry Enterprise Server) enforce local encryption, lock on holster or 10 minutes of inactivity, and destruction of data on the device after 10 consecutive incorrect passwords. This configuration has passed many external audits (including government medical audits) so I would assume they would be key elements to an iPhone passing such scrutiny. That said, I have no idea if the data at rest on the iPhone is encrypted or not. :confused:
  7. diabolic macrumors 68000

    Jun 13, 2007
    Austin, Texas
    A quick google search showed me what look like HIPAA compliant apps available on the iPhone right now, so I'd guess the answer is yes.
  8. pdjudd macrumors 601

    Jun 19, 2007
    Plymouth, MN

    You might want to look at this page for some information on that kind of stuff. A lot of the rest of those items can be sent via the deployment agent.
  9. vansouza macrumors 68000


    Mar 28, 2006
    West Plains, MO USA Earth
    With all the Doctors using the iPhone to track patient vitals and using apps to diagnose and prescribe, of course it is HIPAA compliant... I think.
  10. samcraig macrumors P6

    Jun 22, 2009
    "of course it is HIPAA compliant... I think. "

    LOL.. funny
  11. vansouza macrumors 68000


    Mar 28, 2006
    West Plains, MO USA Earth
    Thank you, I try.
  12. EatMyApple macrumors 6502

    Dec 2, 2008
    The iPhone was approved for me to use in my MD/PhD program and we had to list what phone we used in our ID card/badge/key paperwork. So I would assume it passed my HIPAA compliance.
  13. HollandX thread starter macrumors newbie

    Aug 17, 2003
    I know that you can make a specific iPhone App HIPAA compliant, but I don't know if the whole phone itself is.

    For HIPAA compliancy, I know that we can...
    - access our e-mail securely over Exchange
    - password protect the phone
    - enable remote wipe
    - use only HIPAA compliant Apps when using medical Apps

    Is there a "what else am I missing" that I don't know about, and is that stuff enough to deem the phone HIPAA compliant?

    Thank you everyone so far for your responses.
  14. vinay427 macrumors 6502a


    Sep 18, 2008
    No, thanks but actually I'm one of the exclusive few who can go to and type a search term. By the way, I just did. :cool:
  15. emt1 macrumors 65816

    Jan 30, 2008
    If you also use the encrypted backup on iTunes, then yes, it is HIPAA compliant.

    EDIT: forgot to mention, data transmission on an unsecured wifi network is a violation
  16. The General macrumors 601

    Jul 7, 2006
    3G S has hardware encryption for the entire filesystem.
  17. ZipZap macrumors 603

    Dec 14, 2007
    What medical product is this... eClinicalWorks (the only one with an iPhone interface I am aware of)?

    This is about what gets left behind on the phone as much as its about 2 factor authentication, encryption, policies and procedures.

    You must be 100 percent sure that no unauthorized person can pick up your phone and gain access to patient records. They should not be able to see the data either by looking over your shoulder. Further, you must be 100% sure that the application leaves no patient data of any kind on the phone unless that data is encrypted so that it can only be accessed by the doctor.

    If you can say yes, then you are HIPAA compliant.
  18. HollandX thread starter macrumors newbie

    Aug 17, 2003
    Hey ZipZap--

    It's not for a specific product, but a medical company in general.

    i.e., we will have e-mails, files saved on the phone, etc.

    So I was wondering about the whole phone itself...

  19. Roller macrumors 68020

    Jun 25, 2003
    Devices aren't HIPAA-compliant per se. However, covered entities (such as hospitals and health plans) must have policies and procedures in place that safeguard against unauthorized release of Protected Health Information. Many facilities require that PHI stored on portable devices be encrypted and that access to the data be password-protected, both of which can be done at the application level. A method to remotely erase the device is often required, as well. PHI must also be encrypted while in transit to or from the device. The iPhone is capable of satisfying all these requirements.
  20. dseig001 macrumors member

    Apr 28, 2009
    +1 UCLA MS3 here using the iPhone everyday
  21. The Californian macrumors 68040
    Jan 17, 2009
    Surfers Paradise
    Medical facilities and organizations are leaning towards communication devices that can be LOCKED into a "HIPAA SAFE" mode so as to prevent someone from accidentally engaging in a HIPAA violation. You can make any device HIPAA SAFE by monitoring your transmissions; it all depends on how much the company trusts its employees. I'm at Loma Linda University Medical Center and most of the physicians and clinicians use iPhones; we also have data encrypted pagers to ensure highly sensitive information stays secure.

    Your company must not trust you guys that much, haha
  22. HollandX thread starter macrumors newbie

    Aug 17, 2003
    Hey everyone-- I've spent the last few days doing some intensive research on this subject. It was all new to me, so I'm glad I spent the time to learn about it. Your comments were all so very helpful. I just needed to verify some stuff on my own.

    Here is what I came up with.

    Devices themselves cannot be "HIPAA compliant." HIPAA compliancy is set by internal IT guidelines and procedures. Some are pre-defined in practice, some are pre-defined in theory, and some you can decide on your own. However, the device must allow you to implement these guidelines, or it will not allow you to reach HIPAA compliancy. This is all to prevent patient data from falling into the hands of unauthorized users.

    The iPhone can:
    - securely access e-mail
    - be protected by a password
    - be remotely wiped (even by the user from Outlook Web Access, or through Exchange server controls. In fact, the iPhone will instantly brick unlike the Blackberry)
    - run HIPAA-compliant Apps
    - be backed up with encryption through iTunes

    AND the iPhone 3GS is the first iPhone that offers an encrypted backup of the whole hard drive.

    Thus, the iPhone 3GS offers everything to allow us to maintain HIPAA compliancy.

    I have convinced my CEO to allow the iPhone as our mobile device as long as we choose the iPhone 3GS (or any other later model in the future I presume).

    This is the document that was tremendous to me in my research and the most helpful thing I saw (other than your comments): There is so much more information in it than what I posted. I highly recommend anyone interested in this topic read it.

    Thank you all again for your time and your postings. This was a wonderful learning experience for me. I hope this thread serves to benefit others as well.

  23. Saroku macrumors newbie

    Oct 28, 2010
    iPhone: Encryption Farce!

    I just came across this... I hope you don't believe the same as you did back in 2009.

    If you can recover raw data from a device in clear text, it should not be used in your environment.

    Case in point:

  24. nefan65 macrumors 65816


    Apr 15, 2009
    I was in IT Healthcare for over 12 years. Recently changed. Anywho, anyone who states that a device is/is not HIPAA compliant is crazy. There's no such thing. It's all policy, and processes. If you allow clinical staff to send/receive PI Information via email, and it's not encrypted at the server level, then that's an issue with policy allowing it. If you allow laptops to hold PI Information, and the drive isn't encrypted, then it's policy that needs to be addressed. I'd first check all IT policies to see what they state. That includes email, files, etc. All of our policies clearly stated that NO PI information could reside on any PC, Laptop, or mobile device, including thumb drives, etc. ONLY the clinical system could be utilized for PI Information, such as notes, diagnosis, etc. Any remote access to those systems had to be done via a secure VPN connection, and nothing else.

    If you're accessing clinical applications via the phone, and the data does not reside on the phone, then you're fine. Also, if you use Exchange 2007 or newer, you have the ability to remote wipe if needed. However, if you're not storing PI Info on the device, you're fine.

    Someone in your org should be the HIPAA Guru. I'd find them, and sit and discuss this specifically with the guidelines, as well as your internal policies on data use/storage, etc...
  25. THENIZZZEIL macrumors member

    Dec 22, 2009
    Cerritos, Ca
    We use it without any issue at our facility. It helps for on-the-fly searching, and if you just follow basic rules by putting pt initials rather than John Smith when transporting text messages I think it's okay. We haven't had any issues or complaints so far. I know a few Drs use the BB or a few Droids, but that's probably preference vs anything else.