Skip to main content
U.S. flag

An official website of the United States government

Return to Search

FAQ 2081 Do the HIPAA Rules allow health care providers to use mobile devices to access ePHI in a cloud?

This is HIPAA FAQ whether health care providers use of mobile devices to access stored cloud ePHI.


Issued by: Office for Civil Rights (OCR)

Do the HIPAA Rules allow health care providers to use mobile devices to access ePHI in a cloud?


Yes.  Health care providers, other covered entities, and business associates may use mobile devices to access electronic protected health information (ePHI) in a cloud as long as appropriate physical, administrative, and technical safeguards are in place to protect the confidentiality, integrity, and availability of the ePHI on the mobile device and in the cloud, and appropriate BAAs are in place with any third party service providers for the device and/or the cloud that will have access to the e-PHI.   The HIPAA Rules do not endorse or require specific types of technology, but rather establish the standards for how covered entities and business associates may use or disclose ePHI through certain technology while protecting the security of the ePHI by requiring analysis of the risks to the ePHI posed by such technology and implementation of reasonable and appropriate administrative, technical, and physical safeguards to address such risks.  OCR and ONC have issued guidance on the use of mobile devices and tips for securing ePHI on mobile devices.[1]

HHS is committed to making its websites and documents accessible to the widest possible audience, including individuals with disabilities. We are in the process of retroactively making some documents accessible. If you need assistance accessing an accessible version of this document, please reach out to the

DISCLAIMER: The contents of this database lack the force and effect of law, except as authorized by law (including Medicare Advantage Rate Announcements and Advance Notices) or as specifically incorporated into a contract. The Department may not cite, use, or rely on any guidance that is not posted on the guidance repository, except to establish historical facts.