ReadWriteBody is an ongoing series where ReadWrite covers networked fitness and the quantified self.

If we can’t trust Apple with our photos, can we trust it with our medical data?

See also: How Apple Made Its Users Vulnerable To iCloud Theft

Apple has kept details about HealthKit, its framework for collecting personal health details like weight, heart rate, blood sugar, and other vital signs, close to the vest. Even fitness- and health-app developers whom Apple representatives have briefed are fuzzy on how it will work, ReadWrite has learned.

One thing has become clear recently: Apple doesn’t want developers to store HealthKit data on iCloud. The App Store will reject apps that try to do so.

Huh? That’s a huge headscratcher, given how Apple has pushed developers to use iCloud as a backup and cloud-storage service for other apps.

When you think about it, though, Apple’s prohibition makes sense: There are a ton of regulations around private medical information, chiefly those embodied in the Health Insurance Portability and Accountability Act, or HIPAA. Apple has not obtained clearance under HIPAA for iCloud.

Here’s the catch for Apple and developers: If HealthKit doesn’t store data in iCloud, where will it put it? Sample code from Apple’s Fit application, a demonstration of HealthKit, suggests that apps using HealthKit will write to a local database called HKHealthStore. That means the data’s on your phone, much like your contacts database

See also: Sorry, Apple’s HealthKit Isn’t Going To Give You Six-Pack Abs

Apple is placing some restrictions around this data. For example, HKHealthStore isn’t available on iPads—so you can’t move your personal health data from your phone to your tablet. And from other rules it’s put in place, HealthKit apps can only use it for health or fitness purposes. 

It appears that medical-app developers, like the electronic medical-records software makers and hospital groups Apple has partnered with, will be able to take HealthKit-gathered data and move it into their own databases—provided they can prove they have the needed regulatory approvals from the Food and Drug Administration, which oversees medical devices.

The iCloud Hole

What about backups, though? Presumably, when you lose your phone, you’ll want your health data to be restored. And that data is on iCloud—as celebrities whose phone accounts got hacked learned to their dismay.

Either Apple will back up HKHealthStore data points to iCloud along with the rest of your personal data—thereby violating its own prohibition against doing so—or you’ll lose your data if your phone gets lost, stolen, or wiped. (An Apple representative did not respond to a request for clarification on this point.)

See also: Ahead Of The iWatch, Apple Has Given HealthKit A Workout

Before we can trust Apple with our medical data, it will need to come up with much better answers than the ones it has provided on the celebrity photo-hacking incidents, which it attributed to “targeted attacks” on the individuals’ usernames and passwords.

Banks and hospitals manage to secure important personal data using usernames and passwords. They’re just vigilant about attempts to access that information, and swift to shut down suspicious login attempts in a way Apple wasn’t with iCloud backups.

Apple’s approach suggests that the company is more comfortable with securing data on its devices than it is data in the cloud. That makes sense for a hardware manufacturer, but its approach is seriously outdated.

Here’s what Apple should do: Put some of its prodigious cash to work upgrading iCloud security—and gaining HIPAA certification while it’s at it. At this point, Apple desperately needs some official stamp of approval for the security of its cloud storage. Crippling HealthKit while leaving back doors open for hackers is not the answer.

Lead image via “Strength” on Apple’s YouTube channel