One of our physicians requested the use of a website that requires a patient to create an account; the physician can then add medical information about that individual, so the individual can filter an e-commerce platform to make purchases that are consistent with their medical conditions. As we would be offering the service to patients and uploading the PHI, this would fall under a business associate relationship.
The website does provide a bona fide solution to a medical problem and many patients have requested such a solution. If a patient specifically requested that website without us offering it, according to the HHS guidance below, it sounds like that would be approved despite the risk. However, since we would be offering it, it sounds like we would be responsible for the HIPAA security and could not allow it. https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access-right-health-apps-apis/index.html
My question is: does HIPAA consider all cookies to be identifiable, such that if they contain medical information they would be ePHI and protected by the HIPAA Security Rule?