If a health care provider who is a covered entity were to create a general fitness/wellness app and silo off any collected data from their covered operations, could it be a valid hybrid entity? For instance, if a hospital creates a free meditation app but does not prescribe it as treatment, nor convey any data the app ingests back to medical professionals or EMRs, must the app still be HIPAA compliant? What are the criteria to consider in making this determination?
Consumer fitness and wellness apps avoid HIPAA by denying that they provide health care and by virtue of not participating in standard transactions. HIPAA acknowledges the existence of treatment providers who aren't bound by HIPAA on the basis that they do not conduct standard transactions (e.g., some manufacturer sales reps). Can the lack of standard transactions absolve such a product of HIPAA liability, or is it impossible to designate the app as distinct from the entity's health care component?
Given HIPAA's expansive definition of "health care," it's certainly not difficult to construe the app as such, but the same could be said of wellness coaches claiming that they don't practice medicine or offer medical advice. So, is the distinction entirely down to the question of HIPAA-contagion via standard transactions?
Presumably, incorporating a legally distinct subsidiary would simplify the determination?