Assume you have a software company that will be using a smartphone application and related device to record and store arguably protected health information.
1. Assume the software company stores the information on its own servers. The company is not subject to HIPAA (privacy or security rules) because it isn't a covered entity or a business associate of a covered entity, correct?
2. Now assume that the software company uses a 3rd party data storage provider to store all of the arguably protected health information. Again, neither the company nor the 3rd party provider are subject to HIPAA (privacy or security rules) because they aren't covered entities or a business associate of a covered entities, correct?