Answered Questions

What safeguards for PHI on offline devices?

Q: Remote devices may not have access to the internet at all times and therefore may be operating offline. Data must be stored on the devices until connectivity is restored. What is the protocol for PHI data storage on offline mobile devices?

A: A covered entity or business associate must consider the administrative, physical, and technical safeguards that apply under HIPAA for storage of ePHI data on mobile devices, irrespective of whether a device is offline or has connectivity. When a mobile application is caching data for offline operation, an entity should make sure that it has assessed the risks related to use of the device, access, storage and removal of ePHI (whether persistent or temporary), transmission of ePHI, encryption, as well as related concerns regarding remote access and use of mobile devices.

HHS has developed guidance with general information on the risks and possible mitigation strategies for remote access to and use of ePHI

OCR and ONC have also issued guidance on the use of mobile devices and tips for securing ePHI on mobile devices

What are suggested encryption protocols for cloud security?

Q: What are the suggested encryption protocols that one should implement in order to fulfill the 164.312(a)(2)(iv)? Have you implemented a mechanism to encrypt and decrypt EPHI?

A: OCR does not recommend or endorse a particular encryption solution nor require the use of a particular encryption protocol or algorithm to meet an entity’s obligations for encryption under the HIPAA Security Rule. However, as part of our breach notification work we have issued OCR Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals:

PHI encrypted in accordance with OCR’s guidance is not unsecured PHI, and thus would not trigger an entity’s breach notification obligations in the event of a potential breach of such encrypted PHI. That guidance notes the following: For encryption of data-at-rest, National Institute of Standards and Technology (NIST) has issued Special Publication 800–111, Guide to Storage Encryption Technologies for End User Devices:

For encryption processes for data-in-motion, NIST has issued SP 800-52 Revision 1 Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations (dated April 2014); 800–77 Guide to IPsec VPNs; and 800–113 Guide to SSL VPNs:

Although the Security Rule does not require an entity to use a particular encryption solution or algorithm to meet its addressable obligations, OCR considers encryption implementations consistent with the unsecured PHI guidance to meet HIPAA Security Rule requirements for encryption.

In addition, OCR has issued FAQ guidance regarding cloud computing that addresses encryption:

Which video chat apps are HIPAA-compliant?

Q: Is Skype or any other video chat app HIPAA-compliant? Which video chat apps can currently be used for telehealth treatment activities involving general physicians or involving mental health professionals?

A: OCR does not endorse, certify, or recommend specific technology, software, applications, or products. Choosing whether to use a particular piece of software or video chat application should be informed by an organization’s risk analysis. In selecting video software as part of tele-health treatment activities, the organization should consider the risks to the ePHI in using the software and whether the appropriate safeguards are in place. A business associate agreement would be necessary when the video chat software is hosted by a vendor that would be receiving, maintaining, and transmitting ePHI.

Organizations should consider whether the product supports HIPAA Security Rule controls such as backups of audit and video chats, access logs and auditing, as well as breach reporting. has produced a great deal of technical assistance on tele-health. See; more information is available at, if you search on telehealth.

Are we a HIPAA compliant distributed team?

Q: We are a small startup team that is distributed nationwide. To date everyone has used their own personal computers to login into work email, etc. Is it a requirement that we purchase and make all of our employees use only their work computers for development and access to our db? It's understood that we need a robust password policies and defined lists of who has access to any sensitive data where ever they may be.

A: Take a look at the “helpful links” page for information to help you in your considerations. You might want to examine whether you are covered by the HIPAA Rules and in what capacity.

A covered entity or business associate needs to put into place appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of all ePHI created, received, maintained, or transmitted on any device. The entity must establish its own security policies, consistent with its risk analysis, regarding employee use of personal devices for business purposes, also known as Bring Your Own Device (BYOD).

HHS has developed guidance with general information on the risks and possible mitigation strategies for remote access to and use of ePHI:

OCR and ONC have also issued guidance on the use of mobile devices and tips for securing ePHI on mobile devices:

Does HIPAA require Scanning and Penetration Testing?

Q: Do entities need to run internal and external vulnerability scanning be HIPAA compliant? Do entities have to run penetration tests to ensure compliance? Reading §164.312(e)(2)(i) it seems that 'security measures' could include these tests, but does not specify a requirement for it.

Additionally, a risk analysis could identify that these services would help to reduce the risk, threats and vulnerabilities in-scope systems, but I cannot find anywhere that these tests are mandatory.

A: Vulnerability scans and penetration tests are tools an entity may choose to use for risk analysis and management purposes. Review the Cyber Security Guidance Material on the OCR Security Rule pages. In this guidance, you will find the newsletters OCR issues for the regulated community about the various security threats and vulnerabilities facing the healthcare sector, to understand what security measures can be taken to decrease the possibility of being exposed by these threats, and how to reduce breaches of ePHI.

The HIPAA Security Rule does not contain a specific provision regarding internal and external vulnerability scans and/or penetration tests. However, CEs and business associates are required under 164.308(a)(1)(ii)(A) Risk Analysis to “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.” Vulnerability scans are a tool to identity potential vulnerabilities in an entity’s security posture. Similarly, a penetration test attempts to exploit an entity’s vulnerabilities, to assess risk and determine the effectiveness of an entity’s security controls. Both vulnerability scans and penetration tests can be incorporated into an entity’s risk analysis and management procedures as reasonable and appropriate.

A penetration test or vulnerability scan may also be helpful to an entity as a periodic evaluation under 164.308(a)(8) – Evaluation Standard: “Perform a periodic technical and nontechnical evaluation…that establishes the extent to which a covered entity's or business associate's security policies and procedures meet the requirements of this subpart.”

Can patients request controlled access or data masking in EHRs?

Q: Data masking or controlled access provides a means for patients to control disclosure of select information within the EHR.

Can patients request that access to sensitive data be controlled? Can patients request that only certain people can access their PHI? Can they request an audit of how their data has been shared by a covered entity? If so, do (or should) Notices of Privacy Practices specify these privacy rights?

A: Yes, a patient has a right to request that a covered entity restrict certain uses and disclosures of ePHI, and a covered entity must have a process in place to consider such requests (which could include the actions of a business associate). A covered entity must comply with a request for a restriction on disclosures of PHI to a health plan for payment or health care operations purposes when the patient has paid in full for the related health care item or service. Otherwise, an entity is not required to agree to a requested restriction. You can find more information about the right of an individual to request restrictions of uses and disclosures, on the OCR website and

Individuals also have the right to receive an accounting of certain disclosures of their PHI in a designated record set. However, this accounting right does not include an audit of all access to the records. Check out the Guide to Privacy and Security of Electronic Health Information. The Office of the National Coordinator for Health Information Technology (ONC), coordinated with OCR to create the Guide to help you integrate privacy and security into your practice. The Guide covers a variety of topics, including individual rights with respect to their protected health information.

Finally, the Notice of Privacy Practices for your covered entity must describe individual rights, including those discussed above. You may find a model Notice here:

What activity within an application must be logged?

Q: In order to be HIPAA compliant, should all activity that occurs with in an app be logged, or should activity that exceeds the normal threshold be logged? For instance, users that access information in the application routinely during the course of their work day will evince a regular level of activity. The activity will indicate routine access of sensitive information. Should the log contain all of the users activity, or should the app only log excess access to sensitive information?

A: OCR addresses this issue in OCR Cyber Awareness Newsletter #12, Understanding the Importance of Audit Controls, released January 2017. Covered Entities and Business Associates should make sure that they appropriately review and secure audit trails, and they use the proper tools to collect, monitor, and review audit trails. Protecting audit logs and audit trails prevent intruders from tampering with the audit records and helps ensure their integrity.

How should developers execute audit logging?

Q: Right now, developers expend a lot of time and resources (including the cost of data storage) on audit logging but don’t have assurance that they are in compliance. Could HHS provide an open source library of code to help developers understand how to execute audit logging.

A: OCR addresses this issue in OCR Cyber Awareness Newsletter #12, Understanding the Importance of Audit Controls, released January 2017. See Covered Entities and Business Associates should make sure that they appropriately review and secure audit trails, and they use the proper tools to collect, monitor, and review audit trails. Protecting audit logs and audit trails prevent intruders from tampering with the audit records and helps ensure their integrity. OCR does not maintain an open-source library of code. Entities have flexibility to implement the audit control standard in a manner appropriate to their needs as deemed necessary by their own risk analyses. For example, see NIST Special Publication 800–14, Generally Accepted Principles and Practices for Securing Information Technology Systems and NIST Special Publication 800–33, Underlying Technical Models for Information Technology Security.

What end-user disclosures to a subcontractor require a business associate agreement?

Q: I'm a compliance consultant for early stage startups with tight budgets. I'm not sure how to advise them regarding BAAs for third-party services such as customer support ticketing that aren't meant to collect PHI, but may incidentally. (E.g. "[Covered entity] entered my profile information wrong and I don't know how to change it. It should say...") These subcontractors meet the NIST definition of a cloud service provider, if that matters.

BAAs are often not available at my clients' service level. ZenDesk, for instance, doesn't offer a BAA until the client is paying $2K/mo. They do offer a Ticket Redaction App, but it doesn't purge the original logs of redacted info, so I don't know that we can call them a conduit, since they store any PHI/PII they come across...?

65 FR 82476 seems to establish that "intent" and "probability of exposure of PHI" matter in determining who's a business associate. My clients would prefer that such subcontractors not see PHI, but they haven't removed free-form text boxes where it could be disclosed. Even if my clients instruct users not to use a third-party customer service ticketing system to communicate PHI, it seems unlikely that all users will follow those instructions. Do their efforts constitute appropriate safeguards?

Also, does it matter, in determining whether these vendors are business associates, how my clients configure login (including end users and customer service representatives)? Is knowing end users' email addresses, names, affiliation with a SaaS business associate (my client), and/or non-treatment affiliation with a covered entity sufficient to require a BAA of these subcontractors?

A: The cloud service guidance available on this portal--from the home page and in Helpful Links—addresses these questions. In short, a cloud service provider that provides such services to a covered entity or business associate that involve creating, receiving, or maintaining (e.g., to process and/or store) electronic protected health information (ePHI) meets the definition of a business associate.

The HIPAA Privacy Rule protects most “individually identifiable health information (IIHI)” held or transmitted by a covered entity or its business associate, in any form or medium, whether electronic, on paper, or oral. The Privacy Rule calls this information protected health information (PHI). Protected health information is individually identifiable health information, including demographic information, which relates to:
- the individual’s past, present, or future physical or mental health or condition,
- the provision of health care to the individual, or
- the past, present, or future payment for the provision of health care to the individual, and that identifies the individual or for which there is a reasonable basis to believe can be used to identify the individual.

Protected health information includes many common identifiers (e.g., name, address, birth date, Social Security Number) when they can be associated with the health information listed above.

If the end user is an individual (meaning a patient or health plan member), then end user email address, name, and other identifying information created, received or maintained on behalf of a CE or a business associate is PHI, and the service provider is a business associate of the CE or business associate. The CE or BA engaging these third party services must enter into a BAA with the third party service. Note that no fee or revenue threshold applies to consideration of whether an entity is acting as a business associate.

American parent company using offshore development and customer support

Q: Does HIPAA have any restrictions on offshore development and/or customer support functions if the parent company is based in U.S. and/or if the foreign entity is owned and/or controlled by an entity based in U.S.?

A: Generally, the requirements for affiliated covered entities at 45 CFR § 164.105(b) apply to the use of PHI among legally separate covered entities under common ownership or control, that have designated themselves as an affiliated covered entity (i.e., a single covered entity for purposes of compliance with the HIPAA Rules). HIPAA does not apply specific restrictions based on the location of the entities for otherwise permissible use of PHI within a single legal entity that is a covered entity or an affiliated covered entity. You can read more about this in the Organizational Options section of the OCR HIPAA Privacy Rule Summary.

Also take a look at the "FAQs about business associates" link on this site’s Helpful Links page. Through it you can find FAQ 2082, which addresses using cloud service providers (CSP) or other services outside the US.

From that guidance: While the HIPAA Rules do not include requirements specific to protection of electronic protected health information (ePHI) processed or stored by a CSP or any other business associate outside of the United States, OCR notes that the risks to such ePHI may vary greatly depending on its geographic location. In particular, outsourcing storage or other services for ePHI overseas may increase the risks and vulnerabilities to the information or present special considerations with respect to enforceability of privacy and security protections over the data. Covered entities (and business associates, including the CSP) should take these risks into account when conducting the risk analysis and risk management required by the Security Rule.

What is a business associate to do with stored patient health information at the end of the contract?

Q: The scenario is this: A private health clinic (PHC) signs up online to use a web-based EHR application to create patient charts, schedule patients, provide a patient portal, etc. - classic practice management tasks. The EHR vendor has a BAA with a company which hosts its web application and the encrypted database. My question is, what happens to the PHC's electronically stored ePHI if the PHC's account is cancelled and/or the EHR vendor has exhausted all confirmed methods of contact with the PHC (email, text). Is it possible to have Terms of Service which include destroying the PHC's stored patient data if the PHC is unreachable? Do other laws (ie. state laws about holding onto patient data for a certain number of years) apply to the EHR vendor and their web host company? The EHR vendor can't possibly be required to pay to store the PHC's patient data for 7-10 years or whatever, right?

A: Take a look at OCR’s FAQ 2074, which addresses the question of whether a business associate of a HIPAA covered entity may block or terminate access by the covered entity to the protected health information (PHI) the business associate maintains for or on behalf of the covered entity. You can reach it through the Helpful Links page, as "Can a business associate block access".

The OCR cloud guidance, available on the home page and Helpful Links page, further addresses all of these questions related to HIPAA, and links to the FAQ. Also, find more general discussions of disposal of ePHI here:

You can find information about state health privacy laws on the Other Federal and State Privacy and Security Resources tab at

Clarify when online consumer information is PHI

Q: I see a great deal of variation from organization to organization on what constitutes PHI in the digital realm. I have several scenarios that I'd like your thought on:

- Is public website browsing behavior considered PHI as is suggested in the current Winston Smith V. Facebook case ( This could impact a number of common services used by covered entities - for example, if the answer is yes then this suggests that healthcare organizations should have BAAs in place when using Google Analytics? Is this answer different if the individually identifiable component is an IP address rather than a confirmed individual identity?

- When a consumer signs up for a class, information session, support group, etc. held by the covered entity, is that information PHI? I've heard CEs argue that any such signup is PHI while others argue that signing up for a "Living with Cancer" support group would not constitute PHI.

- When one individual submits information online that suggests the health status of another individual, is that considered PHI? For example, an online "get well soon" card.

A: Individually identifiable health information (IIHI) is information, including demographic information, which relates to:
- the individual’s past, present, or future physical or mental health or condition,
- the provision of health care to the individual, or
- the past, present, or future payment for the provision of health care to the individual, and that identifies the individual or for which there is a reasonable basis to believe can be used to identify the individual.

Protected Health Information (PHI) is IIHI that is created, received, maintained, or transmitted by a covered entity (e.g. health plan, most health care providers) or business associate (who creates, receives, maintains, or transmits PHI for the covered entity or another business associate).

Protected health information includes many common identifiers (e.g., name, address, birth date, Social Security Number) when they can be associated with the health information listed above.

Keep in mind that the information an individual shares through a patient portal with her health plan or covered health care provider for patient care or operations, such as scheduling an appointment or discussing a reimbursement issue, would be PHI protected by the HIPAA Rules, because the Rules apply to such information received by the covered entity and involved in health care functions.

Conversely, health information shared by a consumer or between two consumers, independent of a covered entity or business associate performing a health care function, is not PHI, regardless of its form (electronic, paper) or format.

How to protect PHI such as birthweights & ages in an app

Q: Certain pediatric tasks require fairly precise ages, for example when evaluating jaundice one must know a baby's age in hours. What precautions are required to ensure that a birthdate cannot be inferred by usage data from an app that automates some of these tasks? For example, if a nurse enters in that a baby is 8 hours old, it seems a birthdate could be identified if the time of the nurse/app interaction was known. Any advice on how to avoid patient sensitive information or the transfer of it, in this case even when there are no other identifiers, such as name, SSN, etc?

A: Based on your questions, it appears you are seeking information about how to de-identify protected health information in compliance with HIPAA. Please see

You should also know that HIPAA’s Privacy Rule sets out the terms and conditions for use and disclosure of identifiable health information (referred to as protected health information or PHI). You may want to consider whether the use or disclosure of the information that you anticipate is permitted by the Privacy Rule (and therefore the information would not necessarily need to be de-identified). Take a look at the Helpful Links page. The Privacy Rule permits use and disclosure of (identifiable) PHI for many purposes, including treatment, payment and health care operations. In addition, the Privacy Rule generally requires covered entities to take reasonable steps to limit the use or disclosure of, and requests for, PHI to the minimum necessary to accomplish the intended purpose. However, the minimum necessary requirements do not apply to disclosures of PHI to other providers for treatment purposes. For more information see

HIPAA E-Signature Requirements

Q: We are a small organization starting up a tele-health initiative. We would like to deliver a copy of our Notice of Privacy Practices electronically and have patients acknowledge receipt via check box prior to completing our online intake forms. This method is used for acceptance when one downloads software online. We are having a difficult time understanding the requirements for this. Can it be a check box and/or typed name on a form? Does it need to be legally binding? Do we need to electronically track the signature back to a specific person? As long as we can prove they check the box prior to providing us information, will that would suffice for acknowledgement of receipt?

A: We have addressed this topic on the OCR website in the FAQs. For notice delivered electronically, an electronic return receipt or other return transmission from the individual is considered a valid written acknowledgment of the notice. A covered entity is not required to obtain the individual’s legally valid electronic signature for this purpose. The covered entity must retain any written acknowledgments of receipt of the notice or documentation of good faith efforts to obtain such written acknowledgment. See

Provider suggested use of an App - there is a breach

Q: A provider or a wellness management company, which are both subject to HIPAA because they collect and house PHI. If that provider or wellness provider suggest to a patient that they use an app (the app was not developed for them and there has been no communication with the app company that the providers are going to use the app) to gather health data to share with them and the app company suffers a breach of information. What is the liability to the providers that suggested the patient use the app that was breached?

A: The “Health App Use Scenarios and HIPAA” guidance, available on this portal home page and helpful links page, poses a scenario in which a covered provider recommends a particular app for her patient to use to capture and share information with the provider. In this scenario, the app developer is not a business associate of the covered provider. If an app developer is not a business associate of a provider, a breach experienced by the app developer does not create any breach notification responsibilities for the provider. Take a look at the guidance, and also the “what federal laws apply to you” tool on the helpful links page.

Unencrypted PHI in the Cloud

Q: If a CE puts PHI on the Cloud and later terminates that Cloud as a service provider, there is inevitably some data remanence, thus leaving PHI on the Cloud. NIST Special Publication 800-80 addresses this by suggesting CEs use crypto-erase. What if the CE previously sent unencrypted PHI to the Cloud? Is it as simple as extending the protections of the contract to the information and limiting further uses and disclosures to those purposes that make the return or destruction of the information infeasible?

A: In short, yes, the protections of the contract must be extended and future use and disclosures limited. In this question, the cloud service provider is a business associate of the CE because it holds or processes ePHI on its behalf. A business associate agreement between a covered entity and a business associate, or a business associate and a subcontractor, must, if feasible, require the business associate to return or destroy all ePHI at termination. If such return or destruction is not feasible, the protections of the business association agreement must be extended to the information and further uses and disclosures limited to those purposes that make the return or destruction of the information infeasible. You can find more information about business associate compliance through the helpful links page. Update: Please consult the HIPAA and Cloud Computing guidance:

Sale of Data Collected by a Consumer Targeted App

Q: We are not a covered entity or business associate. We are developing a direct-to-consumer app that tracks medication adherence. We want to de-identify the information the app collects to sell to third parties. Do we follow the same HIPAA de-identification processes that a covered entity or business associate would follow?

A: If a developer is not a covered entity or a business associate, HIPAA’s regulations – including the provisions on de-identification - do not apply. (Note that the Health App Use Scenarios & HIPAA guidance provides four examples of consumer apps where the app developer would not be a covered entity or business associate.) However, the developer could choose to use HIPAA’s de-identification provisions to reduce the risk of re-identification of consumers through the sale of health information. Consider what other federal consumer protection laws may apply; use the tool available through the What federal laws apply to you? link. Also see the OCR guidance on de-identification.

Are We a Covered Entity?

Q: A business associate provides no medical advice, medical services, medical devices, etc. But it talks to patients of the covered entity. Those patients tell the business associate what prescriptions they have for prescription drugs and when they must be refilled. The business associate faxes the refill request to the pharmacy. Does that make the business associate a covered entity?

A: No. Conducting prescription management activities on behalf of or as a service to a covered entity does not make the business associate a covered entity. Take a look to our responses to the “are we a covered entity” question for resources, also the helpful links page.

Are Cloud Storage providers BAs?

Q: Is a company that provides encrypted cloud storage for a covered entity a BA if it does not have the encryption key and has no ability to access the IIHI?

A: This important question will be addressed in upcoming cloud guidance. We will be sure to announce the release of the guidance on this site, and provide a link. Update: Please consult our cloud computing guidance, issued October 2016:

Risk Assessment Tool

Q: Small companies and Business Associates are eager to meet their security requirements under HIPAA. Many smaller B.A.s have stated that they are unable to use the current security risk assessment tool because they believe it is needlessly cumbersome, redundant, and designed for Covered Entities. Do you recommend that Business Associates start to use private tools instead of the current tool for risk assessments? If so, would OCR consider reviewing and endorsing third party risk assessment tools for Business Associates?

A: You can find links to three risk analysis tools, as well as other guidance on Security Rule compliance, at

HIPAA Training

Q: Employees of a Business Associate must be trained on the basics of HIPAA. Startups and emerging companies want to ensure that the training their employees receive meets the standards expected by OCR. Similar to the practices of OSHA, can OCR provide a standardized training program on key HIPAA issues?

A: The HIPAA Rules are flexible and scalable to accommodate the enormous range in types and sizes of entities that must comply with them. This means that there is no single standardized program that could appropriately train employees of all entities. However, a good place to start looking for resources for your employee training is This guide provides a good beginner's overview of what the HIPAA Rules require, and the page has links to security training games, risk assessment tools and other aids. Also look at the resources available through the helpful links page.


Q: With random audits becoming a feature of HIPAA enforcement, small companies and Business Associates should ensure that information sought by OCR is readily available. This will allow OCR to make assessments quickly and efficiently. Making this process efficient also limits the disruptive impact audits can have on emerging companies. Similar to the practice of the FCC, can OCR provide guidance for Business Associates regarding the specific requirements of the audit process? What can a Business Associate do to prepare for an audit, and what should be expected?

A: Phase Two of OCR’s HIPAA audit program is currently underway. OCR has begun to obtain and verify contact information to identify covered entities and business associates of various types and determine which are appropriate to be included in potential auditee pools. We encourage covered entities and business associates to review their compliance programs, ensure that they have implemented complete risk analysis and risk management processes, and compile a record of all their business associates. The audit protocols can be used for self assessment. For more information, including a link to the protocols that will be used to assess compliance, go to

Does an online appointment scheduler need to abide by HIPAA?

Q: I would like to know if I offer an online appointment scheduler to health care providers, would the system and I, as the programmer/manager need to abide by HIPAA or other related laws. Information included in the system would not be medical in nature; it would just be the clients name, appointment date and time, their email address and phone number. Possibly a credit card for deposits, but that's not the concern. The concern would be their personal info, their name, email and phone and apt date/time. Would this system need to abide by HIPPA guide lines? or special confidentiality rules?

A: An online scheduler that creates, receives, maintains, or transmits identifiable patient information as part of providing appointment scheduling services to a covered health care provider is a business associate of the health care provider and subject to HIPAA. (E.g., a calendar application run from a vendor’s computers and delivered by the vendor’s remote servers over the Internet.) From the OCR website: When identifying information, such as personal names, residential addresses, or phone numbers, are listed with health condition, health care provision or payment data, such as an indication that the individual was or will be treated at a certain clinic, then this information would be protected health information (PHI) and protected by the HIPAA Rules. Click on “what information is protected” at, and browse the material available here through the Helpful Links.

Developer and HIPAA

Q: Assume you have a software company that will be using a smartphone application and related device to record and store arguably protected health information.

1. Assume the software company stores the information on its own servers. The company is not subject to HIPAA (privacy or security rules) because it isn't a covered entity or a business associate of a covered entity, correct?

2. Now assume that the software company uses a 3rd party data storage provider to store all of the arguably protected health information. Again, neither the company nor the 3rd party provider are subject to HIPAA (privacy or security rules) because they aren't covered entities or a business associate of a covered entities, correct?

A: Take a look at the app developer scenario guidance posted on the welcome page of this site. It contains a range of scenarios and questions to help you analyze whether you have HIPAA responsibilities for the information. Also, you will want to take a look at the Mobile Health App Tool, which you can reach on our links page.

De-identification of individuals' information

Q: Is there any limitation on a covered entity's de-identification of PHI or use of de-identified information? For example, may a covered entity de-identify information purely for the purposes of selling data as a service?

Additionally, from a Privacy Rule perspective (i.e., not considering state law or contractual considerations), are there any restrictions on a business associate using or disclosing the de-identified PHI (assuming they have been directed by the covered entity to de-identify the information in the first place)?

A: The Privacy Rule does not restrict how a covered entity may use or disclose information that meets the Rule’s standards for de-identified health information, as it is no longer considered protected health information. A covered entity may use a business associate to de-identify PHI on its behalf only to the extent such activity is authorized by the business associate agreement. Guidance about the de-identification standard is available at

Teaching Hospitals and HIPAA Privacy

Q: I work for a University medical school that employs physicians as faculty and who teach at the hospital. I would like to know more about how far the ability access patient's records for educational purposes reaches. For example, if a Radiologist faculty member treated several patients with interesting or notable conditions and wanted to use the films as a teaching guide for residents, then what guidance or protocols should that faculty member follow that would permit the residents to access that patient's medical records to view the films without violating HIPAA? The residents were not treating physicians, but the faculty member was; or maybe only one or two residents were involved in the actual care of the patient but several others were not. Does the faculty member have to log-in to the electronic medical record under their user id, deidentify all of the patient's PHI, and then show the residents the films? Can the faculty physician simply give the patient's MRN to the residents and tell them to look up the films using their own user id's since it's for educational purposes?

A: Guidance on how teaching hospitals may use and disclose protected health information to train health care professionals and other members of their workforce can be found through the links below.

Are we a covered entity?

Q: How can we determine if we’re a covered entity? The resources to make that determination are expensive – i.e. law firms

A: Only health plans, health care clearinghouses and most health care providers are covered entities under HIPAA. You can learn more about what types of organizations fit into these categories You can follow the steps of this chart to figure out your own status. However, even if you are not a covered entity, you may be a business associate required to comply with certain provisions of the HIPAA Rules. In general, a business associate is a person [or entity] who creates, receives, maintains or transmits protected health information (PHI) on behalf of a covered entity or another business associate. PHI is defined in the HIPAA regulations, and, in general, is identifiable health information. So, most vendors or contractors (including subcontractors) that provide services to or perform functions for covered entities that involve access to PHI are business associates. For example, a company that is given access to PHI by a covered entity to provide and manage a personal health record or patient portal offered by the covered entity to its patients or enrollees is a business associate.
Find out which federal laws you need to follow by using the new Mobile Health Apps Interactive Tool.

I am happy to provide updated resources! The Federal Trade Commission (FTC) has created a new web-based tool to help developers of health-related mobile apps understand what federal laws and regulations might apply to them. The FTC developed the tool in conjunction with OCR, the HHS Office of National Coordinator for Health Information Technology (ONC), and the Food and Drug Administration (FDA). You can get find this tool on our helpful links page.

Cloud Computing

Q: Developers need better guidance around cloud storage/computing and the Security Rule. Client-server architecture is no longer relevant in many cases. Health technology companies are typically now 100 percent cloud-based. Many clients are doing some type of data analytics work, or offer cloud-based EHRs and medical devices. HHS should provide good guidance for companies that are cloud based and virtual. Most companies now don’t necessarily have a physical location, everyone is working from home, and accessing data via VPN (virtual private network). The current rule just doesn’t apply to these new business models.

A: From OCR: This important question will be addressed in upcoming cloud guidance. We will be sure to announce the release of the guidance on this site, and provide a link. Update: Please consult our cloud computing guidance, issued October 2016:

What part of the environment has to be compliant?

Q: Does the entire environment need to be HIPAA compliant, or is it possible that the solution could fall into an exception to HIPAA, or can they use an API to store certain kinds of data? If you’re building modern technologies, you’re relying on a lot of third party (likely API) based services; mostly cloud based services. So which aspects of those need to be compliant?

A: Both business associates and covered entities must consider where and how they use, maintain and disclose protected health information in order to determine how to comply with the HIPAA Rules.

The business associate is responsible for ensuring its compliance with the applicable HIPAA standards for all aspects of the environment that involve PHI and the provision of business associate services or activities.

The HIPAA Rules permits a covered entity that conducts both covered and non-covered functions to elect to be a “hybrid entity.”(The activities that make a person or organization a covered entity are its “covered functions.”) To be a hybrid entity, the covered entity must designate in writing its operations that perform covered functions as one or more “health care components.” (For example, a chain drugstore could elect to be a hybrid entity and so designate its pharmacy-related activities as its health care component and exclude its retail operations.) After making this designation, most of the requirements of the Privacy and Security Rules will apply only to the health care components. The covered entity must ensure that it does not share PHI from its health care component with other components of its business (unless the Privacy Rule would permit such sharing with a separate legal entity). A covered entity that does not make this designation is subject in its entirety to the HIPAA Rules. For more information search for “hybrid” in the FAQs

Help with business associate agreements

Q: There is a lack of transparency around the content of Business Associate Agreements (BAAs), a lack of sample BAA language around the topics developers care about, such as cloud storage & PGHD, and a lack of bargaining power on the part of startups. This has led to many challenges for the industry, resulting in high legal fees which may be a barrier to entry for many companies. HHS should issue sample BAA language around these common topics, to reduce the need for customized legal work.

A: You can find sample BAA language on the OCR website; we have not developed provisions specific to particular services or industries. However, entities are welcome to take the sample language and tailor it to their needs. See

Can HIPAA address patient generated data?

Q: Developers need better guidance around patient generated health data, since HIPAA focusses on one-way data sharing from a provider/other covered entity outward to the patient/other entity. In the future, more and more data will be flowing in the opposite direction, and there should be guidance to clarify that HIPAA should not prevent the flow of information from the patient back to the provider.

A: Information created or held by individuals/patients/consumers is not subject to HIPAA unless and until it is received by a covered entity (or a business associate). HIPAA does not prevent hospitals, medical practices and other covered entities from receiving patient generated health data, whether by phone, paper, fax, online patient facing portal, or mHealth application. Note that under the HIPAA Security Rule, covered entities and business associates need to conduct a security risk analysis to evaluate and address the potential risks of any solutions deployed (e.g., web based portal, data transfer application, direct network connection, etc.) to receive and process ePHI from external sources.

To more fully respond to this question, we created the "Health App Use Scenarios and HIPAA" guidance, which takes on individual/patient/consumer generated health data and relationships between the individual, the provider and the app. You can find it on the portal home page and in helpful links.