I read that Apple is looking to hire a lawyer specializing in health regulations as it grows further into the healthcare field. This begs the question: Is Apple a HIPAA covered entity? Why or why not?
When Apple advertised for a top-flight lawyer specializing in health privacy regulations, it seemed that the technology leader might have plans to develop into the healthcare market. However, in the world of the Health Insurance Portability and Accountability Act, Apple is not currently a covered entity because it does not directly engage in the provision of health care or health insurance.
There are several possible explanations for Apple's hiring of a health lawyer. First, Apple may plan to become a HIPAA covered entity. This seems unlikely, as HIPAA covered entities fall into one of three categories: healthcare providers who engage in electronic transactions; health insurers; and health information clearinghouses that collect and share information from healthcare organizations. None of these seems to fit Apple's current business model.
It's more likely that Apple has plans to become a business associate of a HIPAA covered entity, expanding into healthcare by exchanging information with or facilitating information transfers between covered entities. Any HIPAA covered entity seeking to use Apple services for handling protected health information would require that Apple sign a business associate agreement that requires Apple to comply with HIPAA as well. Apple's focus on the CareKit development environment for health-focused software lends credence to this theory. As Apple responds to demands from third-party app developers, it may build HIPAA compliance directly into its products. In particular, the company may have plans to provide a HIPAA-compliant, back-end database for its CareKit development community.