
Will Apple become a HIPAA covered entity or business associate?

Whether Apple is a HIPAA covered entity was called into question when it advertised for a health regulations lawyer. Expert Mike Chapple discusses Apple's relationship with HIPAA.

I read that Apple is looking to hire a lawyer specializing in health regulations as it grows further into the healthcare field. This begs the question: Is Apple a HIPAA covered entity? Why or why not?

When Apple advertised for a top-flight lawyer specializing in health privacy regulations, it seemed that the technology leader might have plans to expand into the healthcare market. However, in the world of the Health Insurance Portability and Accountability Act, Apple is not currently a covered entity because it does not directly engage in the provision of health care or health insurance.

There are several possible explanations for Apple's hiring of a health lawyer. First, Apple may plan to become a HIPAA covered entity. This seems unlikely, as HIPAA covered entities fall into one of three categories: healthcare providers who engage in electronic transactions, health insurers and health information clearinghouses that collect and share information from healthcare organizations. None of these seem to fit Apple's current business model.

It's more likely that Apple has plans to become a business associate of a HIPAA covered entity, expanding into healthcare by exchanging information with or facilitating information transfers between covered entities. Any HIPAA covered entity seeking to use Apple services for handling protected health information would require that Apple sign a business associate agreement that requires Apple to comply with HIPAA as well. Apple's focus on the CareKit development environment for health-focused software lends credence to this theory. As Apple responds to demands from third-party app developers, it may build HIPAA compliance directly into its products. In particular, the company may have plans to provide a HIPAA-compliant, back-end database for its CareKit development community.


This was last published in October 2016
