Who has to follow HIPAA privacy regulations?
There is often confusion about which types of companies are required to abide by HIPAA, and a regulatory gray area still exists. Many companies are not automatically covered entities (covered entities include licensed health care providers, and their business associates must also comply). Such companies are therefore not required to adhere to HIPAA's privacy regulations, because they are vendors or self-help resource providers rather than licensed health care service providers. Vendors that work with health care providers are considered business associates and must adhere to HIPAA laws and regulations; however, if and when a company providing an app, platform or website is legally considered a business associate is not always clear. Also, most “mental health apps” on the market that provide self-help services and education are considered neither a covered health care provider nor a business associate, so no HIPAA requirement to abide by its privacy practices applies to these noncovered entities.