From b3f588f1da0608a494a17a18044d60e19d41ba3e Mon Sep 17 00:00:00 2001 From: Jason Kulatunga Date: Thu, 25 Apr 2024 16:16:51 -0700 Subject: [PATCH] vault backup: 2024-04-25 16:16:51 --- .obsidian/workspace.json | 20 ++++++++++---------- legal/hipaa.md | 14 ++++++++++++++ 2 files changed, 24 insertions(+), 10 deletions(-) diff --git a/.obsidian/workspace.json b/.obsidian/workspace.json index 798333f..4790a68 100644 --- a/.obsidian/workspace.json +++ b/.obsidian/workspace.json @@ -13,7 +13,7 @@ "state": { "type": "markdown", "state": { - "file": "getting-started/sandbox.md", + "file": "legal/hipaa.md", "mode": "source", "source": true } @@ -93,7 +93,7 @@ "state": { "type": "backlink", "state": { - "file": "getting-started/sandbox.md", + "file": "legal/hipaa.md", "collapseAll": false, "extraContext": false, "sortOrder": "alphabetical", @@ -110,7 +110,7 @@ "state": { "type": "outgoing-link", "state": { - "file": "getting-started/sandbox.md", + "file": "legal/hipaa.md", "linksCollapsed": false, "unlinkedCollapsed": true } @@ -133,7 +133,7 @@ "state": { "type": "outline", "state": { - "file": "getting-started/sandbox.md" + "file": "legal/hipaa.md" } } }, @@ -167,6 +167,12 @@ }, "active": "5fc1dd549bcf0f60", "lastOpenFiles": [ + "legal/fhir-fees.md", + "legal/intellectual-property.md", + "legal/checklist.md", + "legal/carin-trust-framework.md", + "legal/21st-century-cures-act.md", + "getting-started/sandbox.md", "img/macos-app-store/1.dashboard.png", "img/macos-app-store/2.timeline.png", "img/Screen Shot 2024-02-01 at 5.13.39 PM.png", @@ -177,7 +183,6 @@ "img/screenshots/Screen Shot 2023-11-30 at 7.40.12 PM.png", "img/screenshots/widget-dashboard.png", "img/screenshots/security-manager-import.png", - "img/screenshots/security-manager-generate.png", "technical/marketplace/promo-codes.md", "providers/flexpa-supported-payers.md", "providers/largest-healthcare-companies.md", 
@@ -192,19 +197,14 @@ "technical/patient-summary.md", "technical/patient-data-collection.md", "img/macos-app-store/slides.pdf", - "getting-started/sandbox.md", "roadmap.md", "getting-started/index.md", "getting-started/main.md", "img/fasten_images_merged.pdf", - "legal/21st-century-cures-act.md", "legal/record-ownership.md", "legal/privacy-policy.md", "legal/license.md", - "legal/intellectual-property.md", "legal/index.md", - "legal/hipaa.md", - "legal/fhir-fees.md", "img/windows-app-store", "img/macos-app-store/1.dashboard.pdf", "deck/pitch-deck-v2.pptx.pdf", diff --git a/legal/hipaa.md b/legal/hipaa.md index b8d9b82..93a3fb2 100644 --- a/legal/hipaa.md +++ b/legal/hipaa.md 
@@ -97,3 +97,17 @@ At the end of the day, while there is a need for something like this, I don't kn
 > -
 > -
 > -
+
+
+
+# Can Providers/EHR platforms require a BAA?
+
+See [https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access-right-health-apps-apis/index.html#:~:text=The%20HIPAA%20Privacy%20Rule%20generally%20prohibits%20a%20covered%20entity%20from%20refusing%20to%20disclose%20ePHI%20to%20a%20third%2Dparty%20app%20designated%20by%20the%20individual%20if%20the%20ePHI%20is%20readily%20producible%20in%20the%20form%20and%20format%20used%20by%20the%20app](https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access-right-health-apps-apis/index.html#:~:text=The%20HIPAA%20Privacy%20Rule%20generally%20prohibits%20a%20covered%20entity%20from%20refusing%20to%20disclose%20ePHI%20to%20a%20third%2Dparty%20app%20designated%20by%20the%20individual%20if%20the%20ePHI%20is%20readily%20producible%20in%20the%20form%20and%20format%20used%20by%20the%20app "https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access-right-health-apps-apis/index.html#:~:text=The%20HIPAA%20Privacy%20Rule%20generally%20prohibits%20a%20covered%20entity%20from%20refusing%20to%20disclose%20ePHI%20to%20a%20third%2Dparty%20app%20designated%20by%20the%20individual%20if%20the%20ePHI%20is%20readily%20producible%20in%20the%20form%20and%20format%20used%20by%20the%20app").
+
+> The HIPAA Privacy Rule generally prohibits a covered entity from refusing to disclose ePHI to a third-party app designated by the individual if the ePHI is readily producible in the form and format used by the app.
+
+And just beyond:
+
+> 5. Q: Does HIPAA require a covered entity or its EHR system developer to enter into a business associate agreement with an app designated by the individual in order to transmit ePHI to the app?
+
+> HIPAA does not require a covered entity or its business associate (e.g., EHR system developer) to enter into a business associate agreement with an app developer that does not create, receive, maintain, or transmit ePHI on behalf of or for the benefit of the covered entity
\ No newline at end of file