California HIPAA Compliance necessary?

Jurisdiction
California
So I am making a mobile application, and part of that is that patients can leave testimonials for their doctor (and we are paid by the doctor, so I believe we are a business associate).

No information about the patient is collected other than what they say in their paragraph.
We don't ask for names, emails, or that they were even a patient.

My worry is that instead of saying "I had X surgery and I feel great", they would say "my name is Y, I had X surgery and I feel great".

If they did say their name, does that throw us out of HIPAA compliance? Or because they wrote it in themselves, it's okay to appear on our platform, and be transmitted on our servers?
There is no reason to think that you would have any HIPAA compliance issues.

"The Security Rule applies to health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form in connection with a transaction for which the Secretary of HHS has adopted standards under HIPAA (the "covered entities") and to their business associates."

But just to make sure, read this site: Are You a Covered Entity? | CMS
 
So we would be a business associate because we also provide generic pre-op and post-op instructions (again, we don't save or transmit any patient data), so this isn't the part I'm worried about.

I'm just wondering, in the case where we do have to be HIPAA compliant, is taking and posting a testimonial that the patient submits through the app non-compliant?
 
If they did say their name, does that throw us out of HIPAA compliance? Or because they wrote it in themselves, it's okay to appear on our platform, and be transmitted on our servers?

Do you make it clear to people using the app that the comments they submit will be made available to others to see?
 