Does HIPAA have a safe harbor clause?

HIPAA isn’t like the Digital Millennium Copyright Act (DMCA): there is no safe harbor clause for unintended transmission, storage or disclosure of PHI. Regardless of how you planned it, scoped it, envisioned it or dissuaded users from including it, if PHI is in your app or on your servers you could face HIPAA fines if you’re not in compliance.

Further, just refusing to sign a Business Associate Agreement doesn’t absolve you of the provisions of HIPAA compliance should your services handle PHI (intentionally or not) in any way.

It’s not as much of an edge case as you might think. Here are a few examples of how easily PHI can enter your application.

  • Your app that gets doctors’ advice based on anonymous symptoms could easily contain PHI as soon as the patient shares an email address, a lab report, or details of their last doctor visit.
  • Your diabetes management app, which tracks blood sugar and prescription information, contains a user-added note with their doctor’s dosing instructions and pharmacy Rx number.

You get the idea. Regardless of how you intend for users to use your application, if the application is related to personal health in any way, there is a chance that PHI will ultimately end up in the system.