Commit

minor edits
truevault committed May 29, 2014
1 parent bfb67e3 commit 100d223
Showing 7 changed files with 31 additions and 20 deletions.
4 changes: 2 additions & 2 deletions 01 Introduction.md
Expand Up @@ -6,15 +6,15 @@ HIPAA, the [Health Insurance Portability and Accountability Act](http://en.wikip
With any twenty year old piece of legislation that was written in a world without smartphones, tablets, and heck, even webmail, HIPAA is full of requirements that are confusing and challenging, particularly for software developers who have to make sense of them as they relate to their product and the underlying technologies that we all use on a regular basis to build and deliver applications to our customer bases.

#### 2013 Final Omnibus Rule Update
In September of 2013, the [Final Omnibus Rule Update](http://en.wikipedia.org/wiki/Health_Insurance_Portability_and_Accountability_Act#cite_note-33) was passed that amended HIPAA and greatly expanded the definition of who needed to be HIPAA compliant. Previously, only covered entities (such as doctors, hospitals, and insurers) were required to be HIPAA compliant. With the recent rule change however, all entities that store, manage, record or pass Protected Health Information (we'll just call it PHI from now on) to and from covered entities are also required to be HIPAA compliant. These entities, called Business Associates, who were previously exempt from HIPAA now fall under its governance.
In September of 2013, the [Final Omnibus Rule Update](http://en.wikipedia.org/wiki/Health_Insurance_Portability_and_Accountability_Act#cite_note-33) was passed that amended HIPAA and greatly expanded the definition of who needed to be HIPAA compliant. Previously, only covered entities (such as doctors, hospitals, and insurers) were required to be HIPAA compliant. With the recent rule change however, all entities that store, manage, record or pass Protected Health Information (we'll just call it PHI from now on) to and from covered entities are also required to be HIPAA compliant. These entities, called Business Associates, who were previously exempt from HIPAA, now fall under its governance.

### Why this guide?
As you can imagine, complying with federal regulations around privacy and healthcare data is no small task. That's why we've created this guide—to help you wade through what you need to know about HIPAA compliance as it relates to your application and what steps you'll need to take to ensure you don't end up in violation of the law.

There is plenty to read about HIPAA guidelines, and if you want you can spend a good chunk of the rest of the year reading up on all the details. Therefore, we're not going to rewrite everything here. This guide is not meant to be comprehensive, but rather give you a framework and reference to help you understand the major portions of the law that apply directly to the software you're developing for mobile, web and wearable applications.

### Who is this guide for?
If you're a developer building a web, mobile or wearable software application that deals in the collection, storage, or transmission of personally identifiable health information then this is for you. You'll get the ins and outs of HIPAA compliance guidelines and the steps you'll want to take to ensure you're within those guidelines in the development, hosting, and communication with your users.
If you're a developer building a web, mobile or wearable software application that deals in the collection, storage, or transmission of personally identifiable health information to covered entities like doctors this is for you. You'll get the ins and outs of HIPAA compliance guidelines and the steps you'll want to take to ensure you're within those guidelines in the development, hosting, and communication with your users.

From a breakdown of the terms and requirements, to specific examples of HIPAA-covered activities, we've tried to give you what you need to understand the laws in plain language so that you can make the right decisions when developing your application.

12 changes: 7 additions & 5 deletions 02 What is HIPAA?.md
Expand Up @@ -24,7 +24,9 @@ Like the four horsemen, these are the major pieces that govern what you do and h
+ HIPAA Privacy Rule
+ HIPAA Security Rule
+ HIPAA Enforcement Rule
+ HIPAA Breach Notification Rule

+ HIPAA Breach Notification Rule


**Developers need to focus on the Technical and Physical safeguards outlined in the Security Rule.**

## Important terms to know
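Review bot: the blank line inserted between "+ HIPAA Enforcement Rule" and "+ HIPAA Breach Notification Rule" looks accidental. In Markdown it turns the tight four-item list into a loose one, so the last item renders with paragraph spacing the other three lack, and the two blank lines that follow it add nothing. Keep the four rules as consecutive "+ " lines with a single blank line before the bold sentence.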
Expand Down Expand Up @@ -55,11 +57,11 @@ Examples of non-PHI data:

### The Difference Between Protected Health Information and Consumer Health Information

So how do you know if you’re dealing with protected health information (PHI) or consumer health information? The test is pretty simple: if your device or application stores, records or transmits the user’s personally-identifiable health data held in the app or device then you are dealing with protected health information and need to be HIPAA compliant.
So how do you know if you’re dealing with protected health information (PHI) or consumer health information? The test is pretty simple: if your device or application stores, records or transmits the user’s personally-identifiable health data held in the app or device to a covered entity (see below) then you are dealing with protected health information and need to be HIPAA compliant.

If you are building a wearable device or application that collects the anonymous health information, but do not plan on sharing it with a covered entity such as a doctor at any point in time then you do not need to be HIPAA compliant.
If you are building a wearable device or application that collects health information, but does not plan on sharing it with a covered entity at any point in time then you do not need to be HIPAA compliant.

For example, the Nike Fuelband is not HIPAA compliant because it does not track data considered protected health information nor allow data transmission from the device to a covered entity.
For example, the Nike Fuel Band is not HIPAA compliant because it does not track data considered protected health information because you can't transmit that data from the device to a covered entity.

### Covered Entity

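Review bot: the rewritten Fuel Band sentence chains two "because" clauses ("not HIPAA compliant because it does not track data considered protected health information because you can't transmit that data"), which makes the reasoning hard to follow and loses the "nor allow data transmission" condition the removed line stated separately. Suggest: "For example, the Nike Fuel Band is not HIPAA compliant because it neither tracks data considered protected health information nor transmits data from the device to a covered entity." The product is also spelled "Fuelband" in the removed line and "Fuel Band" in the added one; pick one spelling.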
Expand Down Expand Up @@ -99,7 +101,7 @@ If a Covered Entity (customer) sends PHI through a vendor, and the vendor’s se

Unlike other laws (DMCA anyone?) there is no "safe harbor" here. Just because you don't want to handle PHI doesn't opt you out of HIPAA compliance requirements.

Further, just refusing to sign a business associate agreement doesn't absolve you of the provisions of HIPAA compliance should your services handle PHI (intentionally or not) in any way.
Further, just refusing to sign a Business Associate Agreement doesn't absolve you of the provisions of HIPAA compliance should your services handle PHI (intentionally or not) in any way.

Here are some examples of potential Business Associates:

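Review bot: capitalising "Business Associate Agreement" matches "Business Associates" in the examples lead-in two lines below, but the abbreviation is still introduced only in "05 Becoming HIPAA Compliant.md" ("Business Associate Agreements (BAAs)"). Since this file comes earlier in the guide, spell the abbreviation out at this first mention, e.g. "a Business Associate Agreement (BAA)", so a reader who meets "BAA" later recognises it.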
4 changes: 2 additions & 2 deletions 03 Do I Need to Be HIPAA Compliant?.md
Expand Up @@ -2,11 +2,11 @@

This is the most important question you can ask, because HIPAA violations can result in some serious penalties.

**If you handle protected health information (PHI) then you need to be HIPAA compliant.**
**If you handle, store or transmit protected health information (PHI) to or from a covered entity then you need to be HIPAA compliant.**

If you skipped straight here and don't know what PHI is, read [this part of the guide](#).

## So, who needs to be HIPAA compliant?
## Who needs to be HIPAA compliant?

The short answer is that the HIPAA rules apply to both Covered Entities and their Business Associates. [HHS.gov](http://HHS.gov)

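Review bot: the new bold sentence says "handle, store or transmit ... to or from a covered entity", but "handle" and "store" do not take "to or from"; only transmission does. Suggest: "If you handle or store protected health information (PHI), or transmit it to or from a covered entity, then you need to be HIPAA compliant." Two lines down, "read [this part of the guide](#)" still points at "#", which renders as a dead anchor; it should target the PHI section of "02 What is HIPAA?.md".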
6 changes: 4 additions & 2 deletions 05 Becoming HIPAA Compliant.md
Expand Up @@ -12,13 +12,15 @@ HIPAA as a law requires that you do the following four things.

2) Reasonably limit use and sharing to the minimum necessary to accomplish your intended purpose.

3) Have agreements in place with service providers that perform covered functions. These agreements (BAAs) ensure that service providers (Business Associates) use, safeguard and disclose patient information properly.
3) Have agreements in place with service providers that perform covered functions. These Business Associate Agreements (BAAs) ensure that service providers (Business Associates) use, safeguard and disclose patient information properly.

4) Procedures to limit who can access patient health information, and training programs about how to protect patient health information.

## What it means for developers

If you're building an application that has any reasonable likelihood of collecting, storing or transmitting PHI you should be HIPAA compliant.
If you are collecting, storing or transmitting PHI to a covered entity then you definitely should be HIPAA compliant.

If you're building an application that has any reasonable likelihood of collecting, storing or transmitting PHI you should probably be HIPAA compliant.

Your non-technical team or (co-founder, depending on your size) should worry about the administrative compliance issues. As the developer you should focus both on the physical and technical aspects of the law.

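Review bot: the two added sentences hedge differently ("you definitely should" / "you should probably") from the bold statement this same commit rewrites in "03 Do I Need to Be HIPAA Compliant?.md" ("...to or from a covered entity then you need to be HIPAA compliant"). Use "you need to be" for the covered-entity case here too and keep "should" only for the likelihood case. In the unchanged context: item "4) Procedures to limit who can access..." is a noun phrase while items 2 and 3 are imperatives ("Reasonably limit", "Have agreements"); "Have procedures in place to limit..." keeps the list parallel. And "Your non-technical team or (co-founder, depending on your size)" has the parenthesis misplaced: "Your non-technical team (or co-founder, depending on your size)".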
7 changes: 3 additions & 4 deletions 08 Developer Considerations.md
Expand Up @@ -6,11 +6,11 @@ As you're evaluating how to best deal with HIPAA you'll probably have some of th

Scanning the list of safeguards required by HIPAA it's not unreasonable to think first of building out the safeguards yourself. Functionality such as unique identifiers for users and automatic logoff are part of any application anyway, so building those is going to happen one way or another.

Couple that with HIPAA compliant hosting providers, and it's easy to see why a combination of an AWS instance and some best practice application security wouldn't do the trick.
Couple that with HIPAA compliant hosting providers, and it's easy to draw the conclusion that a combination of an AWS instance and some best practice application security wouldn't do the trick.

Unfortunately, the other pieces of the security rule safeguards aren't as efficient and can take a ton of people-power and time to build out not just the features but the audit and logging functionality as well.
Unfortunately, the other pieces of the security rule safeguards aren't as easy to address or maintain and can take a ton of people-power and time to build out not just the features but the audit and logging functionality as well.

We think this comment from Hacker News sums up the technical debt required to roll your own HIPAA compliant infrastructure quite accurately. This was completely unsolicited and not from a TrueVault customer.
We think this comment from Hacker News sums up the technical debt required to roll your own HIPAA compliant infrastructure quite accurately. This was completely unsolicited and is not from a TrueVault customer.

> “[Building our own HIPAA compliant infrastructure] took upwards of 1,000 person-hours to figure out HIPAA-compliance issues. This will continue to be an ongoing cost for us, because HIPAA is an ongoing law and it changes sometimes. It takes substantial auditing time and money." — jph
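Review bot: the rewritten sentence still says an AWS instance plus best-practice application security "wouldn't do the trick", but the paragraph is setting up the tempting conclusion that the next sentence ("Unfortunately, the other pieces ... aren't as easy to address or maintain") then refutes; the logic only works if this reads "would do the trick". Changing "it's easy to see why" to "it's easy to draw the conclusion that" makes the intent clearer but leaves the negation in place, so drop the "n't". The following sentence also reads better split: "...aren't as easy to address or maintain. They can take a ton of people-power and time to build out, not just the features but the audit and logging functionality as well."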
Expand All @@ -24,7 +24,6 @@ It's not as big of an edge case as you might think. Here's a few examples of how

+ Your app to get doctor's advice based on anonymous symptoms could easily have PHI as soon as the patient shares an email address, lab report, or last doctor visit.
+ Your diabetes management app which tracks your blood sugar and prescription information has a note added by the user of their doctor's dosing instructions and pharmacy Rx number.
+ Your user adds their doctor's office contact information to personal health app to make it easier for them to keep track of their health care providers.

You get the idea. Regardless of how you intend for the user to use your application, there is a pretty decent chance that if the application is related to personal health in any way, PHI will ultimately end up in the system.

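Review bot: with the third bullet removed (a user adding their doctor's office contact details), both remaining examples involve clinical data (lab report, last doctor visit, dosing instructions, Rx number), so the list no longer illustrates the case where PHI enters through something as mundane as contact information. If the bullet was dropped because a provider's contact details alone aren't PHI, say so in the "You get the idea" paragraph; otherwise a reader who recalls the old example will assume it still applies. Minor: "Here's a few examples" in the hunk header context should be "Here are a few examples".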
8 changes: 4 additions & 4 deletions 09 Mobile Applications.md
Expand Up @@ -14,7 +14,7 @@ As we mentioned under [Developer Considerations](#) a thorough understanding of

Needless to say, it’s important to consider whether or not your app will be used to store or transmit protected health information, regardless of how you’ve designed it or anticipate it being used.

Even if you’ve designed your app to collect or use anonymous data that doesn’t fall under HIPAA by itself, if a user chooses to use your app to store or transmit PHI then you are subject to HIPAA compliance requirements. Edge case or not, as soon as PHI is on the device your app falls under HIPAA.
Even if you’ve designed your app to collect or use anonymous data that doesn’t fall under HIPAA by itself, if a user chooses to use your app to transmit PHI to a doctor then you are subject to HIPAA compliance requirements. Edge case or not, as soon as PHI is involved your app falls under HIPAA.

If your application has the chance to be used to store and transmit PHI it’s a safer bet to be HIPAA compliant to protect yourself from inadvertently violating HIPAA guidelines.

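Review bot: the rewritten sentence narrows the trigger from "store or transmit PHI" to "transmit PHI to a doctor", but the unchanged sentences around it keep the broader wording: two lines up, "whether or not your app will be used to store or transmit protected health information", and two lines down, "the chance to be used to store and transmit PHI". Either update those to match or keep "store or transmit" here; as committed, the section gives the reader contradictory triggers. The "[Developer Considerations](#)" link in the hunk header context is also still a "#" placeholder.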
Expand All @@ -26,7 +26,7 @@ The fact that an individual has received services from a covered entity is itsel

PHI can also include what would otherwise be anonymous information. This includes a date of service i.e. anything more specific than a year.

If you store, collect, manage, or transmit any protected health information then your app needs to be HIPAA compliant.
If you store, collect, manage, or transmit any protected health information to covered entities then your app needs to be HIPAA compliant.

## User communication

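Review bot: "If you store, collect, manage, or transmit any protected health information to covered entities" has the same attachment problem as the other rewritten sentences in this commit: storing, collecting and managing are not done "to covered entities". Suggest: "If you store, collect or manage any protected health information, or transmit it to covered entities, then your app needs to be HIPAA compliant." Minor: "a date of service i.e. anything more specific than a year" needs a comma before "i.e.".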
Expand Down Expand Up @@ -58,13 +58,13 @@ This goes beyond just mobile push notifications. Any time you’re making an aut

## Physical phone security

Phones are prone to being stolen, left in the back of cabs, on the table at restaurants and pretty much everywhere else. Because of the natural lack of security of the phone itself you need to ensure that PHI isn't easily accessible to unauthorized users.
Phones are prone to being stolen, left in the back of cabs, on the table at restaurants, and pretty much everywhere else. Because of the natural lack of security of the phone itself you need to ensure that PHI isn't easily accessible to unauthorized users.

Unfortunately, as a mobile app developer, most of this is out of your hands. However you can take a few small steps to help users ensure their PHI is protected if they should lose their phone.

### Using the lock screen

In order to secure data on an iPhone (for example), users must use a passcode to lock the handset when not in use. You can’t control whether a user enables this functionality; but you can recommend that users who install your app enable the feature.
In order to secure data on an iPhone (for example), users must use a passcode to lock the handset when not in use. You can’t control whether a user enables this functionality, but you can recommend that users who install your app enable the feature.

An easy way to do this is suggest that the user turns on the passcode lock setting in your welcome email to new account holders.

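Review bot: the comma fixes are fine; two more in the same section: "However you can take a few small steps" wants a comma after "However", and "An easy way to do this is suggest that the user turns on the passcode lock setting" should be "is to suggest that the user turn on the passcode lock setting". Also, "In order to secure data on an iPhone (for example)" reads as if the iPhone is the example rather than the passcode; "On an iPhone, for example, users must use a passcode to lock the handset when not in use" is cleaner.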
10 changes: 9 additions & 1 deletion 10 Wearable Applications.md
Expand Up @@ -2,7 +2,7 @@

Wearables are popping up left and right. From bands, to watches, to shirts, earbuds and more. All of these devices have the opportunity to collect PHI and require HIPAA compliance. While many will choose to initially collect anonymous data that doesn't require HIPAA protection, the need to add true utility to the devices will likely push many of them down the road to compliance.

As an application developer for wearables it's important to consider whether the data you're collecting now will remain anonymous (such as a simple pedometer report) or if you're building something more ambitious that requires a larger set of personalized data (PHI).
As an application developer for wearables it's important to consider whether the data you're collecting now will remain anonymous (such as a simple pedometer report) or if you're building something more ambitious that requires a larger set of personalized data that will be transmitted to HIPAA covered entities (PHI).

If it is the latter, you're likely better off building the software for the wearable in a HIPAA compliant environment to begin with, to protect against unforeseen use cases, unexpected PHI, etc.

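Review bot: after the rewrite the parenthetical "(PHI)" sits directly after "HIPAA covered entities", so it reads as an abbreviation for covered entities rather than for the personalized data. Move it: "...a larger set of personalized data (PHI) that will be transmitted to HIPAA covered entities". The sentence is now long enough that a comma after "for wearables" would help.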
Expand All @@ -28,6 +28,14 @@ One of the most exciting aspects of wearables may be in patient health managemen

Covered entities and their business associates are required by law to be HIPAA compliant, so any application hoping to connect to one of these entities as part of patient care must be HIPAA compliant.

### Medical devices

It is possible, based on the features and functionality that you include in your application or wearable device that it may actually be classified as a medical device. It’s important to look up FDA regulations and check whether your app will be considered to be a medical device or not.

If it does fall under those definitions it may require FDA approval which brings with it a whole host of further regulations.

Don’t launch your app until you’ve determined whether or not you are safely outside the FDA’s medical device classification.

### Data encryption

Because most wearables lack a user interface to add or manage security features on the device in the event it is lost or stolen, it's important for wearable software developers to take the appropriate precautions to encrypt the data on the device as the default.
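Review bot: in the new "Medical devices" section, "It is possible ... that it may actually be classified" doubles the hedge; "Depending on the features and functionality you include in your application or wearable device, it may be classified as a medical device" says the same thing once. The second paragraph needs a comma before "which" ("...may require FDA approval, which brings with it..."). More importantly, "look up FDA regulations" gives the reader nothing to look up, while the rest of the guide links its sources (the Omnibus Rule, HHS.gov); add a link to the specific FDA guidance the authors have in mind. The section also sits between "must be HIPAA compliant" and "Data encryption" with no signal that it is about a different regulator; a short lead such as "HIPAA isn't the only regulation to check" would mark the change of subject.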
0 comments on commit 100d223