1

I have a HIPAA compliant app which uses an API hosted at https://iswearthisissecure.com.

Is the app allowed to make outbound requests to services that are not HIPAA compliant if no PHI is transferred?

For example:

  • Can I serve an image from our blog which does not run on a HIPAA compliant platform?
  • Can I make a request for COVID-19 data through a third-party API?
  • What if the content is in an iframe?
  • Can static content of the app be served from a third-party CDN that I do not sign a BAA with?

I understand there are security implications for making requests to third parties, but that's not my concern. I just need to know whether such requests are allowed to be made if no PHI is transferred in the process.

fny

0 Answers