Section 164.104 - Applicability

2 Analyses of this regulation by attorneys

  1. US Regulatory Considerations Applicable to Digital Health Providers and Suppliers – Part II: HIPAA (Continued) & Additional Important Privacy Considerations

    K&L Gates LLP, October 20, 2021

    In our next article, we discuss relevant provisions of the Federal Food, Drug and Cosmetic Act (FDCA) and its application to mHealth application developers, including issues unique to non-US companies.

    1. 45 C.F.R. § 164.506. 2. 45 C.F.R. § 164.502(b). 3. 45 C.F.R. § 164.520. 4. 45 C.F.R. §§ 164.314, 164.504(e). 5. Id. 6. 45 C.F.R. § 164.104(b). 7. 45 CFR, Subtitle A, Subchapter C, Part 164, Subpart C, Security Standards for the Protection of Electronic Protected Health Information. 8. Id. 9. 45 C.F.R. §§ 160.400-414. 10. 45 C.F.R. § 160.404(b). 11. 45 C.F.R. §§ 160.401, et seq. 12. See, e.g., Press Release, HHS, Health Insurer Pays $5.1 Million to Settle Data Breach Affecting Over 9.3 Million People (Jan. 15, 2021), https://www.hhs.gov/about/news/2021/01/15/health-insurer-pays-5-1-million-settle-data-breach.html. 13.

  2. HHS Issues HIPAA/HITECH Omnibus Final Rule Ushering in Significant Changes to Existing Regulations

    Proskauer Rose LLP, January 29, 2013

    HHS did note in the preamble, however, that it will issue additional guidance "to aid covered entities and business associates in performing risk assessments with respect to frequently occurring scenarios."

    2. Expansion of HHS Enforcement Authority over Business Associates and Related Changes to Requirements for Business Associate Agreements

    As expressly required by HITECH, the Omnibus Rule amends 45 C.F.R. § 164.104 to make certain HIPAA privacy and security rules directly applicable to business associates, but only where those rules so provide. The rules that are made applicable to business associates under this provision are: 45 C.F.R. § 164.306 pertaining to security standards, 45 C.F.R. § 164.308 pertaining to administrative safeguards, 45 C.F.R. § 164.310 pertaining to physical safeguards, 45 C.F.R. § 164.312 pertaining to technical safeguards, 45 C.F.R. § 164.316 pertaining to policies and procedures, 45 C.F.R. § 164.502 pertaining to disclosures of PHI, and 45 C.F.R. § 164.504 pertaining to organizational requirements.