by Legogris 2282 days ago
I worded that poorly. How about this: If you don't own, manage, solicit or control any servers having access to PHI or PII, you don't have any risk of being liable.

Put all of that on the client, do your best to protect it, but ultimately make it the client's responsibility.

I still haven't seen any lawsuits or regulation targeting software in that sense, apart from DRM.


There is no distinction between client vs server when it comes to the law. The same organization created and operates both and is liable as a data processor in both situations.

This is again the difference between engineer vs policymaker.

Do you have a source to back that up?

As far as I understand it, Microsoft has no responsibility for PII in e-mails going through the Outlook e-mail client. Maybe the US is different, but at least in Europe, the GDPR is clear that software vendors have no responsibility for data being processed locally when it's deployed and run by others.

Oracle has no liability for the data stored in their database.

If you have no way of touching the data, and your servers (self-managed or otherwise) aren't touching data in any form, you have no legal liabilities wrt data (apart from agreements of course).

Or am I missing something?