by moomoo11 1197 days ago
HIPAA only applies to healthcare providers I think. Private companies like the extension maker can do whatever they want. At least that’s what someone on the internet told me and maybe it’s wrong.
3 comments

If the provider wants to use the extension for patient care, the extension maker must be prepared to enter into an agreement to comply with the HIPAA rules.

https://www.hhs.gov/hipaa/for-professionals/covered-entities...

> If a covered entity engages a business associate to help it carry out its health care activities and functions, the covered entity must have a written business associate contract or other arrangement with the business associate that establishes specifically what the business associate has been engaged to do and requires the business associate to comply with the Rules’ requirements to protect the privacy and security of protected health information.

No. HIPAA applies to software as the software company would be considered a business associate.

"If you handle, store or transmit protected health information (PHI) to or from a covered entity then you need to be HIPAA compliant."

Source: https://github.com/truevault/hipaa-compliance-developers-gui...

Business associate only comes into play when you're working with a covered entity. And, covered entities are far less inclusive than most people think.

----

The posted software is absolutely free to be non-HIPAA compliant. They're not a covered entity and without a relationship with a covered entity, they're not a business associate. However, without a relationship with a covered entity, they're also unlikely to generate any meaningful revenue.

This is not so clear-cut, though. There is a lot of gray area and doubt about this. HIPAA is not as complete a protection as people think, and there are many situations where you'd think HIPAA would obviously apply, but it doesn't.

Your statement is correct, but not complete.

When a covered entity (a HIPAA-required provider) does business with a private non-covered entity _and_ that transaction involves HIPAA controlled information, they must enter into a Business Associate Agreement (BAA). This effectively forces the private entity to maintain the same HIPAA standard as the provider.

A private company is absolutely free to build non-HIPAA compliant software, but they are completely unlikely to get any healthcare providers to actually use it.