Little bit picking at straws but I sure would love to find some way to punt this law. Medtronic has an insulin delivery solution which involves the distribution of a custom Android phone with a closed source app. Other fields in medicine do this as well as a matter of course, so that they can guarantee clinical operation on that particular device (rather than risk app operation on Android device fragmentation) and get OK’d by the FDA. The FDA testing process can take upwards of 4 years, and is usually cleared for -specific- operating system versions (which, by the end of testing, can be very old).

I wonder: since that operating system needs to attest and (vaguely) eventually report an age and other identifiers to a government API and app developers, will that report violate HIPAA?