What do I need to consider regarding HIPAA compliance?

I was contracted out by a local physical therapy clinic to create a survey for new patients using ResearchKit that would replace their paper onboarding process. The data includes Name, Injury info, Hospitalization Dates, etc., so it would be considered PHI. The data is not stored on the device outside of the ORKResult. Once the ORKResult is obtained at the end of the survey, it is displayed as a summary to the user and immediately sent to the business's Dropbox. Dropbox has recently declared itself HIPAA compliant... so for all intents and purposes let's assume that once my data reaches Dropbox it is secure and within HIPAA regulations. Are there processes that occur before it arrives in Dropbox that I need to consider in order to make my app HIPAA compliant? All I'm finding as I search the web are articles saying that developers need to take their own measures to ensure HIPAA compliance, but I'm a little lost as to where I should look.