As a Medical Device Company, Are You a HIPAA Business Associate?

07/09/2018

If your medical device collects PHI, you may be considered a HIPAA Business Associate.

What makes it "medical" and "health" related?

  • Heart beat monitor? Yes?
  • Step counters (Fitbit, phone) pedometer - not?
  • ECG?

Under HIPAA, a Business Associate is a third-party entity or contractor that performs services on behalf of Covered Entities such as health care providers that involve the handling of protected health information, or PHI. If you are working under someone who is a Covered Entity, that does not make you a Business Associate. However, a software developer who develops applications using PHI collected from wearable devices would not be considered a Business Associate unless he/she is an independent contractor and not an employee of a Covered Entity. Some other examples of Business Associates may include:

  • A third party administrator that assists a health plan with claims processing.

  • A CPA firm whose accounting services to a health care provider involve access to protected health information.

  • An attorney whose legal services to a health plan involve access to protected health information.

  • A consultant that performs utilization reviews for a hospital.

  • A health care clearinghouse that translates a claim from a non-standard format into a standard transaction on behalf of a health care provider and forwards the processed transaction to a payer.

  • An independent medical transcriptionist that provides transcription services to a physician.

  • A pharmacy benefits manager that manages a health plan's pharmacist network.

What About Medical Device Companies That Produce Wearables?

If the company does create, maintain, transmit, or receive PHI or ePHI on behalf of a covered entity, and there is no receipt of patient information from a covered entity by the device prior to sale, then the company is not a business associate and therefore does not need to be HIPAA compliant. Wearable devices like Fitbit that collect information used for the company's own behalf also are not bound by HIPAA because they are not sharing the information with any covered entities and are not considered business associates. Much ambiguity still exists for companies who keep their customer's data collected through mobile apps and devices, but as of now it's clear that regulation in those cases fall out of HIPAA's scope.

Do You Need a Business Associate Agreement?

Yes! If you meet the above definition that is. Business Associates must guarantee that they will only use the disclosed information exclusively for the purposes outlined by the Covered Entity, keep it protected, and comply with the Covered Entity's duties outlined in the Privacy Rule. The above must be documented in the form of a contract or other agreement between the Covered Entity and the Business Associate.

Check out our references page here to see a sample BAA agreement.