I know that any HIPAA covered entity or business associate has to be HIPAA compliant, but I heard that only some medical device companies fall into those categories. How do I know if my medical device company counts as a HIPAA covered entity or business associate?
There are only two ways to become subject to HIPAA requirements: either by directly falling into the definition of a HIPAA covered entity or by entering into a relationship with a HIPAA covered entity that makes your organization a business associate. Let's take those one by one.
HIPAA covered entities fall into one of three categories:
- Healthcare providers, such as doctors, nurses and pharmacies;
- Healthcare plans, such as insurance companies and HMOs; and
- Health clearinghouses, such as firms that perform standardization of health data.
It's unlikely that a medical device company will participate directly enough in patient care to fall into any of these three categories. Therefore, it is unlikely that your company will be considered a HIPAA covered entity.
Business associates, on the other hand, are defined as "a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity." Notice that the definition requires a relationship between the business associate and a covered entity. If your company does not work with any HIPAA covered entities, you can stop right there. You're not a business associate and you're not subject to HIPAA.
If your company does work directly with healthcare providers or other HIPAA covered entities, it will need to dig a little deeper into the situation. Does your company get involved in the transmission of protected health information from your device to a healthcare provider? If your company has access to that information or is part of the transmission path, it may be a business associate and should run the details of the situation past a HIPAA attorney. Your company may also fall under the business associate provisions if it receives protected health information from a HIPAA covered entity.
As always, compliance requirements depend heavily on the specifics of any situation. You'd be well-advised to consult with an attorney who understands your business and the inner workings of HIPAA.