
Is a medical device vendor a HIPAA covered entity?

Medical device companies are part of the health industry, but does that make them a HIPAA covered entity or business associate? Expert Mike Chapple has the answer.

I know that any HIPAA covered entity or business associate has to be HIPAA compliant, but I heard that only some medical device companies fall into those categories. How do I know if my medical device company counts as a HIPAA covered entity or business associate?

There are only two ways to become subject to HIPAA requirements: by either directly falling into the definition of a HIPAA covered entity or by entering into a relationship with a HIPAA covered entity that makes your organization a business associate. Let's take those one by one.

HIPAA covered entities fall into one of three categories:

  • Healthcare providers, such as doctors, nurses and pharmacies;
  • Healthcare plans, such as insurance companies and HMOs; and
  • Health clearinghouses, such as firms that perform standardization of health data.

It's unlikely that a medical device company will participate directly enough in patient care to fall into any of these three categories. Therefore, it is unlikely that your company will be considered a HIPAA covered entity.

Business associates, on the other hand, are defined as "a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity." Notice that the definition requires a relationship between the business associate and a covered entity. If your company does not work with any HIPAA covered entities, you can stop right there. You're not a business associate and you're not subject to HIPAA.

If your company does work directly with healthcare providers or other HIPAA covered entities, you will need to look more closely at the situation. Is your company involved in the transmission of protected health information from your device to a healthcare provider? If your company has access to that information or is part of the transmission path, it may be a business associate and should run the details of the situation past a HIPAA attorney. Your company may also fall under the business associate provisions if it receives protected health information from a HIPAA covered entity.

As always, compliance requirements depend heavily on the specifics of any situation. You'd be well-advised to consult with an attorney who understands your business and the inner workings of HIPAA.


This was last published in January 2016
