DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website does not, and is not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.
Some durable medical equipment (DME) manufacturers are covered by HIPAA, and some are not. The Department of Health and Human Services has published guidance on this topic to help DME manufacturers determine their HIPAA status:
A medical device company meets the Privacy Rule’s definition of “healthcare provider” if it furnishes, bills, or is paid for “healthcare” in the normal course of business. “Healthcare” under the HIPAA Rules means care, services or supplies related to the health of an individual.
Therefore, a device manufacturer is a health care provider under the Privacy Rule if it needs protected health information to counsel a surgeon on or determine the appropriate size or type of prosthesis for the surgeon to use during a patient’s surgery, or otherwise assists the doctor in adjusting a device for a particular patient.
Similarly, when a device company needs protected health information to provide support and guidance to a patient, or to a doctor with respect to a particular patient, regarding the proper use or insertion of the device, it is providing “health care” and, therefore, is a health care provider when engaged in these services.
By contrast, a medical device company is not providing “health care” if it simply sells its appropriately labeled products to another entity for that entity to use or dispense to individuals.
If the device company meets the definition of "provider," AND engages in one or more "HIPAA transactions," the device company is a covered entity under HIPAA.
Can a Medical Device Company/Medical Device Equipment Manufacturer be a Business Associate?
The guidance addresses this issue as well. In some instances, a medical device company may be regarded as a business associate. When a medical device company is a business associate, it must enter into a business associate agreement with a covered entity for whom it performs services involving the creation, transmission, maintenance, and/or receipt of PHI.
The guidance provides:
A medical device company is acting as a business associate, and a business associate agreement would be required if a covered entity asked the medical device company to provide an estimate of the cost savings it might expect from the use of a particular medical device; and to do so, the device company needed access to the covered entity’s protected health information.
In this case, the medical device company is performing a healthcare operations function (business planning and development) on behalf of the covered provider, which requires a business associate agreement even though the disclosure is permitted without an authorization.