
Guidance on HIPAA Compliance for Medical Devices

Posted by Sierra Labs on Sep 17, 2020 8:38:00 AM

Defining HIPAA Compliance as it pertains to your Medical Device Company.


HIPAA compliance in healthcare can be a complex web to untangle, even more so when you are trying to work out what it means for you and your product. This post looks at how and why your organization may fall under HIPAA. First, let's review what exactly HIPAA is.

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) was created to provide a baseline of security standards for handling personal health information (PHI). Prior to HIPAA, companies developing medical devices that handled PHI had no clear regulatory boundaries. This blurred the regulatory lines, especially as technology evolved and was more widely adopted in the healthcare industry. There was no standard that successfully detailed the best methods or practices for handling PHI, let alone transmitting it.

The main identifiers that make health information PHI according to HIPAA are:

  • Names, Dates, SSI, Vehicle Identifiers
  • Telephone Numbers, Fax Numbers, Emails, Internet Protocol Addresses, Geographic Data
  • Certificate Numbers, License Numbers, Health Plan Beneficiary Numbers
  • Biometric identifiers or any unique identifying code or number

Purpose of HIPAA

HIPAA has two main purposes: first, to serve as a guide for identifying which patient information qualifies as “protected,” and second, to provide best practices for setting safeguards. Although HIPAA establishes these standards, it is the U.S. Department of Health and Human Services (HHS) that enforces their implementation through the Security Rule and the Privacy Rule.

It's important to understand the language used in HIPAA so that you have a better grasp of the HIPAA Rules. Two important terms that describe the parties involved in HIPAA compliance are:
  • Covered Entities (CE): healthcare providers that transmit information in an electronic form; health plans, such as insurance companies, HMOs, and government programs that pay for care; and healthcare clearinghouses, such as a coding service or revenue cycle management partner.
  • Business Associates (BA): partners utilized by Covered Entities, such as claims processors, CPA and law firms, quality assurance consultants, and pharmacy benefits managers.

There are definite instances in which a medical device company will find itself defined as a Business Associate, for example when your medical device generates PHI and you work under contract with a Covered Entity (a doctor’s office or hospital). In that case, the device transmitting ePHI should be HIPAA compliant.

If you seek further guidance on developing a HIPAA compliance program, check out this thorough checklist!

Which Devices Need to be HIPAA Compliant

Are you unsure whether your medical device is affected by HIPAA standards? Here is a simple way to find out: if your medical device transmits, receives, or records health information, then it falls under HIPAA compliance.

If you are a startup looking to develop a health app for the healthcare industry, you should give strong consideration to how HIPAA compliance could impact your entire development process. Not all health apps need to be HIPAA compliant, such as ones that only require inputting estimated data to chart your own health and fitness goals. But if your app records, stores, manages or shares PHI for, with, or on behalf of CEs, then HIPAA does in fact apply.

Developing an eHealth application? Learn how to establish safeguards for HIPAA compliance with our FREE eBook!

HHS expects medical devices to be built with the capability to handle sensitive information and to safeguard the transmission of data from patients to authorized third parties.

Legal Implications with HIPAA

So what happens if you fall short with HIPAA compliance? A hefty fine.

If you are found in violation of any HIPAA rules, you could face a large fine regardless of intent. Where the violation is severe, criminal charges could be filed against members of your company.

Violation Category (Section 1176(a)(1))   Each Violation        Violations of an Identical Provision in a Calendar Year
A.   Did not know                         $100 - $50,000        $1,500,000
B.   Reasonable Cause                     $1,000 - $50,000      $1,500,000
C.i. Willful Neglect - Corrected          $10,000 - $50,000     $1,500,000
C.ii. Willful Neglect - Not Corrected     $50,000               $1,500,000

A Toolset to Manage your SOP Documents

While the complexities of HIPAA may seem overwhelming, the companies that choose to push through are the ones we’ll be talking about for years to come. With data breaches increasing each year, the last thing you want to face is a long list of penalties and lawsuits because you did not fortify your HIPAA compliance program.

Here at Sierra Labs, we have helped SaMD companies break into the health technology market by designing a concrete regulatory roadmap that fits their business’ needs. We do this by conducting a proper HIPAA Risk Assessment suited to your business size and type, identifying the key areas your organization needs to focus on to mitigate potential threats.

Sierra Services is the first step toward achieving HIPAA compliance and the other regulatory requirements on the way to launching your product. We will guide you every step of the way to ensure your team feels safe and confident on your product’s journey to market.
