
HIPAA Process for Medical Device Companies

By: STEVEN N. BECK

April 2003

On April 14, 2003, HIPAA's Privacy Provisions will go into effect. The burdens of this new regulatory system may impact medical device companies more significantly than they do health care providers and payors, who are more directly regulated by the law.

Covered Entity

The HIPAA regulations apply directly to entities that are "covered entities" under the HIPAA definitions. In general, this only includes entities that electronically transmit a standard transaction set--in other words, entities that file electronic claims for healthcare-related services or products. If a medical device company provides devices to patients and directly bills third-party payors, the device company would meet this definition and be considered a covered entity. Other device companies may not be covered entities, but nevertheless may be impacted by the law.

Disclosures of Protected Health Information to a Medical Device Company

Medical device companies receive protected health information in a variety of ways: they frequently interact with physicians and hospitals providing a device to specific patients; they sponsor clinical trials relating to the technology; they receive reports on device-related problems from biomedical engineers and hospital peer review organizations; or, in servicing products, they may require access to a patient's private data. The HIPAA laws will require that the device company examine its practices and develop an understanding of whether the relationship implicates HIPAA, and how this information must be treated. Moreover, many health care providers with whom medical device companies interact are covered entities and will need to determine what type of relationship they have with the medical device company. Many health care providers will then deliver "Business Associate Agreements" to representatives of the medical device company, asking them to execute the agreements as a condition of doing further business.

The problem is that often, the health care provider does not fully understand what HIPAA actually requires. In a great number of cases, the information being received by the medical device company is not disclosed to the device company as a business associate. To be considered a "business associate" under HIPAA, an entity must be both using protected health information and performing a service on behalf of the covered entity. Even if a device company receives protected health information from a health care provider, if the medical device company is not providing services on behalf of the health care provider, the relationship is not a business associate relationship. For example, if a device manufacturer is actually providing services that meet the definition of "treatment" under HIPAA, the services may not be provided as a business associate. Thus, a Business Associate Agreement is not always necessary, and in some cases is not sufficient to give legal authority for the disclosure to the device company. 

In some situations, no special authority is necessary for a disclosure of information. In others, it is the best practice to obtain a properly worded authorization from the patient. HIPAA requires that authorizations include a number of specific statements and provisions. In addition, when developing an authorization, device manufacturers must take care to make certain that the uses of the information by the medical device company are not circumscribed by the document in a way that prevents the device manufacturer from performing its duties or operating its business in a proper way.

It is critically important for medical device manufacturers to ensure, in their dealings with customers, that the HIPAA privacy rule is being properly addressed and that they are not entering into agreements that contain provisions that would needlessly interfere with their normal business practices. This may, unfortunately, be a major task. Fredrikson & Byron has focused significant resources on HIPAA matters and can provide help.