January 17, 2024. McGuireWoods partners Kimberly Kannensohn and Sam Bernstein conducted a webinar discussing how the Health Insurance Portability and Accountability Act (HIPAA) applies to medical device companies, together with specific U.S. Food and Drug Administration (FDA) guidance documents relating to digital health and cybersecurity.
Below are eight key takeaways from the discussion. To watch the entire webinar, please visit the McGuireWoods website.
- Most medical device companies are not HIPAA covered entities or business associates when performing their core functions. (The typical exceptions are manufacturers of durable medical devices, prosthetics, orthotics, and consumables, which are covered entities.) However, medical device companies can qualify as health care providers, which gives hospitals and other health care providers greater flexibility in disclosing protected health information (PHI) to medical device companies and to their sales representatives at the treatment site.
- Although medical device companies are not business associates when receiving PHI for treatment, hospitals and other health care providers may still require such companies to enter into business associate agreements (BAAs). As explained in the webinar, a manufacturer must take certain precautions when signing a BAA in such situations.
- Because clinical research does not fall within the definition of medical practice and is not a covered activity under HIPAA, covered entities cannot disclose PHI to third parties for research purposes under a BAA. Further, unless an exception applies, a provider may disclose PHI to a medical device manufacturer or other third party for research purposes only pursuant to the patient's authorization or a waiver under HIPAA.
- Covered entities may disclose PHI to medical device manufacturers without obtaining patient authorization for certain activities related to FDA-regulated products, such as medical device reporting, tracking of FDA-regulated products, post-market surveillance, and facilitating product recalls, repairs, and replacements.
- HIPAA prohibits the sale of PHI and the use of PHI for marketing purposes without signed patient authorization.
- Many states have adopted privacy laws that apply to medical device companies and impose stricter restrictions on them than HIPAA.
- The FDA recently introduced guidance allowing the use of digital health technologies for remote data collection in clinical trials.
- FDA expects medical device manufacturers to address cybersecurity issues throughout the lifecycle of medical device products, not just in product design, labeling, and quality control systems.