The facts of life for HIPAA business associates

March 11, 2013

If you are a biomed vendor and you collect any kind of PHI (protected health information) in your medical device, or store that information in the cloud (including public cloud services like Google Drive and Dropbox), you need to be aware of US healthcare information privacy regulation.

As a medical device vendor selling to healthcare providers, hospitals, physicians and health information providers in the US, you may be directly liable for violations of the HIPAA Security Rule for impermissible use and disclosure of PHI (protected health information) in any form, paper or digital.

You cannot hide behind your contract with the covered entity or sub-contract your services to another entity.
You must now comply with the HIPAA Security Rule yourself.
In the past you could rely on your business contract with your covered entity customer as a business associate.
The Final Rule makes business associates of covered entities directly liable for Federal penalties for failures to comply.
The Security Rule’s administrative, physical, and technical safeguards requirements in §§ 164.308, 164.310, and 164.312, as well as the Rule’s policies and procedures and documentation requirements in § 164.316, apply to business associates in the same manner as these requirements apply to covered entities; business associates are now civilly and criminally liable for violations of these provisions.
When a breach of patient privacy occurs, business associates and their sub-contractors must notify HHS if more than 500 records have been disclosed.

The HIPAA Final Rule becomes effective March 26, 2013. Everyone has to comply by September 23, 2013. That includes medical device vendors like you.

I’m a small biomed startup – what should I do?

Smaller or less sophisticated biomed vendors may not have engaged in the formal safeguards required by the HIPAA Security Rule, and may find the Final Rule unfamiliar and even intimidating new territory.
Software Associates specialize in software security and HIPAA compliance for biomed. We use a robust threat modeling process that analyzes multiple threat scenarios and generates best-fit, cost-effective safeguards, a highly effective way of achieving robust software security and HIPAA compliance.
We will help you achieve HIPAA compliance and implement the right safeguards for your product.
Please feel free to contact us at any time and ask for a free phone consultation.