Key Takeaways From McGuireWoods’ Webinar on HIPAA and Cybersecurity for Medical Device Companies

January 26, 2024

On Jan. 17, 2024, McGuireWoods partners Kimberly Kannensohn and Sam Bernstein conducted a webinar regarding how the Health Insurance Portability and Accountability Act (HIPAA) applies to medical device companies and certain U.S. Food and Drug Administration (FDA) guidance documents related to digital health and cybersecurity.

Below are eight key takeaways from the discussion. To watch the full webinar, visit McGuireWoods’ website.

  1. In performing their core functions, most medical device companies are not covered entities or business associates under HIPAA. (Durable medical equipment, prosthetics, orthotics, and supplies manufacturers are usually covered entities.) However, medical device companies may qualify as healthcare providers, which affords hospitals and other providers the flexibility to disclose protected health information (PHI) to medical device companies and their sales representatives in a treatment setting.
  2. Medical device companies are not business associates when they receive PHI for treatment, but hospitals and other providers may nonetheless insist that such companies sign a business associate agreement (BAA) as a condition to facility access. Manufacturers should take certain precautions when signing a BAA in those circumstances, as described in the webinar.
  3. As clinical research does not fall within the definition of healthcare operations and is not a covered function under HIPAA, covered entities may not disclose PHI to third parties for research purposes pursuant to a BAA. In addition, unless an exception applies, a provider may only disclose PHI to a medical device manufacturer or other third party for research purposes pursuant to a HIPAA-compliant patient authorization or a waiver.
  4. Covered entities may disclose PHI to medical device manufacturers for certain activities related to FDA-regulated products without obtaining a patient authorization, including medical device reporting, tracking FDA-regulated products, post-market surveillance, and facilitating product recalls, repairs, or replacements.
  5. HIPAA prohibits the sale of PHI and the use of PHI for marketing purposes without a signed patient authorization.
  6. A number of states have adopted privacy laws that apply to medical device companies and impose limitations more stringent than those under HIPAA.
  7. The FDA recently introduced guidance that permits the use of digital health technology for remote data collection in clinical trials.
  8. The FDA expects medical device manufacturers to address cybersecurity concerns in product design, labeling, and quality management systems, as well as throughout the entire life cycle of a medical device product.

McGuireWoods’ cross-functional team of life sciences attorneys routinely assists clients with privacy, compliance, regulatory, transactional, and litigation matters, and with navigating the ever-evolving landscape of life sciences laws and regulations. For assistance with data privacy or cybersecurity issues, please contact one of the authors of this article.