Five HIPAA Red Lines For Medtech Companies

Mitchell C. Shelowitz, Managing Partner, SLG Shelowitz Law Group

HIPAA[1] is a complex healthcare privacy law that applies to many global technology companies that serve the U.S. healthcare industry. Tech companies that are deemed Business Associates under HIPAA face significant liability for the following five HIPAA violations, among others.[2]

    1. NON-COMPLIANCE. Failure to comply with the HIPAA Security Rule.[3]
    2. FAILURE TO REPORT. Failure to report data breaches.[4]
    3. MISUSE OF PATIENT INFORMATION. Misuse and improper disclosure of protected health information (PHI).[5]
    4. MORE PHI THAN YOU NEED. Disclosure or use of more PHI than needed to complete the tasks at hand.[6]
    5. NO BUSINESS ASSOCIATE AGREEMENT. Failure to enter into Business Associate Agreements, or failure to comply with signed Business Associate Agreements.[7]

SLG has leveraged its extensive knowledge of the technology industry to support our clients' compliance needs under HIPAA. For more information, please see our HIPAA For Tech Companies page.

[1] HIPAA is the Health Insurance Portability and Accountability Act of 1996, a U.S. healthcare privacy law that has been implemented through various federal rules issued by the U.S. Department of Health and Human Services (HHS) (the "HIPAA Rules").

[2] See New HHS Fact Sheet on Direct Liability of Business Associates under HIPAA, www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/factsheet/index.html.

[3] See HITECH Act § 13401, 42 USC § 17931 (making 45 CFR §§ 164.308, 164.310, 164.312, and 164.316 directly applicable to business associates, as well as any other security provision that the HITECH Act made applicable to covered entities); 45 CFR §§ 164.306, 164.308, 164.310, 164.312, 164.314, 164.316.

[4] See 45 CFR §§ 164.410, 164.412.

[5] See 45 CFR § 164.502(a)(3).

[6] See 45 CFR § 164.502(b).

[7] See 45 CFR §§ 164.502(e)(1)(ii), 164.504(e)(5).