Gardner Law Firm writes:
The Health Insurance Portability and Accountability Act of 1996 as amended and implemented through regulations at 45 C.F.R. §§ 160 and 164 (“HIPAA”) regulates the privacy and security of health information. For drug and device manufacturers, navigating HIPAA alongside state privacy laws presents unique challenges. This alert summarizes key takeaways from Paul Rothermel’s recent presentation on HIPAA’s applicability, key disclosure exceptions, and how state privacy laws (through key examples) intersect with federal regulations.
Read below for some highlights and view Paul’s presentation online.
HIPAA Applicability for Drug and Device Makers
HIPAA applies to “covered entities” and “business associates.” Covered entities include healthcare providers, health plans, and healthcare clearinghouses, while business associates handle protected health information (“PHI”) on behalf of covered entities. Most drug and device manufacturers are not covered entities (exceptions include durable medical equipment manufacturers, for example) and many also do not qualify as business associates (exceptions include certain connected devices that process PHI and programs, including reimbursement support programs, that require access to PHI). HIPAA considerations can add complexity not faced by other U.S. privacy laws.
Key components of HIPAA include the Privacy Rule, Security Rule, and Breach Notification Rule. These rules set standards for protecting PHI, limiting the use and disclosure of PHI and ensuring its confidentiality, integrity, and availability.
Read more highlights at Gardner.