Classifying Medical Device Companies under HIPAA

Modified on Mon, 11 Dec, 2023 at 11:55 AM

DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.



Whether a medical device company is a health care provider, a covered entity, or a business associate depends on the circumstances. These circumstances are discussed in this article.


When is a Medical Device Company Considered to be a Healthcare Provider Under HIPAA?

A medical device company meets the HIPAA definition of “healthcare provider” if it furnishes, bills, or is paid for “health care” in the normal course of business. “Healthcare” under HIPAA means care, services, or supplies related to the health of an individual. Thus, a device manufacturer is a health care provider under HIPAA if it needs protected health information to counsel a surgeon on or determine the appropriate size or type of prosthesis for the surgeon to use during a patient’s surgery, or otherwise assists the doctor in adjusting a device for a particular patient. Similarly, when a device company needs protected health information to provide support and guidance to a patient, or to a doctor with respect to a particular patient, regarding the proper use or insertion of the device, it is providing “health care” and, therefore, is a health care provider when engaged in these services.

When is a Medical Device Company NOT Considered to be a Healthcare Provider Under HIPAA?
By contrast, a medical device company is not providing “health care” if it simply sells its appropriately labeled products to another entity for that entity to use or dispense to individuals.


When is a Healthcare Provider Regarded as a Covered Entity Under the HIPAA Privacy Rule?
To be a covered entity, the medical device company must meet the definition of “covered entity” - it must be a healthcare provider who transmits any health information in electronic form in connection with a transaction covered by HIPAA.

“HIPAA-covered transactions” are Information transmissions between a provider and another entity, to carry out financial or administrative activities related to health care.

If a medical device company transmits health information that relates to one or more of these transactions, the provider is a covered entity.

HIPAA-covered transactions include:

  • Health claims or equivalent encounter information transactions.  (Requests to obtain payment, and necessary accompanying information, from a health care provider to a health plan, for health care.)

  • Health care payment and remittance advice transactions.

  • Coordination of benefits transactions.

  • Health care claim status transactions.

  • “Enrollment and disenrollment in a health plan” transactions.

  • “Eligibility for a health plan” transactions.

  • “Health plan premium payments” transactions.

  • “Referral certification and authorization” transactions.


Can a Medical Device Company be a Business Associate?
A medical device company may be a business associate of a covered entity if the medical device company is performing a function or activity on behalf of, or providing a service to, a covered entity. 


In some circumstances, a medical device company seeking to disclose PHI to a covered entity may be required to enter into a business associate agreement with that covered entity, even if the disclosure does not require prior written patient authorization. For example, a business associate agreement would be required between a medical device company and a covered entity if the covered entity asked the medical device company to provide an estimate of the cost savings it might expect from the use of a particular medical device; and to do so, the device company needed access to the covered entity’s protected health information. In this case, the medical device company is performing a healthcare operations function (business planning and development) on behalf of the covered provider, which requires a business associate agreement even though the disclosure is permitted without an authorization.


For HHS guidance on this topic, please click here.



Was this article helpful?

That’s Great!

Thank you for your feedback

Sorry! We couldn't be helpful

Thank you for your feedback

Let us know how can we improve this article!

Select at least one of the reasons
CAPTCHA verification is required.

Feedback sent

We appreciate your effort and will try to fix the article