If a medical device collects, stores, or transmits protected health information (PHI) to a Covered Entity or a Business Associate, for example, a glucose level tied to an identifiable person, then the HIPAA rules apply. Many modern medical devices, wearables, and Internet of Medical Things (IoMT) devices now have built-in microprocessors and Wi-Fi or Bluetooth radios that can store PHI and transmit it to the cloud, where healthcare providers can access it.
For instance, a Fitbit for personal use is not bound by HIPAA, but a Fitbit integrated with a corporate wellness program and tied to a Covered Entity or a Business Associate would be bound by HIPAA. In this case, Fitbit should have a Business Associate Agreement in place for this application.
A business associate contract, or business associate agreement, is a written arrangement that specifies each party’s responsibilities when it comes to PHI.
The contract must describe permitted and required PHI uses for the business associate, and also state that the business associate “will not use or further disclose the protected health information other than as permitted or required by the contract or as required by law.”