I was wondering if someone could verify my understanding about how HIPAA and GDPR apply to my company's products.

Our company produces a medical therapy device that can wirelessly transfer data to a dedicated PDA and/or the user's phone via an app. The dedicated PDA or phone app cannot transfer data outside of this system (that is, it's not cloud connected and the data cannot easily be transferred to a covered entity or business associate).

Since HIPAA is mainly associated with Covered Entities and Business Associates, the current product system should only need to comply with the "Security Rule" about ensuring security in the data transfer between the device and the PDA/phone. Is that correct?

Regarding GDPR, I believe it's a similar situation as the user controls the data 100%, so there are little to no requirements for GDPR compliance.

Am I missing something?
