Need help to understand HIPAA requirements

Ajit Basrur

Staff member
Thanks Marc.

I was reviewing "190 - Who must comply with HIPAA privacy standards" and found that the HIPAA privacy standards apply only to the entities listed below ... so I wanted to know the scope for a medical device specification developer, who is not identified below.

Who must comply with HIPAA privacy standards?
As required by Congress in HIPAA, the Privacy Rule covers:
  • Health plans
  • Health care clearinghouses
  • Health care providers who conduct certain financial and administrative transactions electronically. These electronic transactions are those for which standards have been adopted by the Secretary under HIPAA, such as electronic billing and fund transfers


Captain Nice
Staff member
It may not call out medical device specification developers specifically, but it doesn't take much imagination to 'assume' that any medical device that data can be exported from would have to address security risks.

As you know it's far afield of my areas of expertise so I was just throwing out a thought. I know that it's a big issue to health care providers. Health software (e.g.: Epic) is being heavily scrutinized these days.


Quite Involved in Discussions
HIPAA applies to all Business Associates, so if you are a developer working for a company that provides services to a Covered Entity (e.g. a hospital, doctor's office, etc.) and your services include, for example, processing or storing PHI, then there are a number of requirements you have to comply with. In particular I would look at the Security Rule, which contains requirements for Administrative, Physical and Technical Safeguards.
