HIPAA
U.S. federal law governing the privacy and security of protected health information.
Reviewed by Christian Espinosa, Founder, Blue Goat Cyber
Last reviewed May 5, 2026
Definition
The Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the HITECH Act (2009) and the HIPAA Omnibus Rule (2013), establishes federal requirements for the privacy and security of Protected Health Information (PHI) in the United States. The HIPAA Security Rule (45 CFR Part 164 Subpart C) requires Covered Entities and Business Associates to implement administrative, physical, and technical safeguards for electronic PHI (ePHI). HHS Office for Civil Rights (OCR) enforces HIPAA.
What the regulation says
MedTech device manufacturers are typically not Covered Entities, but become Business Associates when they store, process, or transmit PHI on behalf of a Covered Entity (a hospital, payer, or provider). Business Associates must sign a Business Associate Agreement (BAA), follow the Security Rule, and report breaches under the Breach Notification Rule. The 2024 Notice of Proposed Rulemaking (NPRM) proposes substantial Security Rule updates including mandatory MFA and annual risk analyses.
What this means in practice
Connected medical devices increasingly touch PHI - telemetry, patient identifiers, device-derived diagnostic data. The right design pattern is to minimize PHI on the device, encrypt in transit and at rest, segment from non-PHI workloads, and codify the BAA terms in product architecture decisions. Failure to recognize Business Associate status is a leading cause of OCR enforcement against MedTech companies.
Common pitfalls
- Assuming MedTech manufacturers aren't subject to HIPAA - Business Associate status is common.
- Storing PHI in customer-support tooling or analytics platforms without BAAs and equivalent controls.
- Treating de-identified data as 'not PHI' without meeting the Safe Harbor or Expert Determination standards.
Frequently asked questions
When it creates, receives, maintains, or transmits PHI on behalf of a Covered Entity. Cloud-connected devices, remote monitoring services, and analytics platforms typically qualify.