We are often asked whether a patient authorization is required in order to disclose protected health information (PHI) to a medical or dental device company. Similarly, practices have asked whether device companies will be considered business associates of the practice. The answer to both questions lies in whether or not the device company is considered a healthcare provider, as defined by the Privacy Rule.
A healthcare provider is defined as an entity that furnishes, bills or is paid for healthcare in the normal course of business.
If the device company provides healthcare (care, services or supplies related to the health of an individual), the company will be considered a healthcare provider (and must comply with HIPAA requirements as a covered entity). A patient authorization is not required in order to disclose PHI to other healthcare providers that are involved in the treatment of a patient. Nor is a business associate agreement required with such entities.
For more detailed information, please see the article “Medical & Dental Device Companies” in the December 2015 Advisor.