Navigating HIPAA and State Privacy Laws for Drug and Device Manufacturers

June 12, 2024


The Health Insurance Portability and Accountability Act of 1996, as amended and implemented through regulations at 45 C.F.R. Parts 160 and 164 (“HIPAA”), regulates the privacy and security of health information. For drug and device manufacturers, navigating HIPAA alongside state privacy laws presents unique challenges. This alert summarizes key takeaways from Paul Rothermel's recent presentation on HIPAA's applicability, key disclosure exceptions, and how state privacy laws (through key examples) intersect with federal regulations.

Read below for some highlights and view Paul's presentation online.

HIPAA Applicability for Drug and Device Makers

HIPAA applies to “covered entities” and “business associates.” Covered entities include healthcare providers, health plans, and healthcare clearinghouses, while business associates handle protected health information (“PHI”) on behalf of covered entities. Most drug and device manufacturers are not covered entities (durable medical equipment manufacturers are one exception), and many also do not qualify as business associates (exceptions include certain connected devices that process PHI, and programs, such as reimbursement support programs, that require access to PHI). Where HIPAA does apply, it adds a layer of complexity not present under other U.S. privacy laws.

Key components of HIPAA include the Privacy Rule, Security Rule, and Breach Notification Rule. These rules set standards for protecting PHI, limiting the use and disclosure of PHI, and ensuring its confidentiality, integrity, and availability.

HIPAA Disclosure Exceptions and Patient Authorization

HIPAA allows specific exceptions for disclosing PHI without patient authorization, including but not limited to treatment, payment, healthcare operations, public health activities, and disclosures to business associates. Patient authorization is required, with only narrow exceptions, for using or disclosing PHI for marketing purposes or for sales of PHI.

HIPAA and State Laws: Intersection and Compliance

HIPAA sets federal standards for health information privacy, but state laws can supplement these requirements. Manufacturers must evaluate the applicability of both federal and state laws. This includes identifying state-law exemptions for HIPAA PHI, determining whether business associate agreements are in place, and ensuring compliance with both sets of regulations.

Compliance with HIPAA does not automatically mean compliance with state privacy laws. Manufacturers must understand and adhere to the specific requirements of each relevant state law.

State Privacy Laws: Scope and Examples

Many state privacy laws impose additional requirements on handling personal health information. Nearly half of all U.S. states now have one or more consumer privacy laws on the books, and any list of these laws not updated in the past month is likely outdated. Some are broad (often called “comprehensive” privacy laws) and others more focused (e.g., creating requirements for so-called “consumer health data”). For example, the Washington “My Health My Data Act” (“MHMDA”) regulates consumer health data, and the California Consumer Privacy Act (“CCPA”) introduces broad requirements affecting all types of businesses. Both, among many other laws throughout the state privacy law patchwork, provide stringent privacy protections that affect drug and device manufacturers.

State laws often exempt PHI regulated under HIPAA (and some go further, exempting covered entities or business associates at the entity level, at least in part). However, in most cases drug and device manufacturers must still comply with state-specific privacy laws. These can introduce various requirements depending on the particular activity involved. For instance, the MHMDA requires explicit consent before certain collection and/or uses of “consumer health data” (which is broadly defined) and mandates detailed privacy notices.

Key Takeaways

  • HIPAA compliance does not address all state law requirements. Companies must consider both.
  • HIPAA applies only to covered entities and business associates, not all drug and device makers.
  • State privacy laws can directly impact how manufacturers handle patient information and must be considered when designing patient programs and applications, building data use strategies, and undertaking other key activities.
  • State regulators are already enforcing data security and privacy regulations, highlighting the importance of robust compliance strategies.

Drug and device manufacturers must navigate the complex interplay between HIPAA and state privacy laws to ensure comprehensive compliance. Understanding these regulations is vital for protecting patient information and maintaining the trust of healthcare consumers. Gardner Law has extensive experience with applying data, privacy, and cybersecurity considerations to drug and device companies of all sizes. If you have questions, the team at Gardner Law can help.