Dear Valued Customer:
HIPAA compliance is a high priority for most healthcare providers. As a health care provider, you have the responsibility to ensure that individually identifiable health information is not released in unauthorized ways.
Because of this, Cadwell has received many inappropriate requests to enter Business Associate contracts to protect this information. While Cadwell fully supports the Health Information Privacy Act and has the desire to meet our customers’ needs and expectations, the act gives clear definitions of who must comply as a Business Associate and/or Covered Entity. Cadwell does not perform any tasks or functions that correlate with those requirements. Cadwell conforms to HIPAA regulations as an FDA-regulated manufacturing company. In short, Cadwell is not considered a Business Associate under the definition of HIPAA (1996 or 2009). Furthermore, most of the business associate agreement requests have no bearing on the business relationship between Cadwell and the Health Care Provider.
In order to provide a timely and consistent response to these requests, we have reviewed HIPAA requirements as they relate to Cadwell as an FDA-regulated medical device manufacturer and provide this response and attachment. These materials serve as our binding commitment to meet the requirements of HIPAA as they pertain to the protection of your patients’ health records.
Cadwell has implemented strict procedures to prevent disclosure of patient data that may enter our hands. Additionally, we note that under the HIPAA regulations, Cadwell’s activities, such as repairing its medical devices, are covered as Public Health Activities under Section 164.512(b)(iii)(C) and are thus “uses and disclosures for which consent, an authorization, or opportunity to agree or object is not required[.]” The attached text taken from the rule confirms that medical device manufacturers are not considered Business Associates under HIPAA when selling medical devices to a covered provider or when repairing medical devices. An additional excerpt listing the definition of a business associate (section 160.103) has been provided to illustrate this point. While a medical device manufacturer could be considered a Business Associate when providing “health care” or when using protected health information for marketing purposes, Cadwell does not participate in either of these activities and is thus not a Business Associate for those purposes.
Please accept this statement and the attachment in lieu of the contractual agreement you have requested.
Thank you for your understanding in this matter.
Department of Health and Human Services
45 CFR Parts 160 and 164
Standards for Privacy of Individually Identifiable Health Information; Final Rule
PART 164 - SECURITY AND PRIVACY
§ 164.512 Uses and disclosures for which consent, an authorization, or opportunity to agree or object is not required.
A covered entity may use or disclose protected health information without written consent or authorization in the situations covered by this section …
(b) A covered entity may disclose protected health information for the public health activities and purposes described in this paragraph to: …
(iii) A person subject to the jurisdiction of the Food and Drug Administration:
(A) To report adverse events … product defects or problems (including problems with the use or labeling of a product), … if the disclosure is made to the person required or directed to report such information to the Food and Drug Administration;
(B) To track products if the disclosure is made to a person required or directed by the Food and Drug Administration to track the product;
(C) To enable product recalls, repairs, or replacement (including locating and notifying individuals who have received products of product recalls, withdrawals, or other problems); or
(D) To conduct post marketing surveillance to comply with requirements or at the direction of the Food and Drug Administration;
The term ‘business associate’ has the meaning given such term in section 160.103 of title 45, Code of Federal Regulations. This contains new verbiage from ARRA of 2009.
PART 160 - General Administration Definitions
Except as otherwise provided, the following definitions apply to this subchapter:
(1) Except as provided in paragraph (2) of this definition, business associate means, with respect to a covered entity, a person who:
(i) On behalf of such covered entity or of an organized health care arrangement in which the covered entity participates, but other than in the capacity of a member of the workforce of such covered entity or arrangement, performs, or assists in the performance of:
(A) A function or activity involving the use or disclosure of individually identifiable health information, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, and repricing; or
(B) Any other function or activity regulated by this subchapter; or
(ii) Provides, other than in the capacity of a member of the workforce of such covered entity, legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for such covered entity, or to or for an organized health care arrangement in which the covered entity participates, where the provision of the services involves the disclosure of individually identifiable health information from such covered entity or arrangement, or from another business associate of such covered entity or arrangement, to the person.
(2) A covered entity participating in an organized health care arrangement that performs a function or activity as described by paragraph (1)(i) of this definition for or on behalf of such organized health care arrangement, or that provides a service as described in paragraph (1)(ii) of this definition to or for such organized health care arrangement, does not, simply through the performance of such function or activity or the provision of such service, become a business associate of other covered entities participating in such organized health care arrangement.
(3) A covered entity may be a business associate of another covered entity.
P/N 805002-000 rev 01