Regulatory Open Forum

  • 1.  HIPAA Compliance Officer for Business Associates

    This message was posted by a user wishing to remain anonymous
    Posted 18-Jul-2022 09:22

    We are a medical device manufacturer who is a business associate for our customers.

    I am seeing conflicting information about whether we need to have a HIPAA Compliance officer. According to the legal text of the HIPAA regulation (which I obtained at: Combined Text of All Rules), only covered entities are explicitly required to have a compliance officer. It does not call out business associates as having this requirement.

    However, some miscellaneous websites say that business associates DO require a compliance officer. What's your company's stance on it?


  • 2.  RE: HIPAA Compliance Officer for Business Associates

    Posted 19-Jul-2022 01:36
    In a previous job, I was the Chief Compliance Officer and Data Protection Officer. The short answer is that there is no legal requirement in the US for a business associate to have a designated data privacy person.

    However, you will see companies having one when their business model justifies the headcount, such as a business that regularly sells, uses, or transfers consumer data (think Facebook).

    Covered entities, such as hospitals or pharmacies, usually have one at the HQ level because of the high volume of patient data.

    For medical device companies, it would be prudent to have someone responsible for privacy matters if your company collects or has access to protected health info as part of its business model. That person does not have to be a lawyer, although a lawyer may handle it in addition to legal responsibilities (that was my case).

    As you probably know, when privacy issues come up, it's helpful for the business teams to have a designated person for them, such as questions about HIPAA's application, the scope of a business associate agreement, a request from a consumer under California's CCPA (https://oag.ca.gov/privacy/ccpa), or a question sent to the company through the privacy notice/policy on your web page.

    And if you are engaged in certain activities in the EU, there is a data protection officer requirement under GDPR for both data controllers (like our covered entity) and data processors (like our business associate): https://gdpr.eu/article-37-designation-of-the-data-protection-officer/

    To further confuse things, some states have modeled their rules on Europe's GDPR, going so far as to use the terms "processor" and "controller" instead of the US HIPAA terms. For example, Virginia's law comes into effect next year: https://law.lis.virginia.gov/vacode/title59.1/chapter53/section59.1-578/

    ------------------------------
    Roger Cepeda, JD, MBA, RAC
    MedTech Law LLC
    roger@medtech.law
    Mobile: 847-421-8361
    ------------------------------



  • 3.  RE: HIPAA Compliance Officer for Business Associates

    This message was posted by a user wishing to remain anonymous
    Posted 20-Jul-2022 10:34

    Thanks so much for this extremely thoughtful response!