www.hhs.gov
2a02:26f0:3100:792::219c  Public Scan

Submitted URL: http://www.hhs.gov/ocr/privacy/hipaa/faq/public_health_uses_and_disclosures/490.html
Effective URL: https://www.hhs.gov/hipaa/for-professionals/faq/490/when-may-a-covered-health-care-provider-disclose-protected-healt...
Submission: On July 02 via manual from IN — Scanned from DE

Form analysis 1 forms found in the DOM

/hipaa/search-results/index.html

<form class="search-block-form usa-search usa-search--small js-search-form" data-drupal-selector="search-block-form" action="/hipaa/search-results/index.html" id="search-block-form">
  <div class="search-container" role="search">
    <div class="js-form-item form-item js-form-type-search form-item-keys js-form-item-keys form-no-label">
      <div class="form-item form-item--search form-item--id- js-form-item js-form-type-search js-form-item- usa-form-group has-no-label">
        <div class="usa-form-group">
          <label class="usa-label form-item__label  visually-hidden"> HHS Search (hipaa) </label>
          <input data-drupal-selector="hhs-search-input-66841e45a14e7" id="hhs-search-input-66841e45a14e7" aria-label="HHS Search (hipaa)" class="form-search usa-input usagov-search-autocomplete usa-input ui-autocomplete-input" name="query"
            autocomplete="off" type="search" size="60" maxlength="128" placeholder="Search">
        </div>
      </div>
    </div>
    <input type="hidden" name="referrer" value="https://www.hhs.gov/hipaa/for-professionals/faq/490/when-may-a-covered-health-care-provider-disclose-protected-health-information-without-authorization/index.html">
    <div data-drupal-selector="edit-actions" class="form-actions js-form-wrapper form-wrapper" id="edit-actions" style="position: relative;">
      <button id="uswds-search" value="Search" class="usa-button" type="submit">
        <img src="/themes/custom/hhs_uswds/images/usa-icons-bg/search--blue.svg" class="usa-search__submit-icon" alt=""> <span class="usa-sr-only">Search</span>
      </button>
    </div>
  </div>
</form>

Text Content


WHEN MAY A COVERED HEALTH CARE PROVIDER DISCLOSE PROTECTED HEALTH INFORMATION,
WITHOUT AN AUTHORIZATION OR BUSINESS ASSOCIATE AGREEMENT, TO A MEDICAL DEVICE
COMPANY REPRESENTATIVE?


ANSWER:

In general, and as explained below, the Privacy Rule permits a covered health
care provider (covered provider), without the individual’s written
authorization, to disclose protected health information to a medical device
company representative (medical device company) for the covered provider’s own
treatment, payment, or health care operation purposes (45 CFR 164.506(c)(1)), or
for the treatment or payment purposes of a medical device company that is also a
health care provider (45 CFR 164.506(c)(2), (3)). Additionally, the public
health provisions of the Privacy Rule permit a covered provider to make
disclosures, without an authorization, to a medical device company or other
person that is subject to the jurisdiction of the Food and Drug Administration
(FDA) for activities related to the quality, safety, or effectiveness of an
FDA-regulated product or activity for which the person has responsibility. See
45 CFR 164.512(b)(1)(iii) and the frequently asked questions on public health
disclosures for more information.

In certain situations, a covered health care provider may disclose protected
health information to a medical device company without an individual’s written
authorization only if the medical device company is a health care provider as
defined by the Rule. A medical device company meets the Privacy Rule’s
definition of “health care provider” if it furnishes, bills, or is paid for
“health care” in the normal course of business. “Health care” under the Rule
means care, services or supplies related to the health of an individual. Thus, a
device manufacturer is a health care provider under the Privacy Rule if it needs
protected health information to counsel a surgeon on or determine the
appropriate size or type of prosthesis for the surgeon to use during a patient’s
surgery, or otherwise assists the doctor in adjusting a device for a particular
patient. Similarly, when a device company needs protected health information to
provide support and guidance to a patient, or to a doctor with respect to a
particular patient, regarding the proper use or insertion of the device, it is
providing “health care” and, therefore, is a health care provider when engaged
in these services. See 65 FR 82569. By contrast, a medical device company is not
providing “health care” if it simply sells its appropriately labeled products to
another entity for that entity to use or dispense to individuals.

The following are some examples of circumstances in which a covered provider may
share protected health information with a medical device company, without the
individual’s authorization:

 * A covered provider may disclose protected health information needed for an
   orthopaedic device manufacturer or its representative to determine and
   deliver the appropriate range of sizes of a prosthesis for the surgeon to use
   during a particular patient’s surgery. (This would be a treatment disclosure
   to the device company as a health care provider. Exchanges of protected
   health information between health care providers for treatment of the
   individual are not subject to the minimum necessary standards. 45 CFR
   164.502(b).)
 * The device manufacturer or its representative may be present in the operating
   room, as requested by the surgeon, to provide support and guidance regarding
   the appropriate use, implantation, calibration or adjustment of a medical
   device for that particular patient. (This would be treatment by the device
   company as a health care provider. As noted in the prior example, treatment
   disclosures between health care providers are not subject to the minimum
   necessary standards.)
 * A covered provider may allow a representative of a medical device
   manufacturer to view protected health information, such as films or patient
   records, to provide consultation, advice or assistance where the provider, in
   her professional judgment, believes that this will assist with a particular
   patient’s treatment. (This would also be a treatment disclosure and minimum
   necessary would not apply.)
 * A covered provider may share protected health information with a medical
   device company as necessary for the device company to receive payment for the
   health care it provides. (This would be a disclosure for payment of a health
   care provider and subject to minimum necessary standards.)
 * A covered provider may disclose protected health information to a medical
   device manufacturer that is subject to FDA jurisdiction to report an adverse
   event, to track an FDA-regulated product, or other purposes related to the
   quality, safety, or effectiveness of the FDA-regulated product. (This would
   be a public health disclosure and subject to minimum necessary standards.)

A business associate agreement would not usually be required for the disclosures
noted above. For example, a business associate agreement would not be needed for
disclosures between health care providers for the treatment of the individual
(45 CFR 164.502(e)(1)(ii)(A)). Likewise, a medical device company would not be a
business associate of a covered provider with respect to public health
disclosures to a device company that is subject to FDA jurisdiction or
disclosures to a device company as a health care provider for that company’s
payment purposes, as in neither case is the device company performing a function
or activity on behalf of, nor providing a specified service to, the covered
provider. See 45 CFR 160.103. In other circumstances, however, a business
associate agreement may be required even if the disclosure were permitted
without an authorization. For example, a business associate agreement would be
required if a covered entity asked the medical device company to provide an
estimate of the cost savings it might expect from the use of a particular
medical device; and to do so, the device company needed access to the covered
entity’s protected health information. In this case, the medical device company
is performing a health care operations function (business planning and
development) on behalf of the covered provider, which requires a business
associate agreement even though the disclosure is permitted without an
authorization.

Date Created: 02/04/2004
Last Updated: 08/08/2005

Content created by Office for Civil Rights (OCR)
Content last reviewed December 28, 2022
