Framework · Health Insurance Portability and Accountability Act

HIPAA compliance for connected devices

HIPAA applies the moment a connected product touches protected health information, not just inside a hospital. Scadable gets the vendor and device side of that right.

What is HIPAA, for a device maker?

HIPAA is a US federal law protecting patient health information. Most HIPAA content online is written for hospitals and healthcare employees. This page is not that: it covers what HIPAA actually requires of a connected device maker or software vendor whose product touches protected health information, PHI, even if the company itself is not a hospital or insurer.

If your product is a medical device, note that the EU Cyber Resilience Act explicitly carves out medical devices in favor of the EU's own MDR/IVDR regime. HIPAA and CRA are not the same question and do not substitute for each other; a connected medical device sold in both the US and the EU can be in scope for both, addressing different obligations.

Who does this apply to?

Any vendor that creates, receives, stores, or transmits PHI on behalf of a covered entity (a hospital, clinic, or insurer) is typically a Business Associate under HIPAA, whether or not the vendor thinks of itself as a healthcare company. That includes a device maker whose cloud platform stores patient vitals, and a software vendor whose companion app handles patient data on a covered entity's behalf.

Business Associate Agreements

A Business Associate Agreement, a BAA, is the contract that makes a vendor's HIPAA obligations explicit and is required before a covered entity can legally share PHI with that vendor. If a hospital or clinic is asking your company to sign one, that is the clearest signal HIPAA applies to you right now, not a hypothetical future concern.

What you actually have to do

Implement the Security Rule's administrative, physical, and technical safeguards for any system that touches PHI: access controls, encryption in transit and at rest, audit logging, and a documented incident response process. Sign BAAs with every subprocessor that also touches the data. Maintain breach notification procedures with real, HIPAA-defined timelines.

Cloud storage and telemetry: the part device makers actually get wrong

The most common gap is not malicious, it is architectural: a device's cloud telemetry pipeline was built for uptime and observability, not for PHI handling, and nobody re-audited it once the product started touching patient data. Access logs, third-party analytics, and support tooling are common places PHI ends up without anyone deciding it should.

What's actually at stake

HIPAA carries real civil penalties, and a lost BAA relationship is a lost hospital or clinic contract, not just a compliance gap. For a device maker, the more common near-term cost is simpler: no signed BAA means no data, and no data means the product does not work for that customer.

How Scadable helps

Scadable's HIPAA coverage today is the same concierge model as every new framework: mapping where PHI actually moves through your product, implementing the Security Rule safeguards that are missing, and getting BAAs in place with the right subprocessors. This is the newest and narrowest of the frameworks Scadable covers; if your product is medical-device-first, ask directly about current scope on a call rather than assuming full parity with the CRA or SOC 2 pages above.

Frequently asked questions

Yes, if your product creates, stores, or transmits protected health information on behalf of a covered entity. That makes you a Business Associate under HIPAA, with real obligations, even though you are not a hospital, clinic, or insurer yourself.
A BAA is the contract required before a covered entity can share PHI with a vendor. If a hospital or clinic customer asks you to sign one, HIPAA applies to your company now, not hypothetically.
No. The EU Cyber Resilience Act explicitly excludes medical devices in favor of the EU MDR/IVDR regime. HIPAA is a separate, US-specific law about patient health information. A device sold in both markets can face obligations under both, addressing different questions.
Any pipeline that touches protected health information, including access logs, analytics, and support tooling, needs the same Security Rule safeguards as the primary data store: encryption, access control, audit logging. This is the most common gap for device makers whose telemetry pipeline predates handling patient data.
Civil penalties scale with the violation, but the more immediate cost for a device or software vendor is usually contractual: no signed BAA means a covered-entity customer legally cannot send you data, which typically means the deal does not close.

Get HIPAA-ready. Without the busywork.