The Health Insurance Portability and Accountability Act of 1996 (HIPAA) created a statutory obligation and regulatory scheme to protect patient health information (protected health information, or PHI). The law applies both to health care providers (covered entities) and to their business associates. Many life sciences companies are involved in providing health care, either directly or as a business associate, or are developing products for use by health care providers that create, store or manipulate PHI. This means that these companies must comply with HIPAA, and their services and products must be capable of protecting the PHI with which they deal.

Since 2013, when the omnibus rule came into effect, HIPAA compliance has become significantly more complicated and burdensome, and penalties for noncompliance have become potentially enormous, stretching into the millions. Furthermore, the new regulatory scheme is on a sliding scale: a very small medical practice or medical device startup has to do less to comply with the HIPAA regulatory scheme than a large health system, pharmaceutical company or medical device manufacturer. Exactly how much less has never been clear. The Office for Civil Rights within the federal Department of Health and Human Services (OCR), the primary agency that investigates HIPAA compliance, has not provided, and will not provide, clear guidance on exactly what a covered entity or business associate must do to comply with HIPAA's regulations.