The European Union’s General Data Protection Regulation (GDPR), which came into effect on May 25, 2018, is often considered one of the world’s toughest privacy and security laws. It lays down privacy and security standards and imposes obligations on any organization that has an impact on people in the EU, whether by targeting them or by collecting their data. The regulation is timely: more and more people are entrusting their personal data to cloud services, and data breaches are becoming ever more frequent. The closest US analogue to the GDPR is the U.S. Health Insurance Portability and Accountability Act (HIPAA). One might assume that neither the GDPR nor HIPAA has any bearing on medical devices, but that is not the case! HIPAA is a federal law that ‘requires creation of national standards to protect sensitive patient information from being disclosed.’[1]

The US Department of Health and Human Services issued and implemented the Privacy Rule which, read together with HIPAA, governs the use and disclosure of an individual’s health information. This is the ‘protected health information’ (PHI) that regulated entities are obliged to safeguard. The goal of both laws, among others, is to strike an appropriate balance: to ensure that an individual’s health information is properly protected while allowing the flow of information that is essential for providing and promoting high-quality healthcare. That flow of information is critical to protecting the public’s health and well-being. The purpose of these laws is therefore to permit the use of information while protecting people’s privacy.

As these laws develop and mature, they are playing a primary role in the activities of pharmaceutical and medical device companies. Whenever a company collects data that concerns health, the GDPR and/or HIPAA apply. The GDPR defines “data concerning health” as personal data relating to a person’s physical or mental health and well-being, including health services that reveal the person’s health status. In addition, the GDPR grants the right to be forgotten, which refers to “the ability of individuals to limit, de-link, delete, or correct the disclosure of personal information on the internet that is misleading, embarrassing, irrelevant, or anachronistic.”[2] All software privacy and security rules stipulate consent and access to personal records; combined with the right to be forgotten, this places an indispensable obligation on software (including software as a medical device) to support deletion of records. HIPAA, for its part, provides “portability of insurance between employers, standard transaction codes to improve accountability, and safeguarding of individually identifiable health information for patient privacy.”[3] Of these three elements, privacy has the strongest influence on medical device design. If a device handles or relates to health information, HIPAA requires that patient privacy be addressed in its design. Protected health information under HIPAA includes any individually identifiable health information that is transmitted or maintained in any form or medium.[4] Such identifiable information must be safeguarded against inappropriate disclosure. It can include ECG traces, histories of patient drug therapy, data from defibrillators, or bedside patient monitors recording patient information, and so on.

As a device manufacturer, you are affected by the GDPR and HIPAA in at least two ways:

  1. You must protect the identifiable data/health information that comes into your possession;
  2. You must comply with the requirements laid down by HIPAA and/or the GDPR, and this applies not only to the device but also to the organization.

While these laws and regulations lay down what is to be protected, they do not necessarily state how that protection is to be provided. Manufacturers therefore need to design their own set of policies. Compliance with established standards also requires training personnel on what constitutes protected health information and how to handle it. Under the GDPR, a data protection impact assessment is mandated by Article 35 of the regulation; it is designed to evaluate practices, assess risks and define mitigating measures for the collection, storage, processing and management of protected health information.

In summary, both the GDPR and HIPAA are designed to enhance privacy and security, which makes them cross paths with the medical device industry in many ways. The GDPR in particular has no territorial limit: it is enforceable against anybody having an impact on people in the EU. The topics discussed above, such as impact assessments, compliance and the right to be forgotten, are only some of the many facets of these laws and regulations. If you are a medical device manufacturer wondering whether you are compliant with the GDPR and/or HIPAA, EMMA International’s team of experts can help! Give us a call at 248-987-4497 or email info@emmainternational.com to see how we can help.


[1] Centers for Disease Control and Prevention, Health Insurance Portability and Accountability Act of 1996 (HIPAA) (last accessed: August 29, 2022). Available at: https://www.cdc.gov/phlp/publications/topic/hipaa.html

[2] Michael J. Kelly and David Satola, The Right to be Forgotten, University of Illinois Law Review (2017).

[3] Medical Device and Diagnostic Industry (July 2003), HIPAA’s Influence on Medical Device Technology. Available at: https://www.mddionline.com/news/hipaas-influence-medical-device-technology

[4] HIPAA Journal (Jan 2022), What is considered protected health information under HIPAA? Available at: https://www.hipaajournal.com/what-is-considered-protected-health-information-under-hipaa/#:~:text=Health%20information%20such%20as%20diagnoses,and%20contact%20and%20emergency%20contact

Kanika Kalra
Ms. Kalra is an internationally trained attorney from India, joining EMMA International Consulting Group, Inc. as a Regulatory Affairs Specialist. Currently, Ms. Kalra is a Postdoctoral Research Fellow at the Center for Global Health Science and Security at Georgetown University. At CGHSS, her work focuses on legal research on multilateralism and international law, relevant to preparing for and responding to future epidemics and pandemics. Prior to starting at EMMA, Ms. Kalra completed her LL.M. in National and Global Health laws from Georgetown Law specializing in food and drug law. Alongside her LL.M. degree, Ms. Kalra worked as a research assistant at the O’Neill Institute for National and Global Health Law, working with different initiatives.
