
    HIPAA and Medical Device Manufacturers: What Cybersecurity Obligations Actually Apply

    When HIPAA applies to medical device manufacturers, how the 2025 Security Rule NPRM raises the bar, and how HIPAA obligations intersect with the FDA's Feb 2026 premarket cybersecurity guidance.


    By Christian Espinosa, MBA, CISSP

    Founder & CEO · Blue Goat Cyber

    Published: June 14, 2026

    Direct answer

    Medical device manufacturers are almost never Covered Entities under HIPAA, and they are only Business Associates when their product or service handles Protected Health Information (PHI) on behalf of a Covered Entity, typically through a cloud backend, a remote monitoring service, or a hosted analytics platform. Even when HIPAA does not apply directly, hospitals push HIPAA Security Rule expectations onto manufacturers through MDS2 disclosures, HSCC Joint Security Plan procurement, and contract language. The proposed January 6, 2025 HIPAA Security Rule update would tighten this further with mandatory encryption, MFA, annual penetration testing, asset inventories, and notification from a Business Associate to the Covered Entity within 24 hours of the Business Associate activating its contingency plan.

    Key Takeaways

    • Manufacturers are usually neither Covered Entities nor Business Associates. They become a Business Associate the moment their cloud, SaaS, or remote monitoring service touches PHI on behalf of a hospital.
    • The HIPAA Security Rule (45 CFR §164.308/310/312) applies to Business Associates with the same force as to Covered Entities, including the §164.312 technical safeguards that map directly to device design.
    • The HHS NPRM published January 6, 2025 (90 FR 898) would remove the "addressable" designation and mandate encryption, MFA, annual penetration testing, asset inventories, network segmentation, and Business Associate notification to Covered Entities within 24 hours of contingency plan activation.
    • HIPAA governs PHI confidentiality, integrity, and availability. The FDA governs device safety and effectiveness. The control families overlap heavily, but the documentation, the auditor, and the enforcement path are different.
    • Hospitals will ask for HIPAA-flavored controls through MDS2, HSCC JSP, and security questionnaires even when no BAA exists. Devices that cannot support unique user IDs, audit logging, automatic logoff, encryption, and access control will lose deals.


    Why this matters

    HIPAA enforcement against Business Associates is no longer rare. HHS OCR's Annual Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance shows year-over-year growth in Business Associate enforcement actions and settlement amounts, with several seven-figure resolutions against vendors whose products touched PHI on behalf of a hospital. The 2024 Change Healthcare incident, the largest healthcare breach on record, hit an organization that operates as a healthcare clearinghouse and as a Business Associate to thousands of providers, and it is the backdrop against which HHS issued the January 6, 2025 NPRM (90 FR 898).

    At the same time, the FDA's Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions (Feb 3, 2026 final guidance) and Section 524B of the FD&C Act formalize cybersecurity as a clearance gate. Manufacturers are now squeezed from two directions: the FDA on safety and effectiveness, OCR on PHI. Hospitals enforce both through procurement, using MDS2 (the NEMA/MITA Manufacturer Disclosure Statement for Medical Device Security) and the HSCC Joint Security Plan.

    Does HIPAA apply to medical device manufacturers?

    In most cases, not directly. HIPAA applies to Covered Entities (health plans, healthcare clearinghouses, and most healthcare providers) and to Business Associates (vendors that create, receive, maintain, or transmit PHI on behalf of a Covered Entity). A medical device manufacturer selling a standalone device into a hospital is typically neither.

    You cross the line into Business Associate status when:

    • Your cloud backend ingests, stores, or processes PHI generated by the device on the hospital's behalf
    • You provide a remote monitoring service, managed analytics, or hosted reporting
    • You operate a patient portal or companion app that handles PHI as a service to the provider
    • You host or administer infrastructure where PHI lives

    Selling a device that creates PHI used only inside the hospital's own infrastructure does not, by itself, make you a Business Associate. The triggering question is always "are you handling PHI on behalf of a Covered Entity?" If yes, you need a Business Associate Agreement (BAA) and you owe the full HIPAA Security Rule, Breach Notification Rule, and applicable Privacy Rule provisions.

    Key requirement

    If any part of your product or service touches PHI on behalf of a hospital, you are a Business Associate the day the data starts flowing, not the day the BAA is signed. Operating without a BAA in that state is itself a HIPAA violation for both parties.

    The three indirect ways HIPAA reaches manufacturers

    Even when HIPAA does not apply directly, it shapes the manufacturer's obligations through three predictable channels.

    1. Business Associate exposure through the cloud backend

    The moment a connected device sends PHI to a manufacturer-operated cloud, you are a Business Associate. The Security Rule then applies in full: administrative safeguards (§164.308), physical safeguards (§164.310), and technical safeguards (§164.312), plus Breach Notification (§164.410) requiring you to notify the Covered Entity without unreasonable delay and in no case later than 60 days after discovery.

    2. Procurement gating via MDS2 and the HSCC Joint Security Plan

    Hospitals must comply with HIPAA, and they extend that obligation to vendors through procurement. The MDS2 questionnaire is a HIPAA Security Rule checklist in everything but name, covering unique user IDs, automatic logoff, audit controls, encryption, transmission security, and emergency access. The HSCC Joint Security Plan formalizes the same expectations for the device lifecycle. A device that cannot support these controls cannot be deployed in a way that lets the hospital meet its HIPAA obligations, which means the hospital cannot buy it.

    3. The January 6, 2025 HIPAA Security Rule NPRM

    The proposed update at 90 FR 898 raises the floor for every Business Associate and, by extension, every device whose backend touches PHI. The controls become prescriptive, not "addressable." See the next section.

    HIPAA Security Rule controls that map to device design

    The §164.312 technical safeguards translate almost one-for-one into device design requirements:

    HIPAA §164.312 control | What the device must support
    Access control: unique user identification | Per-user accounts; no shared service accounts in clinical workflow
    Access control: emergency access | Documented break-glass procedure
    Access control: automatic logoff | Configurable inactivity timeout
    Access control: encryption and decryption | Encryption at rest for PHI on the device
    Audit controls | Tamper-evident audit log of PHI access and security events
    Integrity | Mechanism to detect unauthorized PHI alteration
    Person or entity authentication | Strong authentication; MFA where feasible
    Transmission security | TLS for all PHI in transit, including HL7/MLLP wrapped in TLS

    These map directly onto the FDA's expectations in the Feb 3, 2026 guidance, which means the same control evidence (test reports, design documentation) typically serves both regulators if it is written for that purpose from the start.
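    The "Audit controls" and "Integrity" rows are the ones most often answered with a plain text file that anyone with a shell on the device can edit. The following is an added example, written for this page and not taken from the article or from any manufacturer's product, of how a device can produce a tamper-evident audit log for PHI access events: each entry is HMAC-chained to the one before it, so verification detects an altered, deleted, or reordered entry, and a periodically exported head value catches truncation of the tail, which the chain alone cannot. The events, field names, and key are constructed for the demonstration; on a real device the key would live in a hardware-backed key store and the head value would be forwarded off-device to a SIEM or the hospital's log collector at intervals.

```python
"""Added example: HMAC-chained, tamper-evident audit log for a connected device."""
import hashlib
import hmac
import json
from copy import deepcopy
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64  # "prev" link of the first entry


def _canonical(event: Dict) -> bytes:
    # Deterministic serialization: the MAC must cover identical bytes on every verify.
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode("utf-8")


class AuditLog:
    """Append-only log. Each entry carries the MAC of its predecessor ("prev")
    and its own MAC over every other field, so the entries form a chain."""

    def __init__(self, key: bytes):
        self._key = key  # assumption: provisioned per device, held in a hardware key store
        self.entries: List[Dict] = []

    def append(self, ts: int, user_id: str, action: str, record_id: str, outcome: str) -> Dict:
        event = {
            "seq": len(self.entries),   # position, so deletion and reordering are detectable
            "ts": ts,                   # Unix time from the device clock
            "user": user_id,            # unique user ID (§164.312(a)(2)(i)); never a shared account
            "action": action,           # e.g. VIEW, EXPORT, LOGIN_FAIL, CONFIG_CHANGE
            "record": record_id,        # opaque record identifier, not the PHI content itself
            "outcome": outcome,         # SUCCESS / FAILURE
            "prev": self.head(),        # chain link to the previous entry
        }
        event["mac"] = hmac.new(self._key, _canonical(event), hashlib.sha256).hexdigest()
        self.entries.append(event)
        return event

    def head(self) -> str:
        """MAC of the latest entry. Export this periodically; it anchors the tail."""
        return self.entries[-1]["mac"] if self.entries else GENESIS


def verify_chain(key: bytes, entries: List[Dict],
                 expected_head: Optional[str] = None) -> Tuple[bool, Optional[int]]:
    """Walk the chain. Returns (True, None) if intact, else (False, index of the first
    entry that fails). Passing the last exported head also detects a truncated tail."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e.get("seq") != i or e.get("prev") != prev:
            return False, i                 # gap, reorder, or deletion
        body = {k: v for k, v in e.items() if k != "mac"}
        mac = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, str(e.get("mac", ""))):
            return False, i                 # content of this entry was altered
        prev = e["mac"]
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return False, len(entries)          # entries removed from the end
    return True, None


def demo() -> Dict[str, Tuple[bool, Optional[int]]]:
    key = b"\x11" * 32  # constructed key for the demo only
    log = AuditLog(key)
    # Constructed events: a nurse views and exports a record, a maintenance
    # account fails to log in, a physician views another record.
    log.append(1718000000, "rn.lee", "VIEW", "rec-4471", "SUCCESS")
    log.append(1718000042, "rn.lee", "EXPORT", "rec-4471", "SUCCESS")
    log.append(1718000090, "svc-maint", "LOGIN_FAIL", "-", "FAILURE")
    log.append(1718000130, "dr.patel", "VIEW", "rec-9902", "SUCCESS")
    anchor = log.head()  # what the device would have forwarded off-box

    results = {"intact": verify_chain(key, log.entries, anchor)}

    altered = deepcopy(log.entries)         # rewrite who performed the export
    altered[1]["user"] = "svc-maint"
    results["altered"] = verify_chain(key, altered, anchor)

    deleted = deepcopy(log.entries)         # remove the failed login
    del deleted[2]
    results["deleted"] = verify_chain(key, deleted, anchor)

    truncated = deepcopy(log.entries[:3])   # drop the newest entry
    results["truncated_no_anchor"] = verify_chain(key, truncated)
    results["truncated_with_anchor"] = verify_chain(key, truncated, anchor)
    return results


if __name__ == "__main__":
    for name, (ok, bad) in demo().items():
        print(f"{name:22s} ok={ok} first_bad={bad}")
```

    Two design points matter for the HIPAA mapping. First, the log records an opaque record identifier rather than the PHI content, but an identifier tied to a patient is still PHI, so the log file itself falls under the same §164.312 access controls as the data it audits. Second, a hash chain proves nothing about entries removed from the end unless the head value leaves the device; forwarding it (or the whole log) to an external collector is what turns "tamper-evident" from a design claim into something a hospital security team can actually check.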

    What changes under the 2025 HIPAA Security Rule NPRM

    The HHS Notice of Proposed Rulemaking published January 6, 2025 (90 FR 898) is the most significant Security Rule update since 2013. If finalized as proposed, the headline changes for device manufacturers operating as Business Associates include:

    • Encryption becomes required, not "addressable." Encryption at rest and in transit for all ePHI, with limited exceptions.
    • Multi-factor authentication required for access to systems containing ePHI.
    • Penetration testing at least annually and vulnerability scanning at least every six months, with documented remediation.
    • Comprehensive asset inventory and network map, maintained and updated at least annually and whenever the environment changes.
    • Network segmentation required to limit lateral movement.
    • Notification from Business Associates to Covered Entities within 24 hours of activating a contingency plan (a ransomware outage that forces failover to backups, for example). This sits alongside, not in place of, the existing 60-day breach notification clock under §164.410.
    • Written verification at least every 12 months from Business Associates that their technical safeguards meet Security Rule requirements, signed by a person with authority.
    • Contingency planning with 72-hour restoration targets for critical systems.

    See also: FDA Pen Test Timing: How Recent Does Your Penetration Test Need to Be at Submission?, EHR/EMR Integration for Medical Devices: Common Systems and Cybersecurity Risks, and Data Flow Diagrams for Medical Device Cybersecurity.

    For a device manufacturer with a cloud backend, this means the engineering investment HIPAA expects is now closer to what the FDA expects under the 2026 premarket guidance, which is helpful. Where they diverge is the operational overhead: HIPAA's 24-hour BA-to-CE notice on contingency plan activation and the annual written verification are administrative burdens the FDA does not impose.

    HIPAA vs FDA cybersecurity: where they overlap and where they don't

    Dimension | HIPAA Security Rule | FDA Feb 3, 2026 guidance
    Statutory basis | HIPAA / HITECH | FD&C Act Section 524B
    Enforcer | HHS OCR | FDA CDRH
    Object of protection | PHI confidentiality, integrity, availability | Device safety and effectiveness
    Applies to | Covered Entities and Business Associates | Medical device manufacturers (cyber devices)
    Risk analysis | §164.308(a)(1)(ii)(A) | Security risk assessment, threat model
    Encryption | Required under 2025 NPRM (addressable today) | Expected; documented per architecture view
    Access control | §164.312(a) | Documented in Security Architecture Views
    Incident response | §164.308(a)(6); BA notice to CE within 24h of contingency plan activation under the NPRM | Coordinated vulnerability disclosure; postmarket plan
    Breach reporting | BA to CE within 60 days of discovery (§164.410); CE to OCR within 60 days for breaches of 500+ individuals, annually for smaller breaches | 21 CFR 803 MDR if death or serious injury is implicated
    Documentation audience | OCR investigators, plaintiffs | FDA reviewers, postmarket auditors

    The control families overlap heavily. The documentation, the auditor, and the enforcement consequence do not. Treating one set of evidence as sufficient for both is the recurring mistake.

    Talk to us about your HIPAA and FDA cybersecurity strategy →

    Breach notification: dual obligations to OCR and the FDA

    A single cybersecurity event involving a connected device can trigger:

    • HIPAA Breach Notification Rule: as a Business Associate, notice to the Covered Entity without unreasonable delay and no later than 60 days after discovery (§164.410). The Covered Entity then notifies affected individuals, notifies OCR (within 60 days for breaches of 500+ individuals, annually for smaller ones), and notifies the media if 500+ residents of a state or jurisdiction are affected.
    • FDA postmarket reporting under 21 CFR 803 if the event caused or could have caused death or serious injury (a ransomware event that delays therapy can qualify).
    • Coordinated vulnerability disclosure under the FDA's postmarket cybersecurity guidance and CISA's CVD framework.
    • State breach notification laws, which vary and sometimes have shorter clocks than HIPAA.
    • Under the 2025 NPRM, Business Associate to Covered Entity notification within 24 hours of activating a contingency plan, in addition to the breach notice above.

    The playbook needs to be written before the event, and it needs to live in both the Security Risk Management File (for the FDA) and the HIPAA incident response plan (for OCR).

    How Blue Goat approaches HIPAA for medical device manufacturers

    Blue Goat Cyber's medical device practice is led by engineers with CISSP, OSCP, and prior military red-team backgrounds. For HIPAA-adjacent engagements we map every PHI flow to both regimes: the FDA's threat model, Security Architecture Views, and labeling on one side, and the HIPAA Security Rule's §164.308/310/312 safeguards on the other. The same control evidence (encryption design, audit logging, access control) is produced once and used twice.

    For manufacturers operating cloud backends, we build the Business Associate posture against the 2025 NPRM baseline, not the 2013 baseline, because that is where enforcement is heading. See our medical device cybersecurity services for scope. If the FDA raises cybersecurity deficiencies after our submission, we resolve them at no additional cost.

    FAQ

    Is a medical device manufacturer a Covered Entity under HIPAA?

    Almost never. Covered Entities are health plans, healthcare clearinghouses, and most healthcare providers. A device manufacturer becomes a Business Associate, not a Covered Entity, when it handles PHI on behalf of a Covered Entity. Selling a device that creates PHI used only inside the hospital does not, by itself, make the manufacturer a Covered Entity or a Business Associate.

    When does a manufacturer become a Business Associate?

    The trigger is handling PHI on behalf of a Covered Entity. Operating a cloud backend that ingests PHI from the device, providing remote monitoring as a service, hosting a patient portal, or running managed analytics all create Business Associate status. The day data starts flowing is the day the obligation begins, with or without a signed BAA.

    What is the 2025 HIPAA Security Rule NPRM?

    The Notice of Proposed Rulemaking published by HHS on January 6, 2025 (90 FR 898) is the first major update to the Security Rule since 2013. It would remove "addressable" implementation specifications, mandate encryption and multi-factor authentication, and require annual penetration testing, asset inventories, network segmentation, and notification from Business Associates to Covered Entities within 24 hours of contingency plan activation. It is proposed, not yet final, but vendors should plan against it.

    Does HIPAA require encryption today?

    Today, encryption is an "addressable" specification under §164.312(a)(2)(iv) and (e)(2)(ii), meaning you must implement it or document why an equivalent measure is reasonable. Under the proposed 2025 NPRM, encryption becomes a required specification for ePHI at rest and in transit, with only narrow exceptions.

    How does HIPAA relate to the FDA's Feb 2026 cybersecurity guidance?

    The two regimes overlap in control families (risk analysis, access control, audit logging, encryption, incident response) but have different enforcers, documentation audiences, and consequences. HIPAA protects PHI and is enforced by HHS OCR. The FDA's guidance protects device safety and effectiveness and is enforced by CDRH. Manufacturers operating cloud backends typically need to satisfy both, and the evidence can be produced once if planned that way.

    What happens if my device has a breach?

    As a Business Associate you must notify the Covered Entity no later than 60 days after discovery under the HIPAA Breach Notification Rule (the Covered Entity in turn notifies affected individuals and HHS OCR), file an MDR with the FDA under 21 CFR 803 if the event caused or could cause death or serious injury, run coordinated vulnerability disclosure, and comply with state breach laws. Under the 2025 NPRM, Business Associates would also have to notify Covered Entities within 24 hours of activating a contingency plan. The incident response plan needs to address all of these in one playbook.


    Building a connected device with a cloud backend, or already getting hospital security questionnaires you cannot answer? We build the HIPAA Business Associate posture against the 2025 NPRM baseline and align it with your FDA cybersecurity documentation so the same evidence serves both regulators. Schedule a discovery session →

    About the author

    Christian Espinosa, CISSP, Founder, Blue Goat Cyber. Christian leads a team focused exclusively on medical device cybersecurity, including HIPAA Business Associate posture for manufacturer-operated cloud backends and remote monitoring services. Read more about Christian.
