HIPAA Compliance for Medical Device Companies (2026 Security Rule Update)
Complete guide to HIPAA compliance for medical device manufacturers: when HIPAA applies to devices, the 2026 Security Rule NPRM changes (mandatory encryption, MFA, network segmentation, semi-annual vulnerability scanning, annual penetration testing, 24-hour notice to covered entities when a business associate activates its contingency plan), business associate agreements for IoMT, FDA cybersecurity overlap, risk assessment frameworks, and step-by-step compliance strategies for connected medical devices.
Why HIPAA Matters for Medical Device Companies in 2026
HIPAA — the Health Insurance Portability and Accountability Act of 1996 — is often assumed to apply only to hospitals, health plans, and clinics. In reality, the regulatory perimeter has expanded well beyond those traditional covered entities. Any company that creates, receives, maintains, or transmits protected health information (PHI) on behalf of a covered entity is a business associate under HIPAA, and medical device manufacturers frequently fall into that category.
In 2026, this matters more than ever. The HHS Office for Civil Rights (OCR) published a Notice of Proposed Rulemaking (NPRM) in January 2025 proposing the most significant overhaul of the HIPAA Security Rule since 2013. The proposal would eliminate the distinction between "required" and "addressable" implementation specifications, making encryption, multi-factor authentication (MFA), network segmentation, semi-annual vulnerability scanning, and annual penetration testing mandatory, with only narrow, enumerated exceptions. OCR has listed finalization of the rule on its regulatory agenda for May 2026, with a potential 240-day compliance window after publication.
This guide explains when and how HIPAA applies to medical device companies, what the 2026 changes require, and how to build a compliance program that addresses both HIPAA and FDA cybersecurity requirements.
When HIPAA Applies to Medical Devices
Covered Entities and Business Associates
HIPAA applies to three types of entities:
- Covered entities: Health care providers, health plans, and health care clearinghouses that transmit health information electronically
- Business associates: Any person or entity that performs functions on behalf of a covered entity involving the use or disclosure of PHI
- Business associate subcontractors: Entities that perform services for a business associate that involve access to PHI
A medical device manufacturer is not automatically subject to HIPAA. The trigger is whether the company accesses, stores, processes, or transmits PHI in the course of providing services to a covered entity.
Common Scenarios Where Device Companies Become Business Associates
| Scenario | HIPAA Applies? | Reason |
|---|---|---|
| Selling a device to a hospital with no access to patient data | No | No PHI exposure |
| Providing cloud-based analytics on patient data from device sensors | Yes | Creating/receiving PHI on behalf of covered entity |
| Remote monitoring service that transmits patient vitals to clinicians | Yes | Transmitting PHI |
| Device sends de-identified aggregate data only | No | No individually identifiable information, provided the data meets the 45 CFR 164.514 de-identification standard and the manufacturer does not receive identifiable data in order to de-identify it (de-identifying PHI is itself a use of PHI that needs a BAA) |
| Repair technician accesses hospital network containing ePHI | Potentially | No BAA is needed where any exposure to PHI would be merely incidental; one is required where servicing the device or system involves routine access to ePHI |
| Providing cost-savings analysis requiring access to patient records | Yes | Accessing PHI on behalf of covered entity |
The key distinction: if your company sells a device and has no ongoing relationship involving patient data, HIPAA does not directly apply. But if you provide any service involving PHI — cloud connectivity, data analytics, remote monitoring, software updates that access patient records — you are a business associate and must comply.
The IoMT Explosion
The Internet of Medical Things (IoMT) market is projected to reach $650 billion by 2030, according to Grand View Research. Connected insulin pumps, remote patient monitoring platforms, cloud-enabled imaging systems, and AI-powered diagnostic tools all generate, transmit, and store PHI. Each of these data flows creates HIPAA obligations for the device manufacturer acting as a business associate.
A March 2026 HIMSS survey found that 60% of healthcare organizations cannot adequately protect unpatchable medical devices with their current tools. Between 50% and 70% cannot install security agents on these devices, which often run Windows XP, Windows 7, Windows CE, or embedded Linux variants long past end-of-life. Hospitals generally cannot patch these devices themselves: the manufacturer validated a specific software configuration as part of the device's FDA clearance, so an update has to be qualified by the manufacturer before it is deployed. (FDA treats routine cybersecurity patches as device updates that normally do not require a new premarket submission, but that qualification is the manufacturer's to perform, not the hospital's.) This intersection of HIPAA and FDA requirements is one of the most complex compliance challenges in 2026.
The HIPAA Rules That Apply to Device Companies
Privacy Rule (45 CFR Part 164, Subpart E)
The Privacy Rule establishes standards for how PHI can be used and disclosed. For device companies acting as business associates:
- You may only use PHI for the purposes specified in your Business Associate Agreement
- You must limit use and disclosure to the minimum necessary for the intended purpose
- You must honor patient rights when applicable (access, amendment, accounting of disclosures)
- A Notice of Privacy Practices is a covered-entity obligation, so you owe one only if your company is itself a covered health care provider (for example, it bills for a remote monitoring service as a provider), not in your business associate role
Security Rule (45 CFR Part 164, Subpart C)
The Security Rule requires administrative, physical, and technical safeguards to protect electronic PHI (ePHI). This is where the 2026 changes are concentrated. The current rule establishes three categories of safeguards:
Administrative Safeguards:
- Risk analysis and risk management
- Security management process
- Workforce security and training
- Information access management
- Security incident procedures
- Business associate contracts
Physical Safeguards:
- Facility access controls
- Workstation security
- Device and media controls
Technical Safeguards:
- Access controls (unique user IDs, emergency access, automatic logoff)
- Audit controls
- Integrity controls
- Person or entity authentication (verifying that a user or system seeking access to ePHI is who it claims to be)
- Transmission security
Breach Notification Rule (45 CFR Part 164, Subpart D)
If unsecured PHI is breached, the covered entity must notify:
- Affected individuals without unreasonable delay and no later than 60 days after discovery
- HHS/OCR: for breaches affecting 500 or more individuals, at the same time as the individual notices and no later than 60 days after discovery; for fewer than 500, log the breach and report it within 60 days after the end of the calendar year in which it was discovered
- Prominent media outlets serving a state or jurisdiction, for breaches affecting more than 500 residents of that state or jurisdiction
Business associates must report breaches to the covered entity without unreasonable delay and no later than 60 days after discovery, and most BAAs set a shorter window. The 2026 NPRM does not change that breach timeline; it separately proposes that a business associate notify the covered entity within 24 hours of activating its contingency plan (for example, failing over to backups after a ransomware event), and that changes to a workforce member's access be communicated within 24 hours.
Enforcement Rule and Penalties
HIPAA violations carry civil monetary penalties in four tiers keyed to culpability. The table shows the base statutory amounts as capped by HHS's 2019 notice of enforcement discretion; OCR adjusts them for inflation every year, so the figures currently in force are higher:
| Tier | Description | Penalty per violation | Annual maximum |
|---|---|---|---|
| 1 | Did not know | $100 – $50,000 | $25,000 |
| 2 | Reasonable cause | $1,000 – $50,000 | $100,000 |
| 3 | Willful neglect, corrected within 30 days | $10,000 – $50,000 | $250,000 |
| 4 | Willful neglect, not corrected | $50,000+ | $1,500,000 |
OCR enforcement trends show no signs of slowing. Organizations continue to face fines for missing or outdated risk assessments even in the absence of major breaches. Small and midsize companies are not exempt.
The 2026 HIPAA Security Rule NPRM: What Changes
The NPRM published in January 2025 proposes sweeping changes. Here is what medical device companies need to know about each major area.
1. Mandatory Encryption (No More "Addressable" Flexibility)
Under the current rule, encryption is an "addressable" safeguard: an organization can decline to implement it if it documents why encryption is not reasonable and appropriate in its environment and what equivalent alternative it uses instead. The NPRM removes that flexibility.
All ePHI would have to be encrypted at rest and in transit, with only narrow, enumerated exceptions (such as an individual's request to receive their own ePHI unencrypted, or a legacy FDA-authorized device covered by a documented transition plan). The rule text does not name algorithms; it points to prevailing cryptographic standards, which in practice means TLS 1.2 or higher (TLS 1.3 preferred) for data in transit and AES-256 or an equivalent authenticated cipher for data at rest, consistent with current NIST guidance. A risk-based decision not to encrypt is no longer an option.
For device companies, this means:
- All patient data stored on device firmware, edge servers, or cloud platforms must be encrypted at rest
- All data transmissions between devices, gateways, and cloud services must use TLS 1.2+
- Encryption key management procedures must be documented
- Legacy devices that do not support encryption require documented compensating controls (network segmentation, encryption offloading, secure gateways)
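The following Go program is an added example (it is not from this page, from OCR, or from any device vendor) of what the two encryption requirements look like inside a gateway or cloud service; it also covers the Encryption items under Step 5 of the compliance program later on the page. It shows a TLS policy pinned at 1.2 with forward-secret AEAD suites, an audit function that flags the settings a penetration tester would report (unpinned or low minimum version, disabled certificate verification, suites Go itself marks insecure), and AES-256-GCM encryption of a stored record that carries a key identifier so data-encryption keys can be rotated without a bulk re-encrypt. The record layout, the key ID scheme, and the sample record are this example's own assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/tls"
	"encoding/binary"
	"errors"
	"fmt"
)

// NewTLSConfig is the policy for device-to-gateway and gateway-to-cloud links: TLS 1.2
// minimum (1.3 is negotiated automatically when both ends support it), forward-secret
// AEAD suites only for 1.2, certificate verification left on.
func NewTLSConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
		},
	}
}

// AuditTLSConfig reports settings that would fail the in-transit requirement.
func AuditTLSConfig(c *tls.Config) []string {
	var findings []string
	if c.MinVersion == 0 {
		findings = append(findings, "MinVersion not pinned; set tls.VersionTLS12 explicitly")
	} else if c.MinVersion < tls.VersionTLS12 {
		findings = append(findings, "MinVersion permits TLS 1.0/1.1")
	}
	if c.InsecureSkipVerify {
		findings = append(findings, "InsecureSkipVerify disables certificate validation")
	}
	for _, weak := range tls.InsecureCipherSuites() { // suites the Go team has marked insecure
		for _, id := range c.CipherSuites {
			if id == weak.ID {
				findings = append(findings, "insecure cipher suite enabled: "+weak.Name)
			}
		}
	}
	return findings
}

// Sealed record layout (assumed): keyID (4 bytes, big-endian) || nonce (12) || AES-256-GCM output.
const keyIDLen = 4

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealRecord encrypts one ePHI record under the data-encryption key identified by keyID.
// The record identifier is bound as associated data, so a ciphertext cannot be moved
// between two patients' records without detection.
func SealRecord(keyID uint32, key []byte, recordID string, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := make([]byte, keyIDLen, keyIDLen+len(nonce)+len(plaintext)+aead.Overhead())
	binary.BigEndian.PutUint32(out, keyID)
	out = append(out, nonce...)
	return aead.Seal(out, nonce, plaintext, []byte(recordID)), nil
}

// KeyIDOf returns the key version a record was sealed under, so the right key can be
// fetched from the KMS; this is what lets keys rotate without re-encrypting everything.
func KeyIDOf(sealed []byte) (uint32, error) {
	if len(sealed) < keyIDLen {
		return 0, errors.New("sealed record too short")
	}
	return binary.BigEndian.Uint32(sealed[:keyIDLen]), nil
}

// OpenRecord authenticates and decrypts a sealed record; any change to the ciphertext,
// nonce, or record identifier yields an error rather than garbage plaintext.
func OpenRecord(key []byte, recordID string, sealed []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	hdr := keyIDLen + aead.NonceSize()
	if len(sealed) < hdr+aead.Overhead() {
		return nil, errors.New("sealed record too short")
	}
	return aead.Open(nil, sealed[keyIDLen:hdr], sealed[hdr:], []byte(recordID))
}

func main() { fmt.Println("TLS policy findings:", AuditTLSConfig(NewTLSConfig())) }
```

The audit returns no findings for the hardened policy and three for a configuration that sets TLS 1.0 as the minimum, turns on `InsecureSkipVerify`, and enables an RC4 suite. Binding the record identifier as associated data is what stops a sealed ciphertext from being swapped between two patients' records; the key identifier is the hook for the documented key management procedure, not a secret.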
2. Mandatory Multi-Factor Authentication
MFA becomes required for all technology assets and accounts that access ePHI, with only limited, documented exceptions:
- Cloud consoles and administrative interfaces
- Remote access (VPN, RDP, SSH)
- EHR integrations
- Customer support portals that may access patient data
- Any privileged or administrative accounts
The proposal also emphasizes phishing-resistant MFA methods where feasible.
3. Network Segmentation
The NPRM introduces a network segmentation mandate — covered entities and business associates must segment networks to isolate ePHI systems from general-purpose and IoT networks. For device manufacturers, this means:
- Medical device communication channels should be logically separated from enterprise IT networks
- Cloud environments hosting PHI must use dedicated virtual networks or subscriptions
- Network maps documenting all ePHI data flows are required
4. Technology Asset Inventory and Network Mapping
Organizations must maintain a comprehensive, current inventory of all technology assets that create, receive, maintain, or transmit ePHI, along with a network map showing how these assets connect. The inventory must be updated at least annually and upon any significant change.
This is particularly challenging for IoMT environments. Device companies must inventory:
- All connected devices and their firmware versions
- Cloud services and APIs that process patient data
- Data flow diagrams from device sensor → gateway → cloud → customer
- Third-party integrations and subcontractor systems
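As an added example (not the page's or any vendor's code), the Go program below treats the asset inventory and network map as data and checks them against a segmentation and encryption policy, which covers the segmentation mandate above as well as the legacy-device compensating controls discussed later on the page. The zone names, the peer policy, the `Exception` field (a reference to a documented transition plan for a pre-March 2023 FDA-authorized device that cannot encrypt), and the sample deployment are all assumptions constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
)

// Zone is a network segment. The names and the peer policy are this example's assumptions.
type Zone string

const (
	ZoneLegacy     Zone = "legacy-device-vlan" // unpatchable devices that cannot encrypt
	ZoneDevice     Zone = "device-vlan"
	ZoneGateway    Zone = "gateway"
	ZoneCloudPHI   Zone = "cloud-phi-vnet"
	ZoneEnterprise Zone = "enterprise-it"
)

// segmentationPolicy lists, for each source zone, the zones it may open flows to.
var segmentationPolicy = map[Zone][]Zone{
	ZoneLegacy:     {ZoneGateway},
	ZoneDevice:     {ZoneGateway, ZoneCloudPHI},
	ZoneGateway:    {ZoneLegacy, ZoneDevice, ZoneCloudPHI},
	ZoneCloudPHI:   {ZoneGateway, ZoneCloudPHI},
	ZoneEnterprise: {ZoneEnterprise},
}

type Asset struct {
	ID, Owner, Firmware string
	Zone                Zone
	HoldsPHI            bool
	// Exception names the documented transition plan for a pre-March-2023 FDA-authorized
	// device that cannot encrypt; empty means no exception is on file.
	Exception string
}

type Flow struct {
	From, To string
	PHI, TLS bool
}

type Inventory struct {
	Assets map[string]Asset
	Flows  []Flow
}

func allowed(from, to Zone) bool {
	for _, z := range segmentationPolicy[from] {
		if z == to {
			return true
		}
	}
	return false
}

// Check returns sorted findings: inventory gaps, segmentation violations, unencrypted
// ePHI flows without a documented exception, and exceptions that must be tracked.
func (inv Inventory) Check() []string {
	var out []string
	for id, a := range inv.Assets {
		if a.HoldsPHI && (a.Owner == "" || a.Firmware == "") {
			out = append(out, "INVENTORY: "+id+" holds ePHI but owner or firmware version is missing")
		}
		if a.HoldsPHI && a.Zone == ZoneEnterprise {
			out = append(out, "SEGMENTATION: "+id+" holds ePHI on the enterprise IT network")
		}
	}
	for _, f := range inv.Flows {
		src, okS := inv.Assets[f.From]
		dst, okD := inv.Assets[f.To]
		if !okS || !okD {
			out = append(out, "INVENTORY: flow "+f.From+"->"+f.To+" references an asset not in the inventory")
			continue
		}
		if !allowed(src.Zone, dst.Zone) {
			out = append(out, fmt.Sprintf("SEGMENTATION: %s (%s) -> %s (%s) is not permitted", f.From, src.Zone, f.To, dst.Zone))
		}
		switch {
		case !f.PHI || f.TLS:
			// no ePHI, or ePHI already protected in transit
		case src.Zone == ZoneLegacy && dst.Zone == ZoneGateway && src.Exception != "":
			out = append(out, "COMPENSATING: "+f.From+" sends ePHI in clear to "+f.To+" under exception "+src.Exception)
		default:
			out = append(out, "ENCRYPTION: "+f.From+"->"+f.To+" carries ePHI without TLS and no documented exception")
		}
	}
	sort.Strings(out)
	return out
}

// SampleInventory is constructed data: a remote-monitoring deployment with two legacy
// devices, a gateway, a tablet, and a cloud analytics service, with deliberate defects.
func SampleInventory() Inventory {
	return Inventory{
		Assets: map[string]Asset{
			"pump-0193":    {ID: "pump-0193", Owner: "biomed", Firmware: "4.2.1", Zone: ZoneLegacy, HoldsPHI: true, Exception: "TP-2025-07"},
			"ct-console":   {ID: "ct-console", Owner: "radiology", Firmware: "WinCE-6.0", Zone: ZoneLegacy, HoldsPHI: true},
			"gw-east":      {ID: "gw-east", Owner: "platform", Firmware: "2.8.0", Zone: ZoneGateway, HoldsPHI: true},
			"analytics":    {ID: "analytics", Firmware: "2026.01", Zone: ZoneCloudPHI, HoldsPHI: true}, // no owner recorded
			"nurse-tablet": {ID: "nurse-tablet", Owner: "nursing", Firmware: "17.2", Zone: ZoneDevice, HoldsPHI: true},
		},
		Flows: []Flow{
			{From: "pump-0193", To: "gw-east", PHI: true},                 // legacy, exception on file
			{From: "ct-console", To: "gw-east", PHI: true},                // legacy, no exception
			{From: "gw-east", To: "analytics", PHI: true, TLS: true},      // compliant
			{From: "nurse-tablet", To: "erp-server", TLS: true},           // peer not inventoried
			{From: "analytics", To: "nurse-tablet", PHI: true, TLS: true}, // cloud may not reach into device VLAN
		},
	}
}

func main() {
	for _, f := range SampleInventory().Check() {
		fmt.Println(f)
	}
}
```

On the constructed sample it reports five findings: the analytics service has no owner on record, the CT console sends ePHI in the clear with no exception on file, the pump does the same but under a documented exception (a compensating control to track, not a violation), one flow names an asset missing from the inventory, and the cloud service initiates a connection into the device VLAN that the policy does not allow. Re-running a check like this after every inventory change is a cheaper way to meet the "upon any significant change" clause than an annual manual review.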
5. Annual Compliance Audits and Technical Testing
| Requirement | Frequency |
|---|---|
| Comprehensive compliance audit | Every 12 months |
| Security measures review and testing | Every 12 months |
| Vulnerability scanning | Every 6 months |
| Penetration testing | Every 12 months |
| Access review | Quarterly recommended |
6. Incident Response Requirements
The NPRM proposes:
- 24-hour notification from business associates to covered entities (and from subcontractors to business associates) when the business associate activates its contingency plan, for example after a ransomware outage. This is a new obligation that sits alongside the Breach Notification Rule's 60-day outer limit rather than replacing it
- Formal incident response plans must be documented and tested annually
- Organizations must be able to restore ePHI within 72 hours
- Incident response plans must identify critical systems and prioritize restoration
7. Enhanced Business Associate Oversight
BAAs must be updated to include requirements for:
- Encryption and MFA implementation
- Vulnerability scanning schedules
- Notification to the covered entity within 24 hours of activating a contingency plan
- Asset inventory requirements
- Access termination within 1 hour of workforce separation
8. Workforce Security
- Access must be terminated within 1 hour of workforce separation
- New workforce members must receive security awareness training within 30 days
- Role-based access policies must be documented
Business Associate Agreements for Medical Device Companies
When a BAA Is Required
A BAA is required before any business associate accesses PHI on behalf of a covered entity. For medical device companies, common triggers include:
- Cloud-based device data platforms that store or analyze patient data
- Remote monitoring services that transmit patient vitals to healthcare providers
- Technical support where technicians may incidentally view patient data on device screens
- Software maintenance involving access to systems containing ePHI
- Post-market surveillance data collection that includes identifiable patient information
Required BAA Provisions
A HIPAA-compliant BAA must include:
- Permitted uses and disclosures of PHI — specifically defining what the business associate may do
- Safeguard requirements — the business associate must implement administrative, physical, and technical safeguards per the Security Rule
- Breach notification obligations — timeline and format for reporting breaches to the covered entity
- Subcontractor requirements — any subcontractors that access PHI must also sign compliant BAAs
- Return or destruction of PHI — upon termination of the agreement
- Right to audit — the covered entity retains the right to verify compliance
- Reporting and cooperation obligations for government investigations
BAA Update Checklist for the 2026 Changes
If the NPRM is finalized, existing BAAs will need to be updated to include:
- Mandatory encryption of all ePHI (at rest and in transit)
- MFA requirements for all ePHI system access
- 24-hour notification of contingency plan activation (the Breach Notification Rule's 60-day outer limit is unchanged)
- Annual compliance audit and penetration testing requirements
- Technology asset inventory and network map obligations
- Access termination within 1 hour of workforce separation
- Network segmentation requirements
Where HIPAA and FDA Requirements Overlap
Medical device companies face a unique dual-compliance challenge. Both HIPAA and FDA impose cybersecurity requirements, but from different angles:
| Dimension | HIPAA Security Rule | FDA Cybersecurity Guidance |
|---|---|---|
| Scope | Protection of ePHI | Safety and effectiveness of the device |
| Trigger | Access to PHI on behalf of covered entity | Device classification and premarket submission |
| Key standards | NIST SP 800-66, 45 CFR Part 164 | IEC 81001-5-1, AAMI TIR57, FDA premarket guidance |
| Focus | Data confidentiality, integrity, availability | Device safety, secure design, SBOM, vulnerability management |
| Incident reporting | OCR breach notification (60-day outer limit; the NPRM adds 24-hour notice of contingency plan activation) | FDA medical device reporting (MDR) for deaths, serious injuries, and malfunctions, plus the voluntary malfunction summary reporting program |
| Risk framework | Security risk analysis (NIST SP 800-30) | ISO 14971 risk management + cybersecurity risk analysis |
The SPDF Overlap
The FDA's Secure Product Development Framework (SPDF), described in the September 2023 premarket cybersecurity guidance and expected in premarket submissions, overlaps with HIPAA Security Rule requirements for:
- Threat modeling and risk assessment
- Secure software development practices
- Vulnerability management and disclosure
- Software Bill of Materials (SBOM) requirements
- Patch management and update processes
Device companies should align both frameworks rather than treat them as separate compliance exercises. A unified cybersecurity risk assessment can satisfy both HIPAA's risk analysis requirement and FDA's cybersecurity risk analysis, reducing duplication.
Section 524B of the FD&C Act
Since March 2023, Section 524B requires manufacturers of "cyber devices" (devices that include software, can connect to the internet, and could be vulnerable to cybersecurity threats) to:
- Submit with premarket applications a plan to monitor, identify, and address postmarket cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure
- Design, develop, and maintain processes and procedures that provide reasonable assurance the device and related systems are cybersecure
- Make postmarket updates and patches available on a reasonably justified regular cycle for known unacceptable vulnerabilities, and as soon as possible out of cycle for critical vulnerabilities that could cause uncontrolled risk
- Provide a Software Bill of Materials (SBOM) covering commercial, open-source, and off-the-shelf components
- Comply with any other requirements FDA establishes by regulation
This creates a regulatory floor that aligns well with HIPAA's proposed mandatory safeguards.
Building a HIPAA Compliance Program for Your Device Company
Step 1: Determine Your HIPAA Status
- Map all data flows: Document every pathway through which your device or service encounters PHI
- Identify covered entity relationships: List all hospital, clinic, and health plan customers
- Classify your role: Are you a business associate, a subcontractor, or neither?
- Execute BAAs: If you are a business associate, ensure compliant BAAs are in place with every covered entity
Step 2: Conduct a Comprehensive Risk Analysis
A HIPAA-compliant risk analysis must:
- Inventory all systems that create, receive, maintain, or transmit ePHI
- Identify threats and vulnerabilities to each system
- Assess the likelihood and impact of each threat
- Document existing safeguards
- Prioritize remediation based on risk level
- Use NIST SP 800-30 or equivalent methodology
- Be updated at least annually (or when significant changes occur)
Step 3: Implement Administrative Safeguards
- Designate a Security Official with documented authority
- Develop written security policies and procedures
- Implement workforce security clearance and termination procedures
- Establish security awareness training (within 30 days of hire for new workforce)
- Create information access management policies (role-based, minimum necessary)
- Develop security incident response procedures
- Establish a business associate management program
Step 4: Implement Physical Safeguards
- Facility access controls (badge systems, visitor logs, locked server rooms)
- Workstation security policies (screen privacy, clean desk, automatic logoff)
- Device and media controls (inventory, tracking, secure disposal, encryption)
Step 5: Implement Technical Safeguards
Access Controls:
- Unique user identification for every workforce member
- Person or entity authentication, with MFA on every interactive and administrative login
- Role-based access controls enforcing minimum necessary
- Emergency access procedures
- Automatic logoff (configurable timeout)
Audit Controls:
- Centralized logging for all ePHI access and activity
- Tamper-evident log storage (append-only or hash-chained, forwarded off the system that produced the events) with a defined retention period
- Regular audit log review
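An added example (not from the page) of the tamper-evident part in Go: an append-only audit log whose entries are chained through HMAC-SHA256 tags, a verifier that reports the first entry that was edited, reordered, or removed, and an anchor check that catches deletion of the newest entries, which a chain alone cannot see. The entry fields, the collector-held key, and the sample events are this example's own assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"time"
)

// Entry is one ePHI access event. Prev links it to the previous entry's tag and Tag is an
// HMAC over every field, so editing, reordering, or removing an entry breaks the chain.
type Entry struct {
	Seq      uint64
	Time     string // RFC 3339, UTC
	Actor    string
	Action   string // e.g. "read", "export"
	RecordID string
	Prev     string // hex tag of the previous entry; genesis for the first
	Tag      string // hex HMAC-SHA256 of the canonical encoding
}

const genesis = "0000000000000000000000000000000000000000000000000000000000000000"

// canonical length-prefixes every field so no separator inside a field can collide.
func canonical(e Entry) []byte {
	b := make([]byte, 8)
	binary.BigEndian.PutUint64(b, e.Seq)
	for _, s := range []string{e.Time, e.Actor, e.Action, e.RecordID, e.Prev} {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(s)))
		b = append(append(b, n[:]...), s...)
	}
	return b
}

func tagOf(key []byte, e Entry) string {
	m := hmac.New(sha256.New, key)
	m.Write(canonical(e))
	return hex.EncodeToString(m.Sum(nil))
}

// headOf returns the count and last tag of a chain (0 and genesis when empty).
func headOf(entries []Entry) (uint64, string) {
	if k := len(entries); k > 0 {
		return entries[k-1].Seq, entries[k-1].Tag
	}
	return 0, genesis
}

// AuditLog is the writer side. The key belongs to the log collector; an attacker who can
// rewrite stored entries but cannot reach the key cannot produce valid tags.
type AuditLog struct {
	key     []byte
	entries []Entry
}

func (l *AuditLog) Append(at time.Time, actor, action, recordID string) Entry {
	n, prev := headOf(l.entries)
	e := Entry{Seq: n + 1, Time: at.UTC().Format(time.RFC3339),
		Actor: actor, Action: action, RecordID: recordID, Prev: prev}
	e.Tag = tagOf(l.key, e)
	l.entries = append(l.entries, e)
	return e
}

// Entries returns a copy, as a reviewer or SIEM would read the log back from storage.
func (l *AuditLog) Entries() []Entry { return append([]Entry(nil), l.entries...) }

// Anchor is the count and head tag to record outside the log store.
func (l *AuditLog) Anchor() (uint64, string) { return headOf(l.entries) }

// Verify returns the index of the first entry whose sequence number, back-link, or tag is
// wrong, or -1 if the chain is internally consistent.
func Verify(key []byte, entries []Entry) int {
	prev := genesis
	for i, e := range entries {
		if e.Seq != uint64(i)+1 || e.Prev != prev || !hmac.Equal([]byte(e.Tag), []byte(tagOf(key, e))) {
			return i
		}
		prev = e.Tag
	}
	return -1
}

// VerifyAnchored also requires the chain to end exactly at the recorded anchor, which is
// the only way to notice that the newest entries were deleted.
func VerifyAnchored(key []byte, entries []Entry, n uint64, head string) error {
	if i := Verify(key, entries); i >= 0 {
		return fmt.Errorf("chain broken at entry %d", i)
	}
	if gotN, gotHead := headOf(entries); gotN != n || gotHead != head {
		return fmt.Errorf("chain has %d entries, anchor records %d (tail truncated or replaced)", gotN, n)
	}
	return nil
}

func main() {
	l := &AuditLog{key: []byte("collector-key-from-kms")} // constructed key for the example
	l.Append(time.Now(), "dr.lee", "read", "patient-0042")
	fmt.Println("chain intact:", Verify(l.key, l.Entries()) == -1)
}
```

The HMAC key must live with the log collector or SIEM, not on the host that generates the events; an attacker who can rewrite stored entries but not reach the key cannot produce valid tags. Record the anchor somewhere the log store cannot touch (a signed daily digest works) and check the chain against it as part of the periodic log review.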
Encryption:
- ePHI at rest: AES-256 or equivalent
- ePHI in transit: TLS 1.2 or higher
- Key management procedures documented
Integrity Controls:
- Mechanisms to detect unauthorized alteration of ePHI
- Backup and recovery procedures
Network Segmentation:
- Isolate ePHI systems from general IT and IoT networks
- Document network architecture and data flows
- Implement firewall rules and access control lists
Step 6: Establish Ongoing Compliance Operations
| Activity | Frequency | Documentation |
|---|---|---|
| Risk analysis update | Annual + upon change | Written risk analysis report |
| Compliance audit | Annual | Audit report with findings |
| Vulnerability scanning | Semi-annual | Scan results and remediation log |
| Penetration testing | Annual | Pen test report |
| Access review | Quarterly | Review documentation |
| Security training | Annual + new hire within 30 days | Training records |
| Incident response test | Annual | Tabletop exercise report |
| BAA review | Annual | Updated agreements as needed |
| Asset inventory update | Annual + upon change | Inventory and network map |
Common Compliance Challenges and Solutions
Legacy Devices That Cannot Support Encryption
Many deployed medical devices run operating systems that cannot support modern encryption. The NPRM includes a provision for pre-March 2023 FDA-approved devices, but only when paired with a documented migration plan. Compensating controls include:
- Network segmentation to isolate legacy devices
- Encryption offloading through secure gateways
- Data loss prevention (DLP) monitoring
- Enhanced logging and anomaly detection
Cloud Service Provider Compliance
If your device platform uses cloud services (AWS, Azure, GCP), the cloud provider is typically a business associate subcontractor. Requirements include:
- Execute BAAs with cloud providers (most major providers offer standard HIPAA BAAs)
- Verify that cloud configurations meet encryption requirements
- Implement cloud-specific access controls and logging
- Document cloud architecture in your network map
- Verify that cloud services are configured for HIPAA compliance (not all default configurations meet requirements)
Third-Party Component Risk
If your device uses third-party software components that process PHI:
- Include HIPAA requirements in vendor security assessments
- Verify that component suppliers maintain appropriate safeguards
- Include flow-down provisions in subcontractor agreements
- Monitor vendor security posture continuously
Incident Response Coordination
Device companies must coordinate incident response with multiple stakeholders:
- The covered entity (per BAA requirements)
- FDA (if the incident involves a device safety issue)
- Subcontractors and cloud providers
- Legal counsel
- Potentially state attorneys general (many states have breach notification laws with shorter timelines than HIPAA)
Compliance Timeline: Preparing for the 2026 NPRM
If the Security Rule NPRM is finalized in May 2026, organizations may have approximately 240 days to comply. Here is a recommended preparation timeline:
Immediate Actions (Now)
- Complete a comprehensive ePHI inventory and data flow map
- Assess current encryption posture for all systems handling ePHI
- Identify systems lacking MFA and prioritize deployment
- Review all existing BAAs for gaps against proposed requirements
- Designate or confirm your Security Official
60-Day Sprint
- Commission a NIST SP 800-30-aligned risk analysis
- Draft updated security policies reflecting proposed mandatory requirements
- Begin MFA deployment on highest-risk systems
- Initiate BAA renegotiation with all business associates and subcontractors
180-Day Build-Out
- Deploy or expand vulnerability scanning and centralized logging
- Implement network segmentation for all ePHI environments
- Establish patch management SLAs and exception governance
- Conduct a tabletop incident response exercise
- Complete encryption deployment for ePHI at rest and in transit
240-Day Compliance
- Complete all mandatory safeguard implementations
- Update and execute all new BAAs
- Conduct initial compliance audit against the finalized rule
- Document all policies, procedures, and evidence
- Train all workforce members on updated requirements
Key Takeaways
Determine your status: If your device or service touches PHI on behalf of a covered entity, you are a HIPAA business associate — full stop.
The 2026 NPRM raises the bar: Encryption, MFA, network segmentation, semi-annual vulnerability scanning, annual penetration testing, and 24-hour notice to your customers when you activate your contingency plan are likely to become mandatory requirements, not optional best practices.
Align HIPAA with FDA cybersecurity: Both frameworks address overlapping security concerns. A unified risk assessment and security program can satisfy both, reducing duplication and cost.
Legacy devices are the hardest problem: The HIMSS survey found 60% of healthcare organizations cannot adequately protect unpatchable medical devices. Documented compensating controls and migration plans are essential.
Start now: Even before the NPRM is finalized, the proposed requirements reflect current cybersecurity best practices. Organizations that begin implementation now will have a significant advantage when compliance deadlines arrive.
Sources and Further Reading
- HHS HIPAA Security Rule NPRM (January 2025): Federal Register document 2024-30983
- OCR January 2026 Cybersecurity Newsletter: HHS guidance on system hardening for medical devices
- FDA Cybersecurity in Medical Devices Guidance (September 2023)
- NIST SP 800-66 Rev. 2: Implementing the HIPAA Security Rule
- AAMI TIR57: Principles for medical device security risk management
- IEC 81001-5-1: Health software and health IT systems cybersecurity