Essentially, the HIPAA model depends on purchasers demanding compliance from products that are already on the market, in contrast to the FDA's barrier to entry: CEs purchasing products or services from a BA, and individual consumers purchasing products or services from a CE, must have the requisite bargaining power and knowledge to ensure CE or BA compliance prior to purchase.[173] If CEs or BAs choose not to comply fully with HIPAA, consumers or CEs either accept the risk or file a complaint with the OCR.[174] Conversely, where BAs have less bargaining power, CEs may demand requirements more stringent than HIPAA compliance requires,[175] potentially creating additional barriers to market entry, or a lack of good faith and fair dealing when BAs agree to terms they cannot meet.[176] HIPAA's lack of preemptory power, the wide variation in bargaining power between parties, and its "after the fact" compliance management are a poor fit for mass-produced or developed digital health products and services, which offer fewer opportunities for significant change after development or manufacture.[177] When a manufacturer has developed a product or service offering before selling to a
Accountability Act. In contrast, approval-based compliance with continuing obligations provides a better fit, both to ensure compliance before market entry in order to safeguard safety in the digital health marketplace and ultimately to instill consumer confidence; see Part III, The U.S. Food and Drug Administration: Reluctant Leader.
173. Deven McGraw et al., Business Associate Compliance With HIPAA: Findings From a Survey of Covered Entities and Business Associates, MANATT, https://www.
Although HITECH updates made clear BAs' independent HIPAA compliance, somewhat removing complete reliance on a pull model, Congress presupposes that the OCR knows of a particular organization and holds it accountable. While the OCR could use various measures to identify BAs, such as registration of Business Associate Agreements or annual disclosures of BAs, Congress has not yet required such actions of Covered Entities; compare Part II, HIPAA, with Part II, FDCA (particularly noting the substantial activities required of organizations seeking to market products in the United States).
174. How to File a Health Information Privacy or Security Complaint, U.S. DEP'T HEALTH & HUMAN SERVS., http://www.hhs.gov/hipaa/filing-a-complaint/complaint-process/index.html (last visited Aug. 10, 2016) (explaining that, despite a complaint process, complaints filed after product development cannot prevent data exposure or potential physical injuries, simply because enforcement action occurs after development and product release).
175. See McGraw et al., supra note 173 (noting how variability in compliance terms can create market issues: in particular, with unpredictable expectations, some organizations may face a significant barrier to entry in the market, reducing competition).
176. Id. (describing that some BAs may agree to terms without fully understanding their obligations, and that some CEs may not have the requisite resources to conduct risk assessments on all BAs to ensure compliance).
177. See Part II, HIPAA Security Rule, and accompanying notes (noting that HIPAA works more effectively for organizations that manage ongoing HIPAA compliance, such as health care providers, because such organizations can plan additions and changes to privacy and security programs, and HIPAA requirements heavily reference privacy and security business processes) (explaining that for medical devices, substantial issues identified after the fact can involve recalls, costing significant amounts of money).