Legal: Take Care Not to Trigger HIPAA When Outsourcing Medical 3D Printing


3D printed heart (copyright Materialise)

Written by Erik Birkeneder and Valerie Breslin Montague

Doctors are increasingly printing 3D models of a patient’s anatomy to plan for surgery or to aid in diagnosis. For instance, a cardiac surgeon may take an MRI or CT scan of a patient’s heart to create a plastic model of the heart to plan a valve repair. However, many hospitals do not have 3D printing equipment in-house, so the hospital may send the MRI or CT scans to a company that specializes in 3D printing. Sending these scans outside the walls of the hospital could trigger the privacy and security requirements of HIPAA.

When health care providers send data with certain patient “identifiers” to third parties, the arrangement generally triggers HIPAA. In the case of 3D printing, the substance of what is transmitted, oftentimes a scan of an organ or body part, may not be deemed to be “identifiable” under HIPAA. For example, patient identifiers include the obvious information like names and social security numbers, but also include “biometric identifiers, including finger and voice prints,” “full face photographic images and any comparable images,” and “any other unique identifying number, characteristic or code.” Although many organ, tissue, bone and other body part scans likely will not be deemed to identify a particular patient, others might, such as images that contain fingerprints or dental models.

Prior to transmitting any images or data, health care providers must analyze whether the information to be sent to the 3D printing company is subject to HIPAA (or any other state or federal laws protecting patient confidentiality). If the information does contain patient-identifiable information, referred to as “protected health information” under HIPAA, whether due to the content of the image, the patient’s name or record number on the image, or other data identifying the patient in what is transmitted, the provider must enter into a HIPAA business associate agreement with the 3D printing company.

3D printing companies also should take care when preparing models for hospitals, physicians and other health care providers. Generally, if a 3D printing company is the recipient of protected health information, the company becomes a “business associate,” subject to a number of the HIPAA regulations, such as requirements to adopt designated policies and procedures, conduct a security risk assessment and train the company’s workforce on HIPAA compliance. The company can avoid these compliance efforts by working with its health care clients to ensure that no protected health information is transmitted during the arrangement.

Disclaimer: The foregoing is not intended to convey or constitute legal advice, and is not a substitute for obtaining legal advice from a qualified attorney. You should not act upon any such information without first seeking qualified professional counsel on your specific matter.

Erik Birkeneder is an intellectual property attorney at Nixon Peabody who focuses on health care related patents. Erik also serves as outside general counsel for a number of digital health companies and helps them navigate the unique privacy and other regulatory hurdles facing this industry, including in 3D printing. He has a Master’s in Biomedical Engineering from the University of Wisconsin–Madison, where he performed research on the impact of neuropeptides on wound healing in diabetics, and has a law degree from the University of Minnesota.
Valerie Montague Breslin
Valerie Montague represents a variety of health care providers, digital health vendors, senior living facilities, nonprofit trade associations, life sciences companies and vendors of health care providers. Valerie is a Certified Information Privacy Professional/United States (CIPP/US), the preeminent credential in the field of privacy.