We understand that most of our U.S. customers are "Covered Entities" under the Health Insurance Portability and Accountability Act ("HIPAA") privacy and security regulations. As HIPAA Covered Entities, our customers are legally obligated to maintain the privacy of all patient information that they create or receive.

While Boston Scientific is not a HIPAA Covered Entity (except for certain portions of our group health plan and a small portion of our Neurovascular subsidiary, which is a hybrid entity), we recognize the impact that HIPAA privacy and security regulations have on our customers. Boston Scientific remains committed to interacting with our customers and their patients as responsible professionals who are dedicated to maintaining the privacy of information that we receive on the job, consistent with applicable law and regulations.

To perform our jobs, Boston Scientific employees may create, develop or receive information about patients' experiences with our medical devices in a variety of situations, including:

• Providing information or technical support for our products
• Interacting with other members of the health care provider team regarding a particular patient's diagnosis and treatment
• Receiving questions and suggestions about our products and services from patients, nurses, physicians and other health care providers
• Enrolling patients in clinical trials we sponsor and in our remote monitoring system for certain cardiac rhythm management patients
• Collecting information as required by the FDA and other governmental authorities relating to the quality, safety and efficacy of our devices
• Collecting, analyzing and re-analyzing our data in a continuous effort to improve the design, quality and function of our devices

We have provided training materials on HIPAA to our sales and marketing teams and expect our employees to respect each customer's explicit and implicit instructions regarding incidental exposure to protected health information while visiting that customer's site.

If you have any questions or concerns, please contact us at HIPAA@bsci.com .

HIPAA Freqeuently Asked Questions

Question: Is Boston Scientific a business associate of our customers?
Answer: Generally, no. In February 2004, the Department of Health and Human Services - Office of Civil Rights ("HHS") answered the question – "Is an authorization or business associate agreement needed to share information with a medical device company?" Click here to connect to that FAQ.

As Boston Scientific has thought for some time, and as you will see in the HHS FAQ, neither a patient authorization nor a business associate agreement is needed for medical device company representatives to receive PHI for the covered provider's treatment, payment or health care operation purposes, or for the medical device company's treatment or payment purposes.

Based on our analysis of HIPAA and this clarification from the HHS, it is clear that we should not need to enter into a business associate agreement with the vast majority of our customers. The exception to this is when Boston Scientific is providing repair services on an piece of "smart" equipment (e.g., an intravascular ultrasound console) and when you participate in our Latitude® Patient Management System. In those instances, we have incorporated a business associate agreement into our service contracts and into the process by which customers sign up to participate in the Latitude Patient Management System.

Please understand that even when we are not your business associate, Boston Scientific makes commercially reasonable efforts to ensure that all PHI is treated in a confidential fashion. Boston Scientific applauds the well-reasoned conclusion of HHS and hopes that this alleviates many of the administrative burdens on covered entities and medical device companies.

Question: Is Boston Scientific a HIPAA covered entity?
Answer: No, other than our group health plans. Our Neurovascular subsidiary is a HIPAA "hybrid" entity, with a small portion of it being a HIPAA covered entity.

Question: Are Boston Scientific representatives "health care providers" for HIPAA purposes?
Answer: Yes, but only for HIPAA purposes and not for any other purpose. The HIPAA privacy regulations (45 CFR 164.103) define "health care provider" to include "any other person or organization who furnishes, bills, or is paid for health care in the normal course of business." As a health care provider, Boston Scientific representatives may participate in treatment discussions with other health care providers. Note that Boston Scientific is not a health care provider for any other purpose, and expects that the physician leading the team of health care providers will remain responsible for all patient care decisions.