Virtually all sectors of the health care industry are feeling the impact of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") privacy regulations, and our customers are no exception.

Compliance with the Privacy Rule was required commencing on April 14, 2003. The Privacy Rule applies to three types of "covered entities": (1) health care providers that engage in certain electronic transactions; (2) health plans; and (3) health care clearinghouses. Covered entities are required to enter into "business associate agreements" with vendors and other third parties that receive protected health information in the course of providing services on behalf of the covered entity.

Cholestech Is Not A HIPAA Covered Entity

Cholestech provides diagnostic products for health care professionals to use in testing for cholesterol and related lipids, blood glucose, liver enzymes and hs-CRP. Cholestech's activities manufacturing and selling products such as the Cholestech LDX^® System do not cause it to be a health care provider, a health plan or a health care clearinghouse, as those terms are defined by HIPAA. Therefore, Cholestech is not a HIPAA covered entity.

In the commentary to the proposed Privacy Rule published in the Federal Register on December 28, 2000, the Department of Health and Human Services ("HHS") clarified this issue, stating, "... Device manufacturers are not health care providers simply by virtue of their manufacturing activities" (page 82568).

HHS also agreed with one commenter who noted that "... an entity does not become a 'covered entity' by providing a device to an individual on which protected health information may be stored, provided that the company itself does not store the individual's health information" (page 82621).

Cholestech does not store any health information of its customers. During a product demonstration, we may request a blood sample from a volunteer to show how our equipment works. We do not retain any information relating to these samples or the test results and, therefore, receive no protected health information from our customers.

Cholestech Is Not A HIPAA Business Associate

Cholestech is not a business associate of its customers that are HIPAA covered entities for two reasons: (1) we do not perform services on behalf of customers (we simply sell our medical devices); and (2) we do not retain protected health information of our customers (as discussed above). Therefore, our customers are not required to enter into HIPAA business associate agreements with Cholestech.

If you have questions regarding this information or about Cholestech Systems, call 877.441.7440.