Is Hologic HIPAA Compliant? BAAs, Safeguards, and What Healthcare Teams Need to Know
Hologic's Role in HIPAA Compliance
HIPAA does not “certify” vendors. Instead, compliance is a shared responsibility between you (the covered entity) and any partners who create, receive, maintain, or transmit Protected Health Information (PHI) for you. When a vendor can access PHI, HIPAA generally requires a Business Associate Agreement (BAA) and appropriate safeguards. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/faq/2075/may-a-hipaa-covered-entity-or-business-associate-use-cloud-service-to-store-or-process-ephi/index.html?utm_source=openai))
As a medical technology manufacturer, Hologic can be a business associate in scenarios such as remote support, cloud analytics, or hosted portals. In those cases, the company must implement administrative, physical, and technical safeguards and follow the Minimum Necessary Standard—limiting PHI to the least amount needed for a task. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/minimum-necessary-requirement/index.html?utm_source=openai))
Business Associate Agreements with Hologic
A Business Associate Agreement (BAA) is the contract that sets HIPAA-required duties when Hologic handles PHI on your behalf—for example, during remote service or when using cloud‑based tools. HHS guidance is clear: a HIPAA‑compliant BAA is required whenever a vendor will create, receive, maintain, or transmit ePHI for you. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/faq/2075/may-a-hipaa-covered-entity-or-business-associate-use-cloud-service-to-store-or-process-ephi/index.html?utm_source=openai))
Hologic’s corporate filings represent that the company conducts HIPAA risk analysis and enters into HIPAA‑compliant business associate agreements with relevant parties, indicating institutional processes to meet HIPAA obligations when applicable. In procurement, you should confirm BAA coverage for remote access, subcontractors, breach notification timelines, and data retention. ([hologic.com](https://www.hologic.com/sites/default/files/8-K%20%26%20Agreement.pdf))
Safeguards Implemented by Hologic
Hologic’s customer contracts reference HIPAA and commit to keeping PHI confidential when accessed in the course of services—an administrative safeguard that should align with your own privacy and security program. Their Professional Services and Sales Terms both include HIPAA compliance and PHI confidentiality language. ([hologic.com](https://www.hologic.com/sites/default/files/Hologic%20Professional%20Services%20Terms%20and%20Conditions%20V04.25.24.pdf))
On the technical side, Hologic product materials and privacy notices describe measures such as encryption and reasonable protections against unauthorized access—controls you should verify and incorporate into your risk management and vendor oversight. ([investors.hologic.com](https://investors.hologic.com/press-releases/press-release-details/2019/Hologic-Launches-Breakthrough-Business-Intelligence-Tool-Unifi-Analytics-to-Maximize-Efficiency-and-Reduce-Downtime-in-the-Mammography-Suite/default.aspx?utm_source=openai))
Data Handling Practices
For connected software, Hologic has stated that Unifi Analytics distributes data through encrypted channels and uses de‑identification in accordance with HIPAA privacy rules—helpful when you are applying the Minimum Necessary Standard in imaging operations. Confirm what telemetry, logs, and identifiers leave your environment and ensure contracts reflect those flows. ([investors.hologic.com](https://investors.hologic.com/press-releases/press-release-details/2019/Hologic-Launches-Breakthrough-Business-Intelligence-Tool-Unifi-Analytics-to-Maximize-Efficiency-and-Reduce-Downtime-in-the-Mammography-Suite/default.aspx?utm_source=openai))
Hologic’s Sales Terms distinguish “Performance Data” (owned by Hologic) from PHI and state that Performance Data does not include PHI—an important contractual boundary. Validate this distinction in your deployment, and document any PHI that might be processed during support or analytics to keep your BAA and risk analysis accurate. ([hologic.com](https://www.hologic.com/sites/default/files/Hologic%20Sales%20Terms%20and%20Conditions%20-%20V08.7.24.pdf))
Cybersecurity Measures in Medical Devices
Hologic publishes Manufacturer Disclosure Statement for Medical Device Security (MDS2) documents and cybersecurity product reports for systems such as 3Dimensions/Dimensions, SecurView, APEX, and Unifi Workspace. Use these MDS2 disclosures to map encryption, authentication, auditing, patching, and network requirements into your medical device cybersecurity program. ([hologic.com](https://www.hologic.com/support/usa/Breast-Skeletal-Products-Cybersecurity/MDS2-forms?utm_source=openai))
In parallel, review product IT notes (for example, for Unifi Connect) to understand connectivity, ports, and remote access pathways, then enforce segmentation, least privilege, and monitoring across your clinical network. ([hologic.com](https://www.hologic.com/sites/default/files/2022-09/MISC-07654_02-UNIFI-CONNECT-IT-INFORMATION.pdf?utm_source=openai))
Coordinated Vulnerability Disclosure Policy
Hologic maintains a Coordinated Vulnerability Disclosure (CVD) policy covering its products and digital assets and participates as a CVE Numbering Authority (CNA). This enables coordinated reporting, triage, and remediation of vulnerabilities—including clear handling if PHI is encountered—supporting faster, safer patch workflows in healthcare environments. ([hologic.com](https://www.hologic.com/security/coordinated-vulnerability-disclosure-policy?utm_source=openai))
FDA Warning Letter Impact
On December 18, 2024, the FDA issued a Warning Letter to Hologic concerning the BioZorb implantable radiographic marker line. Cited issues included design control deficiencies and late/insufficient Medical Device Reporting under the Federal Food, Drug, and Cosmetic Act (FD&C Act). Hologic subsequently discontinued manufacturing and placed the product on stop‑ship. ([fda.gov](https://www.fda.gov/inspections-compliance-enforcement-and-criminal-investigations/warning-letters/hologic-inc-698214-12182024))
Separately, the FDA classified related actions as Class I recall events and issued a “Do Not Use” Safety Communication. While these device‑quality findings are not HIPAA issues, they matter to your governance: strengthen vendor oversight, track field actions, and ensure your incident and risk processes address both medical device cybersecurity and postmarket safety communications. ([fda.gov](https://www.fda.gov/medical-devices/medical-device-recalls/hologic-inc-recalls-biozorb-marker-due-complications-implanted-devices))
FAQs
What is a Business Associate Agreement with Hologic?
A Business Associate Agreement (BAA) is the HIPAA‑mandated contract you execute with Hologic whenever the company will create, receive, maintain, or transmit PHI for you (for example, through remote support or cloud analytics). HHS requires such agreements for vendors handling ePHI, and Hologic’s corporate representations indicate it enters into HIPAA‑compliant BAAs as applicable. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/faq/2075/may-a-hipaa-covered-entity-or-business-associate-use-cloud-service-to-store-or-process-ephi/index.html?utm_source=openai))
How does Hologic protect Protected Health Information?
Protection is layered. Contractually, Hologic agrees to keep PHI confidential when accessed during services. Technically, product materials reference encryption and reasonable safeguards; Unifi Analytics in particular has been described as using encrypted channels and de‑identification aligned with HIPAA privacy rules. Use each product’s MDS2 and cybersecurity report to verify encryption, access control, logging, and update practices in your environment. ([hologic.com](https://www.hologic.com/sites/default/files/Hologic%20Professional%20Services%20Terms%20and%20Conditions%20V04.25.24.pdf))
Are Hologic's medical devices HIPAA compliant?
No device is “HIPAA certified.” Compliance depends on how you deploy and operate systems, the safeguards you implement, and whether a proper BAA is in place when vendors can access PHI. Hologic supports this effort with detailed MDS2 documentation and product cybersecurity reports that you should integrate into your medical device cybersecurity and HIPAA risk analysis. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/faq/2075/may-a-hipaa-covered-entity-or-business-associate-use-cloud-service-to-store-or-process-ephi/index.html?utm_source=openai))
What were the FDA concerns about Hologic's BioZorb product?
The FDA’s December 18, 2024 Warning Letter cited quality system and reporting violations for the BioZorb line, including design control gaps and failures to submit timely Medical Device Reports. FDA also issued a “Do Not Use” Safety Communication and classified related recall actions at the most serious level. These findings relate to device regulation under the FD&C Act rather than HIPAA, but they underscore the need for vigilant vendor and product risk management. ([fda.gov](https://www.fda.gov/inspections-compliance-enforcement-and-criminal-investigations/warning-letters/hologic-inc-698214-12182024))