HIPAA Compliance for Nephrology and Dialysis Centers

What makes HIPAA compliance distinct for nephrology and dialysis is the combination of chronicity, physical layout, and mandatory federal reporting. An end-stage renal disease patient is typically treated three times a week for years, so a dialysis center accumulates an unusually deep longitudinal record on every patient — and is also one of the few outpatient settings where care is delivered in an open bay, with chairs, monitors, and conversations visible and audible across the floor.

The open treatment floor is a physical-safeguards problem

In most specialties, PHI exposure is a digital question. On a dialysis floor it is also a physical one. Machine screens display patient names and treatment parameters within sight of neighboring chairs; staff discuss fluid removal and lab values in earshot of other patients; clipboards and access ports sit in shared space. HIPAA’s physical safeguards at 45 CFR § 164.310 and the incidental-disclosure provisions require centers to angle monitors, lower voices, and position workstations so that routine care does not broadcast one patient’s information to the patient three feet away.

Mandatory CMS reporting does not lower the security bar

Dialysis facilities must submit clinical and patient data to CMS through the End-Stage Renal Disease Quality Reporting System (EQRS, the successor to CROWNWeb). That reporting is required, but it does not relax security obligations — the credentials, transmission, and staff access to that system are all in scope, and a facility still has to protect the data it extracts and uploads.

Home dialysis and remote monitoring extend the perimeter

Peritoneal dialysis cyclers and home hemodialysis machines increasingly transmit treatment data back to the clinic and to device manufacturers. The moment ePHI leaves the patient’s home and flows through a device maker’s platform, that vendor is a business associate and needs a BAA. Transplant coordination — sharing records with transplant centers and organ procurement organizations — adds another set of external data flows to account for.

The Security Risk Analysis and the 2026 proposed rule

Every nephrology practice and dialysis organization must perform a Security Risk Analysis under 45 CFR § 164.308(a)(1)(ii)(A), and for this specialty it has to reach the remote-monitoring vendors, the EQRS workflow, and the physical floor — not just the EHR. The HIPAA Security Rule update proposed in the NPRM published in December 2024 (not yet final; a 240-day compliance window would begin once a final rule is published) would require asset inventories, network maps, encryption, and multi-factor authentication, which for a multi-site dialysis organization means mapping every machine, monitoring feed, and connected facility.

How Medcurity helps

Medcurity helps nephrology practices and dialysis organizations run and document a Security Risk Analysis that actually reflects how they operate — covering remote-monitoring vendors, the EQRS reporting workflow, and the physical-safeguard realities of an open treatment floor. The platform is $499/year (about $42/month), and multi-site dialysis groups can request a quote. Pair your risk analysis with our HIPAA compliance checklist to make sure nothing on the floor or in the data feed is missed.

Frequently Asked Questions

Does the open layout of a dialysis floor create HIPAA risk?

Yes. Visible machine screens, overheard treatment discussions, and shared workstations are incidental-disclosure and physical-safeguard concerns under 45 CFR § 164.310. Centers should position monitors and workstations out of the line of sight of neighboring chairs, and train staff on conversation discipline, so routine care does not expose one patient’s information to others nearby.

Is CMS EQRS reporting covered by HIPAA?

The data submission to EQRS (formerly CROWNWeb) is federally required, but the system access, credentials, and transmission remain within HIPAA’s scope. Facilities must secure how staff access EQRS and protect the patient data they extract and upload.

Do we need a business associate agreement with our dialysis machine vendor?

If the machine or monitoring platform transmits, stores, or processes patient treatment data on your behalf — common with home dialysis cyclers and remote monitoring — the vendor is a business associate and a BAA is required before that data flow begins.

How long do dialysis centers need to retain records?

Retention is set by state law and CMS conditions for coverage, often several years, and dialysis records tend to span years of continuous treatment. The practical HIPAA implication is that you must keep that large, long-lived store of PHI secured and access-controlled for its entire retention life.