First a little history: It was back in 2009 when Robert Klepinski wrote his article “A Quick HIPAA Check for Medical Device Companies,” hospitals and doctors were familiar with HIPAA regulations. It was definitely a new and growing concern at that time, especially for those companies that were making medical devices and dealing with protected health information (PHI). Klepinski states” that organizations controlled by the HIPAA privacy regulation are called covered entities.”
Let’s fast forward to 2013 to an article written by Seth Mailhot regarding the FDA Law Update by Sheppard Mullin, an international law firm that handles corporate and technical matters. In addition to HIPAA, a new group is on the scene: Health Information Technology for Economic and Clinical Health (HITECH).
Cybersecurity concerns increase daily and the FDA has released guidelines to deal with growthing concerns. The report says “The agency does not regulate the sale or general consumer use of smartphones or tablets nor does it regulate mobile app distributors such as the ‘iTunes App store” or the “Google Play store.” For in-depth reading of this concern, please go to this link.
A medical device manufacturer needs to answer three questions in order to determine whether the collection of patient information by a medical device is subject to HIPAA and HITECH:
• Does the information qualify as Protected Health Information?
• Is a Covered Entity involved?
• Does a Business Associate relationship exist with a Covered Entity?
Some clarification here as determined by Sheppard Mullin.
- ‘A Covered Entity is a health plan, a health care clearinghouse, or a health care provider who transmits any health information in electronic form in connection with a covered transaction.’
- ‘A Business Associate is a person who either creates, receives, maintains, or transmits PHI for a regulated activity on behalf of a covered entity, or provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to a covered entity, where the service involves the disclosure of PHI.’
If the electronic data collected is individually identifiable, it falls under PHI. It must receive special handling by way of HIPAA as well as the Security Rule. This is the crux of the matter… is it individually identifiable? Some data is collected just for research purposes and databases. This data is just that, data and not individually identifiable. It is free and clear.
Cyber security will be an ongoing concern as newer technology is developed and as medical networks expand. The idea of a totally connected medical information system sounds quite useful and it most certainly can be, but it comes with some heavy duty concerns.
Yes, you no longer have to call the patient's hospital (three states away) to get the latest EKG done last month and have it faxed, but the wireless road of transmitting data is not a clear one. The FDA, HIPAA, HITECH and all other concerns must remain fully involved as changes keep coming. Here is a link that shows how the U.S. and also Australia are looking at these challenges as written by Jaime Novoa of Mobil World Capital (10/29/2013) in Barcelona. This is indeed a worldwide concern.