HIPAA and Device Design: What You Don't Know Can Hurt You
November 1, 2002
Originally Published MPMN November 2002
Manufacturers will soon have one more regulatory requirement to keep in mind as they develop new products. They will now have to consider how their devices can best help users to comply with the Privacy Rule under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which will go into effect on April 14, 2003. According to this rule, all individually identifiable health information must be protected against deliberate or inadvertent misuse or disclosure.
While device makers are not covered by the regulation, many of their customers are. And the penalties for noncompliant covered entities are steep. Civil monetary penalties can reach $25,000 per calendar year for violations of a single requirement; criminal penalties range from $50,000 and one year of imprisonment to $250,000 and 10 years of imprisonment.
Given those consequences, it stands to reason that users of medical equipment will want to do business with companies that design HIPAA-compliant devices. Many medical devices, especially those with electromechanical components, either create or process protected health information. Manufacturers that find ways to safeguard this information will have an edge in this competitive marketplace.
The task of making devices HIPAA friendly, however, may be easier said than done. There is no single method of compliance—under the Privacy Rule, each covered entity can devise its own plan. This makes it especially difficult for manufacturers to develop products that will be effective for many different types of users.
According to Rob Fricke, managing director of Advanced Mechanical and Electronic Systems at TIAX (Cambridge, MA), manufacturers may be tempted to choose one of two paths to satisfy customers. One approach is to create a Swiss Army knife type of device that has a specific feature for each type of compliance methodology. The downside, he says, is that manufacturers could price themselves out of the market and design overly complicated devices.
Another strategy, Fricke says, is to build a custom product for each customer. Cost is again an issue, because expanding product lines would slow down production.
The answer, says Fricke, lies somewhere in the middle. "If device manufacturers want to sell their products in a competitive marketplace, they have to think about creating feature sets that can address many different styles of compliance without getting too specialized."
According to Fricke, three major areas should be considered up front when designing a device: authentication and authorization requirements for gaining access to a system, encryption and protection of stored information, and physical protection of the device (for example, placing a hood around a computer monitor to shield information from prying eyes).
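To make the first two of those design areas concrete, the following is an added example written for this page; it is not code from the article, from TIAX, or from any device vendor. It assumes a hypothetical on-device record store in which operators present a pre-provisioned high-entropy access token (as a badge or smart card might), the store keeps only a hash of that token, every read or write of protected health information passes a role check, and records are held on storage only as AES-256-GCM ciphertext with the record ID bound as associated data. All names, roles, tokens and the sample record are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Role is a coarse authorization level for a device user (hypothetical).
type Role int

const (
	RoleTechnician Role = iota // may service the device, never sees PHI
	RoleClinician              // may read and write patient records
)

// user binds the SHA-256 of a high-entropy access token to a role, so a
// dump of the user table reveals no usable credential.
type user struct {
	tokenHash [32]byte
	role      Role
}

// Store is the hypothetical on-device record store: PHI exists at rest only
// as nonce||ciphertext, and every access is authenticated and authorized.
type Store struct {
	aead    cipher.AEAD
	users   map[string]user
	records map[string][]byte // record ID -> nonce || AES-GCM ciphertext
}

// NewStore wraps a 32-byte key (AES-256) in an AES-GCM AEAD.
func NewStore(key []byte) (*Store, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Store{aead: aead, users: map[string]user{}, records: map[string][]byte{}}, nil
}

// AddUser provisions a user; the raw token is handed out of band and only its hash is kept.
func (s *Store) AddUser(name string, token []byte, role Role) {
	s.users[name] = user{tokenHash: sha256.Sum256(token), role: role}
}

// authenticate hashes the presented token and compares it in constant time.
func (s *Store) authenticate(name string, token []byte) (Role, error) {
	u, ok := s.users[name]
	h := sha256.Sum256(token)
	if !ok || subtle.ConstantTimeCompare(h[:], u.tokenHash[:]) != 1 {
		return 0, errors.New("authentication failed")
	}
	return u.role, nil
}

// Put authenticates, requires the clinician role, then seals the record with a
// fresh random nonce. Binding the ID as associated data means a ciphertext
// copied under another ID will not decrypt.
func (s *Store) Put(name string, token []byte, id string, phi []byte) error {
	role, err := s.authenticate(name, token)
	if err != nil {
		return err
	}
	if role != RoleClinician {
		return errors.New("not authorized to write PHI")
	}
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	s.records[id] = s.aead.Seal(nonce, nonce, phi, []byte(id))
	return nil
}

// Get authenticates, authorizes and opens the record; any corruption of the
// stored bytes surfaces as an authentication-tag failure from Open.
func (s *Store) Get(name string, token []byte, id string) ([]byte, error) {
	role, err := s.authenticate(name, token)
	if err != nil {
		return nil, err
	}
	if role != RoleClinician {
		return nil, errors.New("not authorized to read PHI")
	}
	blob, ok := s.records[id]
	n := s.aead.NonceSize()
	if !ok || len(blob) < n {
		return nil, errors.New("no such record")
	}
	return s.aead.Open(nil, blob[:n], blob[n:], []byte(id))
}

// Tamper flips one stored ciphertext byte, standing in for a hostile edit of
// the device's storage; a later Get must fail rather than return altered PHI.
func (s *Store) Tamper(id string) {
	blob := s.records[id]
	blob[len(blob)-1] ^= 0x01
}

func main() {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	s, _ := NewStore(key)
	clin, tech := []byte("constructed-clinician-token"), []byte("constructed-technician-token")
	s.AddUser("dr.lee", clin, RoleClinician)
	s.AddUser("svc", tech, RoleTechnician)
	fmt.Println("write:", s.Put("dr.lee", clin, "MRN-0001", []byte("Jane Doe, 1962-04-17, atrial fibrillation")))
	_, err := s.Get("svc", tech, "MRN-0001")
	fmt.Println("technician read:", err)
	rec, err := s.Get("dr.lee", clin, "MRN-0001")
	fmt.Printf("clinician read: %q %v\n", rec, err)
	s.Tamper("MRN-0001")
	_, err = s.Get("dr.lee", clin, "MRN-0001")
	fmt.Println("read after tamper:", err)
}
```

The point of the example is that the three checks compose: a technician with a valid token is still refused PHI, a wrong token is refused before any record is touched, and a record whose stored bytes were altered is refused rather than displayed. On a real device the AES key would come from a protected key store rather than a process-local buffer, and per-user tokens would be revocable; neither changes the structure shown.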
Ideally these feature sets should be discussed at the earliest stages of planning. "Business decisions will have to be made," says Fricke, "preferably before designing the product." He adds that if the compliance features can be built into the design requirements, as opposed to implementing them in later stages of development, the cost will be minimal.
"These are the things to consider," Fricke says. "They are not insurmountable; you just have to approach them in the right way."
Copyright ©2002 Medical Product Manufacturing News