Originally Published MDDI July 2003
The April compliance dates for the Privacy Rule have come and gone. Is your company meeting its HIPAA responsibilities?
Gerald R. Larocque, PhD, and Robert Fricke, PhD
In 1996 President Clinton signed a legislative bill titled the Health Insurance Portability and Accountability Act (HIPAA). The law was meant to provide portability of insurance between employers, standard transaction codes to improve accountability, and safeguarding of individually identifiable health information for patient privacy.
The third provision will have significant implications for medical device design. Last April, one element involving personal medical information—the Privacy Rule—went into effect. The provision was seen as necessary because of the high reliance on electronic information that supports the portability and accountability portions of the legislation.
To remain competitive, device manufacturers need to understand how these mandates will affect their customers. Medical products that facilitate compliance policies and procedures will have an edge over those that don't. In many cases, HIPAA-compliance features are likely to set a new threshold for market success.
How HIPAA Affects Device Design
Of the three HIPAA provisions—portability, accountability, and privacy—the privacy rules have the greatest impact on medical device design. If a medical device creates or handles health information, patient privacy must be addressed in its design requirements. Our aim in this article is to provide a basis for adjusting design requirements in response to HIPAA.
Definition of Protected Health Information. HIPAA defines protected health information as any health information for an identifiable person that is transmitted or maintained in any form or medium. It includes both paper and electronic records. Examples include ECG traces, images from cardiac catheters, and histories of patient drug therapy. Once created, identifying information must be safeguarded against inappropriate disclosure until it is either destroyed or purged of the identifying elements.
Covered Entity or Business Associate? HIPAA defines a covered entity as an organization responsible for handling protected health information. Examples include healthcare providers, health plans, and healthcare clearinghouses. Because they are the primary customers for device makers, providers (e.g., hospitals, clinics, medical offices) are the focus of this article.
Healthcare providers are now obliged to protect health information, but how they do so is up to them. Thus, a variety of approaches to HIPAA compliance is likely. In turn, the device companies that serve these providers will need to meet a range of related requirements.
HIPAA affects device manufacturers in two ways:
- The device manufacturer must safeguard any patient data that comes into its possession.
- To satisfy its customers, a manufacturer must provide sufficient features in its products to facilitate HIPAA compliance.
A device manufacturer may itself be a covered entity. This is the case if it sells products directly to patients and is reimbursed federally or privately. In other cases, it may be a so-called business associate as a result of contractual relationships with its customers. In either case, the Privacy Rule affects competitive device design in similar ways. If the manufacturer is in custody of protected health information, it must safeguard that information.
Protection of Information. HIPAA requires that patient health information be protected and made available for healthcare use. The healthcare provider must guarantee confidentiality, integrity, and availability.
Confidentiality is the guarantee that a patient's data will not be inappropriately disclosed to a third party. Disclosure is only allowed if the patient authorizes it. This authorization is transferred to the business associates of the provider in a predetermined way. In cases where identifying information is removed from health data, HIPAA privacy rules no longer apply. This may occur, for example, when clinical studies aggregate information for statistical analysis. But removing all identifying information can be difficult to accomplish, given how broadly it is interpreted under the legislation. It includes zip code, service date, and birth date in addition to such specific identifiers as name and social security number.
Data integrity means that information is valid, and the user of the information can be confident in its reliability. Take, for instance, a reported heart rate of 60. Users must be confident that it is not actually 160, and that the first digit has not been dropped by the reporting system. Integrity can be verified through such software tools as checksums, parity bits, and cyclic redundancy checks (CRCs), and tools for preserving integrity are available as well.
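As an added illustration (not from the article or any vendor mentioned in it), the following Python seals a constructed monitor record two ways: with a CRC-16, which catches the kind of garbled digit the authors describe, and with a keyed HMAC, which additionally detects deliberate modification that a CRC cannot. The record fields, patient identifier and key are constructed placeholders.

```python
import hashlib
import hmac

# Constructed sample monitor record (placeholder patient id, not real data):
# a bedside reading of heart rate 160.
RECORD = b"PT=PLACEHOLDER-ID;HR=160"
# Constructed demo key; a real device would use a per-device provisioned key.
KEY = b"constructed-demo-key"


def crc16_ccitt(data: bytes) -> int:
    """CRC-16/CCITT-FALSE (poly 0x1021, init 0xFFFF).

    Detects accidental corruption: any single garbled byte is always caught.
    """
    crc = 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def seal_crc(record: bytes) -> bytes:
    """Append a CRC field so the receiver can check the record arrived intact."""
    return record + b";CRC=%04X" % crc16_ccitt(record)


def verify_crc(sealed: bytes) -> bool:
    body, sep, tag = sealed.rpartition(b";CRC=")
    if not sep or len(tag) != 4:
        return False
    try:
        return crc16_ccitt(body) == int(tag, 16)
    except ValueError:
        return False


def seal_mac(record: bytes, key: bytes = KEY) -> bytes:
    """Append an HMAC-SHA256 tag: unlike a CRC, it also catches deliberate edits."""
    tag = hmac.new(key, record, hashlib.sha256).hexdigest().encode()
    return record + b";MAC=" + tag


def verify_mac(sealed: bytes, key: bytes = KEY) -> bool:
    body, sep, tag = sealed.rpartition(b";MAC=")
    if not sep:
        return False
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return hmac.compare_digest(expected, tag)  # constant-time comparison
```

A reading of 160 that arrives as 060 fails the CRC check; a record whose digit was removed, or that was edited in transit, fails the HMAC check even when a CRC could be recomputed to match.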
Data availability is important in medical situations where life-and-death decisions are based on the most-current data. In some cases, the term simply means that networks are operational; in other cases, that data from the devices are archived periodically in case of device damage, failure, or loss (especially of portable devices). Availability also implies the need for emergency access to files that are password-protected—a situation that raises additional design and implementation issues.
Medical Device Design for HIPAA Compliance
A critical point under HIPAA is that it's not the device that must comply—it's the organization. Compliance is geared toward the operating environment of the device users, not the physical attributes of equipment or systems. This distinction should guide the way designers think about devices.
But what are the guidelines for device manufacturers? To explore this question, we interviewed representatives of Philips Medical (Andover, MA), a major medical equipment manufacturer; MediSpectra (Lexington, MA), a smaller product development firm; Genzyme (Cambridge, MA), a well-known biotechnology company; and Brigham and Women's Hospital (Boston).
Despite the different perspectives of these individuals, a number of common themes emerged:
- Since HIPAA provides no specific guidelines on how to protect patient information, each institution will need to set its own policies.
- The principal challenge to device designers will be to facilitate alternative approaches to compliance.
- Covered entities may need technical advice from device makers to avoid unwanted side effects from seemingly conservative policies. (Such advice, for example, could help prevent the inadvertent disabling of important device features while implementing privacy measures.)
- The introduction of new, compliance-facilitating products may be complicated by the long life of many medical devices and the economic issues related to their replacement.
- The long-term protection of patient information may lead to significant complications in performing necessary qualification testing of new devices.
Considerations Regarding Instrumentation. Elisabeth George is vice president of quality and regulatory at Philips Medical. She cited several challenging issues with a number of Philips products based on personal computers (PCs). She has seen significant demand from hospitals to develop systems that are "HIPAA compliant." Since there is no established standard of compliance other than the requirement that patient data must remain confidential, Philips Medical has trained its personnel on the definition of protected health information and how to handle it. Philips also provides products that support a range of relatively standard security options. George noted that hospitals typically do not want manufacturers to impose approaches by design. Instead, they want the flexibility to use devices consistent with internal policies.
The device options Philips provides include password-based access control, records of activity, and automatic transfer (with user-selected timeouts) to "screen-saver" modes, with password-controlled return to operation. Philips also offers a variety of display formats. For example, displays that present information to nursing stations can show conventional presentations with room number, patient name, and status information; bed number with identity otherwise concealed; or no directly identifying information at all.
With these options, Philips' equipment can easily support the preferences of HIPAA compliance staff at covered entities. In some products, Philips also provides more-advanced authentication options, including such biometric approaches as thumbprint-based access control.
There is a basic trade-off between the need for confidentiality and the need for quick, emergency access in critical situations, George said. For example, defibrillators and bedside patient monitors routinely record patient identity, which causes the record to fall within the scope of HIPAA protection. Nonetheless, safety concerns require that medical personnel have rapid access to this equipment—and no one wants to risk access denial due to a lost or forgotten password.
Considerations for Communicating Protected Information. Under HIPAA, interesting issues arise regarding data transfer over communications networks, and remote access to devices. Many Philips products offer remote access to expedite device servicing. This process can permit service personnel to see the information. In some instances, Philips' customers have eliminated the remote-service option. Although this addresses one aspect of confidentiality, trade-offs are inevitable. For example, in many instances, a service engineer can at least partially troubleshoot and sometimes even repair a device using remote access. If this access is denied, the engineer must travel to the site. This increases instrument downtime due both to travel time and related delays.
For electronic communication, common electronic security technologies will likely play a significant role. For example, George believes that external communications (e.g., dial-in access and wireless communications) should probably be encrypted. Treatment of internal networks within institutions is less clear. It is, however, policy at Philips Medical to encrypt internal transmissions of private information.
In one case, a Philips implementation conflicted with hospital security standards. Philips recognized the well-known security weaknesses of Wired Equivalent Privacy (WEP), the wireless network standard intended to secure communications. Accordingly, it had implemented a security approach on top of WEP. This solution was based on specific operating-system software that was delivered as part of the product. A problem arose in the case of a specific hospital that required all Microsoft security-related patches to be installed within 30 days of release. In this case, one of the patches effectively disabled the security enhancement provided by Philips and, hence, actually weakened the communications security.
Considerations Regarding Clinical Trials. The medical device community has raised a number of interesting issues regarding the handling of protected patient information during clinical trials. Pamela Weagraff is vice president, regulatory, clinical, and quality at MediSpectra. She referred to a number of complications that arise while conducting trials, particularly long-term ones, in the context of HIPAA. The complication appears largely to arise from differing interpretations of requirements and differing approaches to implementation.
A number of issues arose during trials of MediSpectra's tissue-spectroscopy product designed to assist in early detection of cervical cancer. As a relatively small company, MediSpectra faces challenges in accommodating differences among jurisdictions. For example, Texas and California have recently enacted legislation that defines manufacturers as covered entities in those states. The required content of various clinical study documents to meet HIPAA policy interpretations may be different in these states than in others. As a result, complications arise when data are pooled for a study performed over time and at multiple institutions.
Discussions with Genzyme also highlighted issues with clinical trials. Robert Yocher is vice president, regulatory affairs, at Genzyme. He noted that the original requirements for informed consent included eight parts. HIPAA has added another 10.
Selecting individuals for trials requires access to protected health information and, thus, the informed consent of the patients. The effects of this, said Yocher, are particularly acute at smaller institutions, which may be just starting to realize the implications of HIPAA. In contrast, Yocher noted, large institutions recognized the need for compliance with the HIPAA requirements as long as 18 months ago.
Yocher noted that issues of informed consent must be addressed at the start of a clinical trial. At the same time, "devices are primarily evolutionary—not revolutionary." Consequently, he said, the informed consent must state how long and for what purpose the patient information will be used. The problem is that continuing evolution of devices requires continual use of data. This encourages device companies to retain data at the end of a trial. Yocher believes that internal review boards are likely to object to protocols that call for "keeping data forever"; there is a need to educate such boards regarding the law and its intent.
Manufacturers must be alert to these issues and should examine methods to summarize, retain, and work with data without subjecting them to HIPAA restrictions. A notable exception is the case of adverse event reporting, which exempts hospitals from the HIPAA privacy requirements. Hospitals, according to Yocher, still need to better understand this exemption to facilitate device manufacturers' obtaining access to information needed to satisfy FDA requirements. He also notes that HIPAA does not regulate "incidental disclosure" of data in the course of normal operations.
A Hospital Perspective. Monte Brown, MD, is vice chairman, Department of Medicine at Brigham and Women's Hospital, and assistant professor, Harvard Medical School. He is familiar with customer self-service and e-billing considerations. Brown is concerned about general information technology issues, particularly regarding equipment purchases. In his opinion, equipment and infrastructure upgrades present significant issues. For example, operating-system upgrades pose compatibility problems with existing software, and raise questions of how best to secure legacy systems and software. For instance, how secure must systems be? Is it sufficient to just lock the door? Must this system also work on another system? This situation underscores how compliance plans reflect back to the manufacturer. Brigham tends to rely on such access controls as secure sign-ons and audit trails to track access since, in Brown's opinion, merely "locking the door" to a system isn't enough.
These approaches require the supplier to support the features. As part of a network of hospitals, Brigham's systems must be able to operate at multiple medical centers, so the hospital personnel value portable solutions. Particularly with respect to major purchases (for which his purchase cycle is on the order of 18 months), Brown says he is going to look for compliance.
Brown noted that his institution has not yet defined its security policies in terms of wireless access. The hospital has responded to HIPAA concerns by, for example, banning the use of wireless personal digital assistants (PDAs) by physicians where confidential information is involved. PDAs also present a number of compatibility concerns. Some of the common packages used by physicians work only on pocket PCs, and fewer work with older operating systems.
Brown believes hospital organization is the key to achieving HIPAA compliance. His institution is just beginning to identify equipment that needs to be reviewed. Central to that process is identifying a responsible officer and an organizational strategy.
Appropriate training is also essential. Together, these steps provide an infrastructure to deal with such problems as privileges earned once access to a system is obtained: What range of access is granted? What identifying information of the user is tracked and retained?
HIPAA legislation has serious implications for device design. Depending on the device, the impact will range from negligible (for a purely mechanical system) to substantial (for complex electromechanical, information-rich systems). But while HIPAA requirements may seem intricate, they can be regarded as adding a new variable to the medical device design space. To be effective, this addition must be factored in from the start.
Copyright ©2003 Medical Device & Diagnostic Industry