Medical device manufacturers often overlook the possibility that their devices may be subject to compliance with the Health Insurance Portability and Accountability Act (HIPAA), particularly its privacy and security rules pertaining to protected health information. Information is considered protected health information if it meets two requirements: it is individually identifiable, meaning that it contains identifiers such as a name or date of birth that may identify the individual to whom it pertains, and it consists of data regarding that individual's health.
It may seem that most information generated or transmitted by a medical device falls into the category of protected health information, so why the confusion around the need for compliance? It may have to do with the type of entities that are subject to compliance with HIPAA. HIPAA specifically pertains to two types of entities: covered entities, which are healthcare providers, clearinghouses, or insurers; and business associates, which are any third party that receives, transmits, maintains, or creates protected health information on behalf of a covered entity. In order to decide whether HIPAA applies to them, medical device companies need to take a good look at their operations and apply these distinctions.
Who Should be in Compliance?
It depends. Some medical device companies will fall into the category of a business associate; some will not. Some companies will even fall into this category in one area of their operations and not in others.
There are definite instances in which medical device companies will find themselves defined as a business associate. One example of this is when the medical device itself generates protected health information and the device company has contracted with a covered entity, such as a doctor’s office or hospital, so that the device will transmit electronic protected health information directly to the provider. In this case, compliance with HIPAA requirements is mandated.
Another example of when a medical device company would be considered a business associate is when a covered entity shares protected health information with the medical device company. This may be done so that the device company can analyze the usefulness of a certain medical device for a particular patient based on the patient's history and condition. If the conditions for classification as a business associate have been met, the two entities are required to execute a business associate agreement. In a business associate agreement the two parties agree to safeguard protected health information in a manner that is HIPAA compliant. Usually, the business associate agreement is initiated by the covered entity as a portion of its vendor contract. Per HIPAA regulations, the agreement outlines the manner in which the business associate will comply with all HIPAA laws, secure and protect all protected health information entrusted to it by the covered entity, and report any HIPAA breaches, as appropriate. Often, the covered entity will require the business associate to provide proof of compliance with HIPAA (such as policies and procedures, training records, etc.) before entering into the business associate agreement with the company.
On the other hand, there are definite instances in which a medical device company is not considered a business associate or required to be HIPAA compliant (outside of FDA regulations). Most of these instances occur when the device company strictly sells and/or maintains medical devices: the medical devices do not create, maintain, transmit, or receive protected health information or electronic protected health information on behalf of any covered entity, and the device receives no patient information from a covered entity prior to sale. Other instances include cases in which medical devices are primarily used by the general public. This includes wearable devices, like Fitbits and Fuelbands, as well as other health monitoring devices such as the Beddit sleep monitor.
What Does it Mean to be a Business Associate?
One common misconception is that there are no significant HIPAA requirements for business associates. While that may have been partially true prior to the Omnibus Final Rule of 2013, things have definitely changed. Business associates are required to comply with many aspects of the HIPAA privacy and security rules and should be sure to research and familiarize themselves with all requirements. Most importantly, business associates are directly liable for any breaches of protected health information (PHI) that happen within their entities.
What Should Medical Device Companies be Doing for Compliance?
The most important thing a company can understand about HIPAA is that compliance is not a static point in time or a one-off process. At no point will any company be given a HIPAA stamp of approval assuring that it is compliant with all HIPAA rules and regulations from that moment forward. Compliance with HIPAA is an ongoing effort coordinating a company's people, processes, and technologies.
The first thing a company should do is get educated. It is now 2015 and the HIPAA Omnibus Final Rule has been in place for almost two years. There are plenty of resources available to aid in the understanding of HIPAA’s many requirements. It would be advisable to understand HIPAA’s regulations even if you are not sure they apply. It is always better to be over-prepared than caught off guard if the need for compliance ever arises.
Next, medical device companies should be proactive. HIPAA is not particularly prescriptive technically, and building compliance with its requirements into the device during development is likely to be easier than trying to retrofit HIPAA compliance as an afterthought.
Last, companies should always be aware of the current technical climate. It seems that every month there is a new piece of malware, data breach, or cybersecurity threat making headlines. Medical device companies should stay up to date on the most recent risks and potential threats to the security of the data they maintain. A great place for a company to start would be with information released by FDA. In October of 2014, FDA released voluntary guidance on security for medical device manufacturers and for those in the industry with networked medical devices. These are great resources for a medical device company to utilize when considering the security of its medical devices.
Natalie LeFlore is senior consultant at Compliagent, where she guides clients in all aspects of regulatory compliance with an emphasis in HIPAA/HITECH and associated privacy and security compliance rules.