Qmed Staff

August 20, 2013

Data Theft a Growing Concern for Smart Medical Devices

As computational power continues to grow exponentially, medical devices are becoming capable of storing more and more patient data. While this can help improve diagnostic decision-making for physicians, it does come with a significant caveat. As more patient data is stored in digital forms, the risk of information theft is on the rise.

In a draft letter, FDA regulators detailed concerns with the loss of medical information through security loopholes.

For hospitals, the Health Insurance Portability and Accountability Act (HIPAA) places strict regulations on a patient's health data. The Health Information Technology for Economic and Clinical Health (HITECH) Act also places strict regulations on privacy. Since both HITECH and HIPAA are a huge concern for healthcare providers, medical device manufacturers must be attentive to the security of their systems.

In particular, manufacturers should answer three questions to determine if medical device data is subject to HITECH and HIPAA regulations.

Is the patient health information qualified as Protected Health Information?

Is a Covered Entity involved in any way with a patient's healthcare data?

Does the Covered Entity have a relationship with a Business Associate?

For patients, protected health information is data that is transmitted through any medium. When this data is transmitted electronically, it must follow both the Security Rule and the HIPAA Privacy Rule. To be individually identifiable, protected health information must identify a patient or contain information that can be used to identify a patient.

If patient data collected by a medical device cannot be identified on an individual basis, then the device does not fall under HIPAA and HITECH regulations.
