Medical device manufacturers need to understand patient privacy law and how to comply with it.
Jordan MacAvoy, Reciprocity Labs
Concern for protecting and safely handling private health information continues to grow, especially with the reliance on electronic transmission. Federal regulations such as the Health Insurance Portability and Accountability Act (HIPAA) provide guidelines to help ensure that healthcare providers, institutions and their business partners protect patient records.
While it’s clear what health entities should do to ensure private health data safety, the role of medical devices in this effort is less well understood.
Understanding protected health information (PHI)
Numerous medical devices can collect and transmit data. For example, m-health devices monitor vital signs, transmit patient records to doctors and allow remote examinations on mobile phones, tablets, and other portable medical devices. These devices often carry personal records such as patient names, phone numbers, addresses, insurance information, Social Security numbers and health information. HIPAA’s privacy rule requires the protection of this protected health information (PHI) and applies to covered entities, hybrid entities and business associates.
HIPAA also has a security rule to ensure the confidentiality, integrity and availability of health information. And it creates standards for administrative, technical and physical safeguards for private patient information. These standards include:
- Confidentiality — A patient’s private health information must not be disclosed to a third party unless the patient authorizes it.
- Integrity — The data should be valid, and the users of the information should trust its reliability.
- Availability — The data should be available for use, especially in life-or-death situations.
HIPAA defines healthcare providers, medical clearinghouses and health plans as covered entities. These are individuals and organizations that transmit health information electronically. The transmission may be for claims, payments, treatments and operations.
HIPAA defines hybrid entities as organizations that perform covered and non-covered functions. For example, a university may have a medical center that transmits patient information electronically and runs other operations.
According to HIPAA, business associates are organizations that run operations on behalf of a covered entity. If your business includes the disclosure of private patient information, you’re a business associate. This includes processing claims, consulting, accounting, legal matters, financial services and data management, among others.
How does HIPAA affect manufacturers?
For device manufacturers, compliance begins with understanding user needs. If you’re creating devices for use by covered entities, the device design must support information protection. HIPAA requires that health organizations and providers create policies to protect private information and achieve compliance. Your device must support that effort by incorporating features that protect patient data and help the covered entity meet HIPAA requirements.
Ensuring medical device HIPAA compliance
There is no defined requirement for medical devices under HIPAA. Manufacturers need to study the compliance environment and create devices that help covered entities achieve compliance. Here are some guidelines:
- Read the HIPAA rules and understand what counts as PHI and how you can protect it. Consider discussions with covered entities to address their concerns about HIPAA compliance.
- Include security features that control access to information according to the covered entity’s rules, for example password-protected system access, tracking users through personal IDs, and encrypting internal and external transmissions.
- Consider providing transmission options that conceal patient names while providing relevant information such as patient health history and room numbers to ensure privacy and availability.
- Consider incorporating advanced privacy measures such as biometric authentication through fingerprints for critical data.
- Sign a business associate agreement with the covered entity you’re in contract with. This agreement should demonstrate that you understand how to follow the privacy and security rules. The documents should also show how you plan to protect, use and disclose PHI in your hands.
- Create a stable workflow that ensures all data is captured and secured correctly. This ensures the reliability of data and keeps the information secure from the source to the storage.
- Understand which operating systems and software are in use and check for upgrades and compatibility issues that may affect PHI safety. Frequent security patches may be necessary.
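The access-control and transmission guidelines above (per-user IDs, concealing patient names while still sending room numbers and health history, protecting what goes over the wire) as a worked example. This is added here and is not code from the article, from Reciprocity or from any device vendor. It strips the direct identifiers the article lists, replaces the patient ID with a keyed token that only the holder of the linking key (the covered entity) can recompute, adds an HMAC integrity tag to the outgoing record, and enforces role-based field access with an audit entry per user ID. The sample reading, keys, role names and field names are constructed assumptions; confidentiality on the wire is assumed to come from the transport (e.g., TLS) and is not implemented here.

```python
"""Constructed example: de-identified, integrity-protected device record with
role-based access and an audit trail. Not from the article; all data is made up."""
import hashlib
import hmac
import json

# Direct identifiers the article names as commonly carried by devices.
DIRECT_IDENTIFIERS = ("name", "phone", "address", "insurance_id", "ssn")

# Constructed sample reading as a bedside monitor might produce it (hypothetical).
SAMPLE_READING = {
    "patient_id": "MRN-0001",          # hypothetical local identifier
    "name": "Jane Example",
    "phone": "555-0100",
    "address": "1 Example St",
    "insurance_id": "INS-42",
    "ssn": "000-00-0000",
    "room": "4B",
    "history": ["asthma"],
    "vitals": {"hr": 72, "spo2": 98},
}

# Assumed roles: what each may read from a transmitted record.
ROLE_PERMISSIONS = {
    "nurse": {"vitals", "room"},
    "physician": {"vitals", "room", "history"},
}


def pseudonymize(reading, link_key):
    """Drop direct identifiers and replace patient_id with a keyed token.

    The token is HMAC-SHA256 over the local ID, so the covered entity holding
    link_key can re-link the record, while a receiver without the key cannot
    recover the patient from the token alone."""
    out = {k: v for k, v in reading.items()
           if k not in DIRECT_IDENTIFIERS and k != "patient_id"}
    out["patient_token"] = hmac.new(
        link_key, reading["patient_id"].encode(), hashlib.sha256).hexdigest()
    return out


def seal(payload, auth_key):
    """Canonical JSON body plus an HMAC-SHA256 tag so the receiver can detect
    tampering in transit. Integrity only: encryption is left to the transport."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(auth_key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def open_sealed(message, auth_key):
    """Verify the tag in constant time and return the decoded payload."""
    expected = hmac.new(auth_key, message["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, message["tag"]):
        raise ValueError("integrity check failed: record was altered in transit")
    return json.loads(message["body"])


def read_fields(payload, user_id, role, fields, audit):
    """Return only the requested fields the role may see; every attempt,
    granted or denied, is recorded against the individual user ID."""
    allowed = ROLE_PERMISSIONS.get(role, set())
    denied = [f for f in fields if f not in allowed]
    audit.append({"user": user_id, "role": role,
                  "fields": list(fields), "granted": not denied})
    if denied:
        raise PermissionError(f"{user_id} ({role}) may not read {denied}")
    return {f: payload[f] for f in fields}


if __name__ == "__main__":
    link_key, auth_key = b"constructed-link-key", b"constructed-auth-key"
    record = pseudonymize(SAMPLE_READING, link_key)
    message = seal(record, auth_key)
    received = open_sealed(message, auth_key)
    audit = []
    print(read_fields(received, "nurse-17", "nurse", ["vitals", "room"], audit))
    try:
        read_fields(received, "nurse-17", "nurse", ["history"], audit)
    except PermissionError as exc:
        print("denied:", exc)
    print(audit)
```

The `audit` list stands in for whatever durable log the covered entity requires; the point is that each entry carries the individual user ID and whether access was granted, which is what lets the entity answer who saw what.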
Protecting yourself from HIPAA violations
As a device manufacturer, your company stands to lose should you remain noncompliant. PHI exposure often comes with investigations, loss of business, lawsuits and compensation to affected clients. Understanding HIPAA compliance, incorporating control features and securing your information pipeline are vital to your business.
Jordan MacAvoy is VP of marketing at Reciprocity. He previously served in executive roles at Fundbox and Intuit, via its acquisition of the SaaS marketing and communications solution Demandforce.
The opinions expressed in this blog post are the author’s only and do not necessarily reflect those of Medical Design and Outsourcing or its employees.