This guidance specifically addresses medical devices that have been legally approved by the FDA, which maintain, process, or transmit medical data. It states: “manufacturers may share patient-specific information about a patient with that patient at that patient’s request.”
Patient-specific information is defined by the FDA as any information that is unique to a patient, their treatment, or their diagnosis that a medical device has “recorded, stored, processed, retrieved, and/or derived” during the use of that device.
As per the guidance, manufacturers may share patient-specific information with patients, with the caveat that:
“This guidance does not affect any federal, state or local laws or regulations, such as the Health Insurance Portability and Accountability Act (HIPAA) (42 U.S.C. § 300gg; 29 U.S.C. 1811 et seq.; 42 U.S.C. § 1320d et seq.) and the associated HIPAA Privacy Rule (45 CFR Part 160 and Subparts A and E of Part 164), which may otherwise be applicable to the provision of patient-specific information.”
This means that, though the FDA guidance on sharing data suggests that manufacturers and providers may share data with their patients, this sharing should not interfere with pre-established HIPAA standards.
So the next question becomes, what are the HIPAA standards that medical device HIPAA compliance should take into account when sharing patient data?
HIPAA Compliant Patient Disclosures
Regardless of whether providers are disclosing patient information gathered by a medical device or otherwise, HIPAA regulation sets specific standards for how and when records may be disclosed to patients. Generally, these standards fall under the HIPAA Privacy Rule, which outlines standards for patient authorizations for disclosures of their protected health information (PHI), in addition to patients’ rights to access, and situations in which providers may deny patients access.
PHI is defined as any demographic information that can be used to identify a patient. Electronic protected health information (ePHI) is any information stored in an electronic format, which includes patient-specific information that is collected, maintained, or transmitted by medical devices.
Patients are allowed access to their PHI under HIPAA regulation. Providers are generally required by HIPAA regulation to grant patients access to their PHI upon request. That means that patients have the right to inspect and/or obtain a copy of their PHI. Regulation also allows patients to request that their PHI be transmitted to a “designated individual or entity of the individual’s choice.” Patients have the right to access any PHI that a provider maintains for as long as they maintain it, regardless of the format in which it is stored.
There are several exceptions to rules regarding patient access to their PHI. Any information that is not used to make decisions about individual patients does not need to be remitted. That includes “certain quality assessment or improvement records, patient safety activity records, or business planning, development, and management records that are used for business decisions more generally rather than to make decisions about individuals.”
Additionally, providers never need to provide patients access to psychotherapy notes or any information being used in a “civil, criminal, or administrative action or proceeding.”
Though there are various other standards that apply to patient access to PHI, these are the basics that should be kept in mind when considering medical device HIPAA compliance and granting patients access to ePHI collected, maintained, or transmitted by medical devices.
Medical Device Compliance
In order to protect the information that is being handled by medical devices, an effective HIPAA compliance program should be in place within all health care organizations. An effective HIPAA compliance program should necessarily include an asset and medical device policy. This policy should apply to all medical devices within an organization that handle or access PHI in any way. The policy should state that:
- Logs must be kept to track by whom, when, and for what purpose a medical device was accessed.
- The location of the device within the physical premises of an office must be tracked.
- If the location of a device moves, that must be tracked.
- User access controls must be in place to determine which employees will have access to each device.
- User access should be limited based on an employee’s role within the organization.
- Facility access controls, such as locking doors and other physical security measures must be implemented and documented in order to protect medical devices.
The most important thing to remember about medical device HIPAA compliance is that it’s only one part of your organization’s compliance. Creating an effective HIPAA compliance program should allow you to address all elements of the law, allowing you to minimize your risk of a violation and protect yourself against breaches and fines