Appropriate safeguards and security procedures for medical device manufacturers that fall under HIPAA require careful consideration. Not every company that sells used or refurbished healthcare equipment falls under these requirements. For example, a company that sells used medical carts with no devices or patient information systems attached has no HIPAA responsibilities.
The government treats HIPAA violations very seriously. Civil penalties run from $100 to $50,000 per violation, with an annual cap of $1.5 million for violations of the same provision (the statutory figures are adjusted periodically for inflation). Criminal violations carry fines of up to $250,000 and up to 10 years in prison.
The healthcare entity usually handles simple infractions itself.
HIPAA requires covered entities to apply sanctions to workforce members who violate their security policies but leaves the sanction schedule to the entity. A common three-level scheme is:
- Single violation: Warning letter in the employee's personnel file.
- Second infraction within three years: Letter of reprimand and one-week suspension.
- Third infraction: Dismissal and referral to regulators, who may impose fines or pursue criminal charges.
Types of Safeguards
The safeguards that vendors and hospitals must enact to remain HIPAA compliant fall into three categories: physical, technical, and administrative.
Clinics, other healthcare providers, and their business associates must physically protect the medical devices used to collect patient healthcare data and the locations where that data is stored.
For the devices, this means positive access control: card readers, locked rooms, sign-in and sign-out sheets, or whatever the site deems appropriate.
Data storage usually refers to electronic data. Computers and other data devices must protect the data they hold through several overlapping measures: password-protected (ideally multi-factor) access, firewalls, protection of cloud storage, defenses and tested backups against ransomware, and similar proactive controls and policies.
Data disposal must also take place securely. Clinics and others need policies covering equipment recycling and resale so that patient data is wiped from a machine's storage before it leaves their control.
HIPAA's technical safeguards fall into five standards: access control, audit controls, integrity, person or entity authentication, and transmission security.
For access, healthcare entities must limit patient confidential material to authorized individuals, and then only to the minimum the individual needs for the job. Authorized users may include nurses, doctors, billing staff, healthcare administrators, or others who require the information to manage patient care adequately.
Audit controls are the hardware, software, and procedural mechanisms that record and examine activity in systems holding patient health information: who accessed which record, when, and whether the attempt succeeded.
Healthcare providers and their business associates have the responsibility to transmit and receive patient healthcare information securely, which in practice means encrypting it in transit and guarding against modification on the way.
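The following is an added example (not code from the original page or from any vendor) showing how three of the technical safeguards above fit together in software: a role-based access check that releases only the fields a role needs, an audit log that records every access attempt whether allowed or denied, and an HMAC hash chain over that log so that altering a logged event is detectable. The roles, field names, the sample record, and the audit key are all assumptions made for the illustration; HIPAA leaves those choices to the entity.

```python
"""Toy model of HIPAA technical safeguards: access control, audit controls,
and integrity of the audit trail. Added example, not production code; every
role, field, record value, and key below is an assumption for illustration."""
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Optional

# Assumed role -> fields policy implementing "minimum necessary": each role
# sees only the fields it needs. HIPAA leaves this mapping to the entity.
ROLE_FIELDS = {
    "physician": {"name", "dob", "diagnosis", "medications"},
    "nurse": {"name", "dob", "medications"},
    "billing": {"name", "dob", "insurance_id"},
}

# Constructed sample record; every value is fictitious.
RECORD = {
    "patient_id": "P-0001",
    "name": "Jane Example",
    "dob": "1970-01-01",
    "diagnosis": "example diagnosis",
    "medications": ["example-med"],
    "insurance_id": "INS-12345",
}

# Assumed key for the audit log's HMAC chain. In a real deployment it would be
# held by a key manager or HSM and never appear in source.
AUDIT_KEY = b"example-audit-key-do-not-use"


class AuditLog:
    """Append-only log in which each entry's tag is an HMAC over the entry and
    the previous tag, so editing or reordering any entry breaks the chain."""

    GENESIS = "0" * 64  # previous tag for the first entry

    def __init__(self, key: bytes):
        self._key = key
        self.entries = []

    def _tag(self, prev_tag: str, event: dict) -> str:
        body = json.dumps(event, sort_keys=True)  # canonical serialization
        return hmac.new(self._key, (prev_tag + body).encode(), hashlib.sha256).hexdigest()

    def append(self, event: dict) -> dict:
        prev_tag = self.entries[-1]["tag"] if self.entries else self.GENESIS
        entry = {"event": event, "prev_tag": prev_tag, "tag": self._tag(prev_tag, event)}
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute the whole chain; False if any entry was edited, reordered
        or removed from the middle. (Truncating the tail is only detectable if
        the latest tag is also stored somewhere the attacker cannot reach.)"""
        prev_tag = self.GENESIS
        for entry in self.entries:
            if entry["prev_tag"] != prev_tag:
                return False
            if not hmac.compare_digest(self._tag(prev_tag, entry["event"]), entry["tag"]):
                return False
            prev_tag = entry["tag"]
        return True


def access_record(user: str, role: str, record: dict, log: AuditLog,
                  when: Optional[str] = None) -> Optional[dict]:
    """Return only the fields the role is authorized for, logging the attempt
    either way. Returns None (and logs a denial) for an unauthorized role."""
    when = when or datetime.now(timezone.utc).isoformat()
    event = {"time": when, "user": user, "role": role, "patient_id": record["patient_id"]}
    allowed = ROLE_FIELDS.get(role)
    if allowed is None:
        log.append({**event, "outcome": "denied"})
        return None
    view = {k: v for k, v in record.items() if k in allowed}
    log.append({**event, "outcome": "allowed", "fields": sorted(view)})
    return view


def demo():
    """One allowed access, one denied access, then an attempt to rewrite the
    denial in the log. Returns (nurse_view, vendor_view, intact, after_tamper)."""
    log = AuditLog(AUDIT_KEY)
    nurse_view = access_record("nurse01", "nurse", RECORD, log, when="2024-01-01T00:00:00+00:00")
    vendor_view = access_record("vendor07", "cart_vendor", RECORD, log, when="2024-01-01T00:01:00+00:00")
    intact = log.verify()
    log.entries[1]["event"]["outcome"] = "allowed"  # insider rewriting history
    return nurse_view, vendor_view, intact, log.verify()


if __name__ == "__main__":
    print(demo())
```

The denial of the hypothetical cart vendor is logged just like the nurse's access; an audit control that records only successes tells the investigator nothing about probing. Note the caveat in verify(): a hash chain catches edits and deletions in the middle but not the removal of the newest entries, so the current head tag should be copied periodically to a system the log's administrators cannot write to.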
Among the administrative safeguards HIPAA requires, five are central for entities covered under the rules:
1. Designation of a HIPAA Security Policies and Procedures Manager
This person is responsible for planning and implementing HIPAA security policies.
2. Workforce Clearance and Training
Someone on staff must approve all personnel working with patient healthcare information. This same person must also ensure that all appropriate personnel receive HIPAA compliance training and training in the hospital or other provider's own HIPAA policies.
3. Security Manager
This position differs from the security policies and procedures manager. The security manager identifies and analyzes risks to patient information and implements measures to address them.
4. Privacy Information Access Manager
This person ensures that anyone with access to patient healthcare information not only has a need to know but can access only the information necessary for his or her role in the patient healthcare process.
5. Evaluation Policy
Any entity under HIPAA must have a written evaluation program that states when, and by what procedures, it evaluates its security policies and procedures, both on a schedule and whenever operations or the environment change.
HIPAA outlines specific rules for assessing any suspected improper use or disclosure of patient healthcare information, and such a disclosure is presumed to be a reportable breach unless the assessment shows a low probability that the information was compromised.
The hospital or covered entity must assess the risk. This begins with determining the nature and extent of the patient information involved, including what types of identifiers it contained and whether it can be tied to a patient.
Next, the person or persons who received the information must be identified, along with whether they actually viewed or acquired the patient data and whether they received it in electronic or paper form.
Finally, the covered entity must determine how, and to what extent, the risk from the leak has been mitigated.