Under the Health Insurance Portability and Accountability Act (HIPAA), hospitals must ensure that patient information is protected. Manufacturers of medical devices that collect or distribute patient medical information must also conform to HIPAA rules. When a healthcare worker uses a medical cart on wheels to bring a medical device to a patient’s bedside, the information collected by that device requires protection under HIPAA.
HIPAA compliance regulations are complex and often very difficult to understand, even more so as they relate to medical devices and patient privacy. Other U.S. Government agencies may provide guidance, depending on the extent of the agency’s involvement in healthcare issues.
This complicated law affects many businesses and organizations.
Congress passed HIPAA in 1996. The stated intent of the law requires healthcare providers and other related healthcare entities to ensure the confidentiality and security of what is known as protected health information (PHI). This includes digital, paper, oral, or any other type of records.
Doctors, nurses, and anyone else may share with others only the minimum amount of patient-specific information necessary.
The Food and Drug Administration approves all medical devices. To help keep medical device manufacturers in compliance with HIPAA, the agency has issued specific guidance to help medical device manufacturers meet the HIPAA standards.
The FDA says that “…manufacturers may share patient-specific information about a patient with that patient at that patient’s request.”
To further complicate matters, the government guidance adds that sharing the data is prohibited if providing it to the patient conflicts with any federal, state, or local laws.
HIPAA Privacy Rule
Hospitals, clinics, and other affected entities must put in place adequate safeguards to protect a patient’s privacy.
A subset of this rule addresses three specific patient rights: the right to authorize the disclosure of the person’s health records, the right to request and review a copy of those records, and the right to request a correction.
Parties that Must Comply with the Privacy Rule
The various parties that must comply with the privacy rule change constantly as technology and patient care methods evolve.
Data centers and cloud service providers have a responsibility to comply with HIPAA privacy rules. Clearing houses, health plan companies, contractors, and vendors must also comply.
Exceptions to Patient Access
There are limits on what information in a patient’s healthcare records an affected entity must provide to the patient.
Healthcare companies can exclude any information in the file that does not pertain to decisions about the patient’s health, for example patient safety measures or management information. Providers need not disclose information related to a court proceeding of any type.
These exceptions also pertain to information gathered by medical devices.
Keeping Medical Device Use in Compliance
Hospitals must enact policies to track the use of medical devices, their locations, and the ultimate destination of any patient information obtained by a machine.
For example, physical or electronic logs should record who accessed a medical device, when, and why. The policy should always include keeping track of the device’s location.
Limiting access to the devices, and to any location where patient information from the device is kept, to need-to-know personnel is also essential.
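The tracking and need-to-know controls described above can be implemented as a small audit log that refuses access outside a role’s remit, requires a stated purpose for every access, and keeps the last known location of each device. The code below is an added illustration written for this article, not part of the original text or of any vendor’s product; the role-to-device mapping, device IDs, and events are all constructed for the example.

```python
"""Added example: a device-access audit log with need-to-know checks.

The roles, device types and events here are hypothetical and constructed
for illustration; a real deployment would load them from its own policy.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Hypothetical need-to-know policy: which device types each role may operate.
NEED_TO_KNOW: Dict[str, set] = {
    "nurse": {"vitals-monitor", "infusion-pump"},
    "radiology-tech": {"portable-xray"},
    "biomed-engineer": {"vitals-monitor", "infusion-pump", "portable-xray"},
}


@dataclass(frozen=True)
class AccessEvent:
    """One immutable log entry: who, when, why, which device, and where."""
    who: str
    role: str
    device_id: str
    device_type: str
    location: str
    purpose: str
    when: datetime
    allowed: bool


class DeviceAuditLog:
    def __init__(self) -> None:
        self._events: List[AccessEvent] = []
        self._location: Dict[str, str] = {}  # device_id -> last known location

    def record_access(self, who: str, role: str, device_id: str,
                      device_type: str, location: str, purpose: str,
                      when: Optional[datetime] = None) -> bool:
        """Log an access attempt and return whether policy allows it.

        Denied attempts are logged too: a missing log entry would hide
        exactly the events an auditor most wants to see.
        """
        when = when or datetime.now(timezone.utc)
        allowed = device_type in NEED_TO_KNOW.get(role, set())
        if not purpose.strip():
            allowed = False  # every access must state a reason
        self._events.append(AccessEvent(who, role, device_id, device_type,
                                        location, purpose, when, allowed))
        if allowed:
            # Only a permitted access moves the device's recorded location.
            self._location[device_id] = location
        return allowed

    def current_location(self, device_id: str) -> Optional[str]:
        """Last known location of a device, or None if never accessed."""
        return self._location.get(device_id)

    def history(self, device_id: str) -> List[AccessEvent]:
        """All attempts (allowed and denied) against one device."""
        return [e for e in self._events if e.device_id == device_id]

    def denied_attempts(self) -> List[AccessEvent]:
        """Attempts policy refused; these are the records to review first."""
        return [e for e in self._events if not e.allowed]


if __name__ == "__main__":
    # Constructed sample events for a stand-alone run.
    log = DeviceAuditLog()
    t = datetime(2024, 1, 1, 8, 0, tzinfo=timezone.utc)
    log.record_access("n.jones", "nurse", "VM-0001", "vitals-monitor",
                      "Ward 3 bed 2", "morning vitals", t)
    log.record_access("n.jones", "nurse", "PX-0002", "portable-xray",
                      "Ward 3 bed 2", "chest film", t)
    for e in log.denied_attempts():
        print(f"DENIED {e.who} ({e.role}) on {e.device_id}: {e.purpose!r}")
    print("VM-0001 is at", log.current_location("VM-0001"))
```

Because denied attempts are retained alongside permitted ones, the log answers both of the policy questions the article raises: where a device is now, and who tried to use it and why.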
Companies must take care not to assume that once they have achieved HIPAA compliance they will forever remain compliant.
Staying compliant with HIPAA requires policies that regularly review any new technology, vendors, software, or ways of doing business.
The Wearable Device Exceptions
Manufacturers of wearable devices designed for use by the general public and not healthcare providers do not fall under HIPAA regulations.
Makers of Fitbits and snoring monitors and other similar devices marketed and sold to patients on the open market have no duty to follow HIPAA rules.