The human factor is a major consideration in the HIPAA and healthcare landscape. With the healthcare industry already a prime target for cybercrime, where do medical devices, and the companies that manufacture them, fall within HIPAA regulations?
When the Department of Health and Human Services (HHS) created the HIPAA guidelines, it established two regulatory areas. First is the HIPAA Privacy Rule, which regulates our private health information; second is the HIPAA Security Rule, which regulates the manner in which healthcare providers control and protect that health information.
A covered entity is any healthcare provider that bills electronically for services, which is essentially all healthcare professionals. That means most medical device companies are not covered entities; however, if they sell directly to patients and bill Medicare, they may be considered a covered entity and therefore bound by HIPAA. Companies can work around this by placing patient sales in a separate division within the larger organization, so that only that division is a covered entity and only that division must be HIPAA compliant.
What is Covered?
The information HIPAA covers is PHI: any health-related information that can identify an individual or patient. Patients can permit certain disclosures of PHI by giving authorization, but the permitted uses and disclosures are defined by HIPAA rules and regulations. These rules break down further still, identifying when that authorization must be obtained. Within an organization, use of the information is not restricted, but once the information leaves the boundaries of that entity, it must comply with HIPAA privacy regulations.
Because medical devices can store, analyze, and transmit patient data, they must be designed with HIPAA guidelines in mind. The ease with which we can now share data among providers is a lifesaving advancement, but it is one that must be kept in mind whenever data is transmitted across the boundary from one provider to another. It also means that the patient must give consent before a device receives their personal data. And let's not forget the FDA regulations that these devices must adhere to as well.
Medical device manufacturers have their work cut out for them in creating products that meet all of these regulations and standards, but they must also consider that cybercriminal activity lurks around every corner in healthcare, and their part of the industry is no exception. With a workforce that has access to the technology that builds these machines and the software that runs them, manufacturers must also ensure that they comply with the highest cybersecurity standards, to protect their own business as well as the patients who will use their machines.