HIPAA regulations that apply to Covered Entities
There are three main sets of HIPAA regulations that apply to Covered Entities and Business Associates:
The Privacy Rule requires Covered Entities and Business Associates to adopt appropriate safeguards to protect the privacy of protected health information (PHI), including individual medical records, and sets limits and conditions on the uses and disclosures that may be made of such information. The Privacy Rule also gives individuals rights over their health information, including the right to examine and obtain a copy of their health records and to request corrections. In general, unless the individual has provided written consent (called an “Authorization”), an individual’s PHI can only be accessed by a member of the workforce of a Covered Entity or Business Associate for treatment or payment purposes or to perform specific health care operations. PHI can only be released to third parties outside the Covered Entity or Business Associate under specific exceptions permitted by the Privacy Rule. Examples of these exceptions include disclosures and access that are: required to defend the Covered Entity in a legal action brought by a patient of the Covered Entity; required by law, or for health and safety or law enforcement purposes; made pursuant to a valid subpoena or court order; or needed to prevent potential harm to the individual or others.
The Security Rule requires the implementation of physical, administrative, and technological safeguards to support the confidentiality and integrity of electronic PHI (ePHI), to prevent its unauthorized use, and to guard against physical hazards to it. The Security Rule requires Covered Entities and Business Associates to:
- Ensure the confidentiality, integrity, and availability of all ePHI they create, receive, maintain or transmit;
- Identify and protect against reasonably anticipated threats to the security or integrity of the information;
- Protect against reasonably anticipated, impermissible uses or disclosures; and
- Ensure compliance by employees, officers, and volunteers who are part of the Covered Entity’s or Business Associate’s workforce.
The Breach Rule requires Covered Entities and their Business Associates to investigate and mitigate any security or other incidents that involve potential unauthorized access to, use of, or disclosure of PHI. Except in very limited instances, any unauthorized access to a Covered Entity’s PHI constitutes a breach. Breaches that impact fewer than 500 individuals must be reported to the impacted individuals within 60 days of discovery and reported on an annual basis to HHS. Breaches that impact 500 or more individuals must be reported to HHS, the media, and the impacted individuals within 60 days of discovery.
Designing, developing, maintaining and decommissioning medical devices with their associated cybersecurity risks in mind is the best way to build security into devices. Manufacturers need to embed these practices into their processes for developing medical devices. This is considered a secure development lifecycle. Emergo by UL can help manufacturers by reviewing, assessing, recommending and developing a secure development lifecycle for their products. We can provide templates, training, industry best practices and guides on:
HIPAA applies to more than you think
When talking about HIPAA, we often think about healthcare providers who transmit PHI in electronic form. However, a medical device company meets the Privacy Rule’s definition of “health care provider” if it furnishes, bills, or is paid for “healthcare” in the normal course of business. “Healthcare” under the Rule means care, services, or supplies related to the health of an individual. Thus, a device manufacturer is a health care provider under the Privacy Rule if it needs protected health information to counsel a surgeon on, or to determine, the appropriate size or type of prosthesis for the surgeon to use during a patient’s surgery, or if it otherwise assists the doctor in adjusting a device for a particular patient. Similarly, when a device company needs protected health information to provide support and guidance to a patient, or to a doctor concerning a particular patient, regarding the proper use or insertion of the device, it is providing “healthcare” and is therefore a health care provider when engaged in these services.
By contrast, a medical device company is not providing “healthcare” if it simply sells its appropriately labeled products to another entity for that entity to use or dispense to individuals.
HIPAA gets trickier for the second class of organizations: business associates, which are used by covered entities in the course of doing business. Organizations such as consulting and law firms, quality and regulatory consultants, and pharmacy benefits managers are also bound by HIPAA regulations when they receive or send PHI.
Medical device and pharmaceutical companies, too, can be classified as business associates. When a physician transmits PHI to a medical device or pharmaceutical manufacturer for data analysis, for example, the manufacturer becomes responsible for safeguarding that information. The company must use systems capable of adequately protecting that data to stay compliant with HIPAA rules.
It is important to remember that medical devices in and of themselves are not protected health information for HIPAA purposes. However, information in or from the device may be protected health information to the extent that it otherwise meets the definition.
Privacy and Security Consulting for Medical Device and IVD Companies
Emergo by UL's data privacy team has extensive experience in helping medical device and in-vitro diagnostic manufacturers navigate patient privacy regulatory requirements for global markets. We have in-depth expertise in US and European data privacy requirements and can help you address your needs as a manufacturer for a range of connected devices.