HIPAA Compliance for Medical Device Manufacturers: What It Is and What It Is Not

Introduction: Revisiting the Role of Information Security in MedTech
In our previous article “The Benefits of Integrating an Information Security Management System to Medical Device Manufacturers,” we discussed how an information security management system supports compliance with the Health Insurance Portability and Accountability Act (HIPAA). In this article, we explain what HIPAA is, what it is not, and which medical device manufacturers are affected by the Act.

What is HIPAA?
HIPAA (Health Insurance Portability and Accountability Act) safeguards electronic protected health information (PHI) and applies to medical device manufacturers that process or transmit PHI. Such companies must primarily comply with Part 164, which mandates security measures similar to those of ISO 27001/27002.

Key Takeaways on HIPAA Compliance

  • HIPAA applies to MedTech manufacturers acting as “covered entities” or “business associates.”
  • Part 164 requires measures to ensure the security, confidentiality, and availability of PHI.
  • Safeguards include administrative, physical, and technical protections.
  • Requirements align closely with ISO 27001/27002 (e.g., Annex A).
  • Compliance is crucial for accessing the US market.

HIPAA’s Core Purpose: Protecting Patient Data
HIPAA is a US law (45 CFR Parts 160, 162, and 164) aimed at protecting the health records of individual patients. It requires companies handling such protected data (e.g., medical device manufacturers) to implement and follow certain physical, network, and process-related security measures.

In its intent, HIPAA is comparable to the recently introduced electronic patient record (ePA) in Germany, which is currently available to all patients on a voluntary basis.

Who is Affected by HIPAA?
Generally, HIPAA applies to all health insurers, healthcare billing centres, and healthcare providers such as hospitals, doctors, and clinics that bill insurers electronically.

Overview of HIPAA Parts 160, 162, and 164

  • Part 160: Describes general administrative requirements, mainly affecting the statutory framework, such as pre-emption of state law, compliance enforcement and investigations, penalties, and hearing procedures.
  • Part 162: Covers administrative requirements for different roles under HIPAA. If medical device manufacturers intend to provide their medical devices for reimbursement from a health plan or healthcare provider, they need to ensure that their devices match medical data code set requirements. However, all requirements in Part 162 apply to healthcare clearinghouses and health plans, which act as health data processing organisations (refer to EU GDPR 2017/679) and are defined as covered entities under the HIPAA.

Why HIPAA Matters for Medical Device Manufacturers
So, if HIPAA is for covered entities like healthcare clearinghouses and health plans, what makes it important for manufacturers?

Medical device manufacturers who transmit or process protected health information (PHI) in electronic form to or from doctors or patients via standardized interfaces (e.g., a cloud-based network exchange) are affected. In addition, putting a device into service or maintaining it typically means that a service technician can access PHI. All of these activities serve the provision of healthcare and therefore meet the definition of a covered entity.

A medical device company meets the Privacy Rule’s definition of a healthcare provider if it furnishes, bills, or is paid for healthcare in the normal course of business. Furthermore, as a business associate supporting a physician in analysing data or maintaining patient data as a data host (e.g., medical devices that collect and maintain patient health data on servers), they fall under the definition of a covered entity.

Compliance Requirements for Medical Device Manufacturers
These medical device manufacturers need to fulfil specific ANSI ASC X12 standards, a data transmission standard in the field of electronic data interchange (EDI), which is mainly used in the USA. Additionally, these manufacturers need to ensure compliance with Part 164 (Security Standards for PHI Protection). Part 164 is the most relevant, if not the only relevant section of HIPAA applicable to medical device manufacturers providing medical devices to the US market and meeting the definition of a “covered entity” as a healthcare (service) provider.

Part 164 requires implementing security standards for the protection of electronic protected health information. The need to ensure the confidentiality, integrity, and availability (CIA) of PHI throughout its lifecycle is paramount. Security measures can be tailored to the size, complexity, and capabilities of the organisation. Even the costs of security measures may be considered (similar to ISO 14971 requirements regarding the implementation sequence of safety measures).

Security Safeguards Under Part 164
The required safeguards include:

  • Administrative safeguards: Security management processes, risk management and analysis, workforce security (including sanction policies for employees), training and awareness, supplier controls (including subcontractors), access controls (to computer systems), periodic security updates, protection from malicious software, data backup plans, disaster recovery plans, testing and revision procedures, and data criticality analysis.
  • Physical safeguards: Facility access control, contingency operations, maintenance of records, workstation use and security, device and media controls, data backup, and storage.
  • Technical safeguards: Access control policies (e.g., unique user identification), emergency access, encryption and decryption, audit controls, and integrity controls.
  • Organisational requirements: Contracts with business associates (supplier control) to ensure that these business associates comply with the applicable requirements of Part 164 and that subcontractors are also covered by the same requirements.

Finally, there are documentation requirements for these entities (availability, time limits, and retention requirements).

How HIPAA Aligns with ISO 27001/27002 Standards
Do these safeguard requirements in HIPAA Part 164 sound familiar? If so, it is probably because you know the ISO 27001/27002 information security management standard. In particular, Annex A of ISO 27001 lists most of these security measures as controls to be implemented when complying with ISO 27001/27002.


Personal Comment from the Author:

Driving HIPAA compliance programs for medical device manufacturers sometimes reveals poor evidence of differing prioritization of management systems (ISO 13485 vs. ISO 27001). In the digital age, medical device organizations are recommended to combine these two management systems effectively.

Often, IT departments know the requirements of information security measures but are not aware of the ISO 13485 and other applicable requirements known by quality departments (and vice versa). Once an auditor mentions “HIPAA”, quality and regulatory departments start thinking about how HIPAA compliance can be achieved (once it is understood) and spend a lot of time and money adding these requirements to product development plans. Tip: Talk to each other. IT departments often know the ISO 27001 requirements, and it may be that most of the medical device infrastructure is already HIPAA compliant and it is only a question of how it is documented.

If you do not maintain systems that handle PHI (e.g., transmit, analyze, review, service), you likely do not need to comply with HIPAA. If you have single-use devices or disposables, it is very unlikely that you need to comply with HIPAA in the normal course of business.

Selling medical devices to the US market through sales organizations alone does not require HIPAA compliance, as long as there is no maintenance service of medical devices containing PHI or transmitting PHI to doctors, healthcare organizations, or business associates. Of course, having business associates in the US for relevant devices will impose HIPAA applicability, which needs to be embedded into agreements.

Also, be careful if you are providing data storage centers for PHI; you most likely should comply with HIPAA, regardless of where these data centers are located.

If you are looking for a Gap Assessment template regarding HIPAA (US) and GDPR (EU), please reach out to sales@eumediq.eu.

Coming soon: HIPAA Part 164 and ISO 27001 correlation.

If you’re looking for support in implementing ISO 27001 into your ISO 13485 environment, we are happy to assist you too!