Following the introduction of the HITECH Act and the passing of the HIPAA Privacy and Security Rules, Pharmaceutical companies and medical device manufacturers have had to navigate HIPAA Rules for medical devices, and this has caused some of those companies a number of problems.
For any company required to record, store or transmit electronic Protected Health Information (ePHI) there are a number of considerations, the most important perhaps, is whether the entity in question is actually covered under HIPAA.
The Health Insurance Portability and Accountability Act requires covered entities to implement physical, technical and administrative controls to ensure that ePHI is kept secure. However, the rules only apply to HIPAA-covered entities. The same data covered by HIPAA can be transmitted by non-covered entities with fewer restrictions. The first question that must be answered therefore, is whether the entity in question is actually covered by HIPAA Rules.
Are Pharma Companies and Medical Device Manufacturers Subject to HIPAA Rules for Medical Devices?
HIPAA Rules cover any healthcare provider that “transmits any health information in electronic form in connection with a transaction” and since the introduction of the HITECH Act (Effective Feb. 18, 2010), HIPAA Rules for medical devices and ePHI storage and transmission also apply to Business Associates of covered entities, as well as any subcontractors used by Business Associates.
Under 45 CFR §160.103(2)(ii)(3), “a covered entity may be a business associate of another covered entity.” Even some government agencies are HIPAA covered entities. The Centers for Medicare and Medicaid Services (CMS) is considered to be a HIPAA-covered entity, and must therefore abide by HIPAA Rules.
HIPAA Rules also apply to “health information organizations, e-prescribing gateways, vendors of personal health records and other persons that facilitate data transmission and require access to PHI” These companies must have a Business Associate Agreement in place before data can be recorded, received or sent.
Therefore, pharmaceutical companies and medical device manufacturers are required to abide by HIPAA Rules, and the penalties for not doing so can be severe. Since the introduction of the HIPAA Enforcement Rule, financial penalties can be issued for non-compliance, and it is even possible for criminal charges to be filed against organizations and individuals found to be in violation of HIPAA Rules.
HIPAA Rules for Medical Devices Stipulate Allowable Uses of Users’ Data
Information recorded by medical devices is valuable. The data can, for instance, be used to construct models that help predict diseases. Data can therefore be used to reduce healthcare costs. However, HIPAA places severe restrictions on the uses of patient health data. Patient health information cannot be sold for a profit for example, although it may be possible, under certain circumstances, for data to be sold if it is first de-identified. It cannot be possible for patients to be identified from any data that is recorded and sold on.
Patients Must be Given Access to Their Data
Patients must be allowed access to their health data following the introduction of the HIPAA Privacy Rule. This naturally applies to healthcare providers who must supply patients with copies of their medical records on request; however, HIPAA Rules apply to medical devices as well. If a patient has been implanted with a medical device, under HIPAA Rules they should be allowed access to that data, if it is explicitly requested. There are exceptions to these Rules of course, but it is the responsibility of the covered entity to become familiar with the rules covering patient access to data. Failure to do so can, and does, result in substantial financial penalties, as Cignet Health recently discovered.
The Department of Health and Human Services’ Office for Civil Rights recently issued Cignet Health with a financial penalty of $4.3 million for failing to agree to patients’ requests for healthcare data access. In the case of Cignet, 41 patients were denied access to their data. Georgina Verdugo, Director of the OCR, explained this in a recent announcement. “Covered entities and business associates must uphold their responsibility to provide patients with access to their medical records, and adhere closely to all of HIPAA’s requirements.”