Medical Devices and HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) became federal
law on August 21, 1996. Compliance with its Privacy Rule became mandatory on
April 14, 2003, and compliance with its Security Rule on April 20, 2005. This
federal standard is stirring up a big buzz across the nation as hospitals burn
the midnight oil to meet compliance.
How does "Insurance" make its way into the "I" in "HIPAA"? We won't go deep into
the history here, but the name stems from insurance reform. In short, HIPAA was
passed by Congress, and its implementing regulations were written by the US
Department of Health and Human Services (HHS). Its Administrative Simplification
provisions stemmed from the desire to standardize the electronic transfer of
data: the insurance industry suffered from a lack of common formats for medical
transaction and billing data.
For those of us who work in the Hospital Information System (HIS) industry, the
word HIPAA has become an everyday term for protecting confidentiality and
ensuring information security, as well as improving the overall quality of data.
HIPAA Scope
The focus of HIPAA is entirely on health information. Its scope covers not only
products but services as well. What does health information consist of?
HEALTH INFORMATION - The term 'health information' means any information,
whether oral or recorded in any form or medium, that--
(A) is created or received by a health care provider, health plan, public health
authority, employer, life insurer, school or university, or health care
clearinghouse; and
(B) relates to the past, present, or future physical or mental health or
condition of an individual, the provision of health care to an individual, or
the past, present, or future payment for the provision of health care to an
individual.
This covers most, if not all, information about an individual's health,
including anything that describes a person's physical, mental or functional
condition. Note that the obligation falls on the organisations HIPAA calls
covered entities (health plans, health care clearinghouses, and health care
providers that transmit health information electronically) and, through
contract, on the parties that handle health information on their behalf.
Services that do not involve health care are outside the standard.
SECURITY STANDARDS AND PRIVACY STANDARDS
HIPAA protects health information in two ways. Security standards (the Security
Rule) require that electronic health information cannot be corrupted, damaged or
lost, nor read by anyone not authorised to read it. Privacy standards (the
Privacy Rule) govern how health information in any form may be used and
disclosed, keeping it from inappropriate disclosure. Together they address the
confidentiality, integrity and availability of the information.
It is no longer acceptable to keep a backup on a floppy in a desk drawer. A
fire can destroy both the record on the server and the backup in the drawer,
losing the information permanently; the Security Rule's contingency planning
requirements expect a backup that survives the same disaster as the original.
This detail has resulted in services sprouting up that store your information
off site in "warehouses". Some of these services integrate nicely with the
general move of hospitals toward Picture Archiving and Communication Systems
(PACS).
Radiology 'light boxes' are steadily giving way to more efficient PACS. X-rays
are either captured directly in digital form or scanned in later; in both cases
the images are stored on, and read from, computer systems. Diagnosis is made on
high-resolution monitors (2 MP, or 5 MP in the case of mammography).
This move to digital media has co-evolved nicely with the implementation of
HIPAA. Hospital administrators looking to implement PACS should specifically ask
vendors how their products support HIPAA compliance. Bear in mind that HIPAA has
no product certification: compliance is an obligation of the hospital, and the
most a vendor can truthfully claim is that the product provides the controls
(access controls, audit trails, and protection of images in storage and in
transit) the hospital needs to meet it. A quick scan of manufacturers (at the
time this article was written) showed that only a handful of PACS suppliers
advertised HIPAA compliance at all.
Third party (off site) storage of health information should begin with a written
agreement, which HIPAA calls a business associate agreement. Such agreements
ought to be drafted by a lawyer specialising in HIPAA, because they become
complex, especially when several parties are privy to the stored health
information.
From the FDA's perspective, the analogous requirements for electronic records
and signatures are in 21 CFR Part 11, and compliance with these and other Part
11 components is usually demonstrated through validation. Software has a way of
becoming complex, especially when it is designed to work and interact with other
software, and then unanticipated input, as simple as an unintended mouse click,
can produce unexpected behaviour. We won't get into the details of how
validation is done here. For a thorough treatment, see the guidance document
published by the FDA: General Principles of Software Validation.
In conclusion, HIPAA will make hospitals and other institutions more effective
places by ensuring that information is sent, transmitted and received with a
high degree of efficacy and efficiency. In turn we can begin to reap the rewards
of applying current technology to medical treatment.
Keep watching Medical Device School for more information related to HIPAA.