Medical device, equipment and supplies manufacturers face extra regulatory scrutiny, especially when their products handle protected health information (PHI): individually identifiable health data together with identifiers such as Social Security numbers, names, addresses and demographic details. HIPAA itself is enforced by the HHS Office for Civil Rights, while the FDA treats device cybersecurity as a patient-safety matter, so to satisfy both, medical manufacturers need to ensure that their devices have proper authorization and cybersecurity safeguards to protect PHI.
When do you need to worry about HIPAA?
HIPAA protections safeguard individually identifiable health information about patients. A manufacturer whose devices, equipment or supplies transmit, receive or record health information on behalf of a covered entity (a hospital or clinic, for example) is typically a HIPAA business associate, and those products must protect patient information accordingly.
If PHI is going to be collected, your devices need to ensure that data is only sent or received by authorized parties, and that any use or disclosure beyond what HIPAA already permits (treatment, payment and healthcare operations) is backed by the patient's written authorization. This has many implications, including the need to have all users sign off on a PHI-related authorization agreement and the need for the manufacturer to keep a record of that authorization for each account. Although simple, even this step requires an account management system with sufficient storage and a disaster recovery system for safeguarding the data. If you are anxious about your software's ability to handle these fundamental business needs, look to Datix. With 25 years of experience supporting software infrastructure, account management and disaster recovery, Datix is your one-stop shop for all your software needs. Learn simple solutions to relieve your software anxieties.
The FDA addresses some of the issues related to releasing patient information in its 2017 guidance "Manufacturers Sharing Patient-Specific Information from Medical Devices with Patients Upon Request." The guidance states that manufacturers of legally marketed medical devices may "share patient-specific information about a patient with that patient at that patient's request." In plain terms, manufacturers are allowed to share a patient's information with that patient (for instance, letting a patient see their own heart rate data as tracked by a medical device). However, the guidance is clear that HIPAA requirements for sharing information still apply. To meet them, medical manufacturers should keep tamper-resistant audit logs of who accessed PHI and when, and enforce access controls so that only authorized users, including the patient for their own data, can see collected PHI.
With the rise of hacking, especially in the medical sector, products should use encryption to protect sensitive data at rest and in transit and should run on secured networks. Attackers go after medical records through devices for crimes like identity theft, and ransomware has locked up networked medical devices until victims pay to get them back. In 2019, the healthcare records of over 35 million individuals were "compromised, exposed, or impermissibly disclosed" (Healio). To prevent hacking, medical devices must be secured and have security controls designed in from the start rather than bolted on later. The FDA is aware of the cybersecurity threat and collaborated with MITRE to update the Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook in 2022 for healthcare organizations that could face medical device cybersecurity incidents. The playbook updates emphasize extensive training, consideration of the widespread impacts of cybersecurity incidents, and making it easy for professionals to find cybersecurity tools. If you are uncertain how to protect against cybersecurity threats, look to a partner like Datix. As a one-stop shop for ERP-related software and infrastructure, our consultants are experts in hosting and managed services to ensure that your system is safe from threats.
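The two controls the preceding sections call for, access control over who may read collected PHI (including a patient reading their own data) and a secured log of that access, can be sketched in a few dozen lines. The following is an added illustration written for this article, not code from Datix, the FDA or any device vendor. The user table, the patient record and the `read_phi` function are constructed for the example; the audit log chains each entry to the previous one with an HMAC so that editing or deleting an entry is detectable. The HMAC key is assumed to be stored separately from the log (for instance in an HSM or a key vault), and encryption of the records at rest, which the text also calls for, is left to a vetted library and is not shown here.

```python
import hashlib
import hmac
import json
import time
from dataclasses import dataclass, field

# Constructed sample data for the example; no real PHI.
RECORDS = {
    "patient-001": {"name": "A. Example", "heart_rate_bpm": [72, 75, 71]},
}
USERS = {
    "dr.lee": {"role": "clinician"},
    "tech.kim": {"role": "technician"},
    "patient-001": {"role": "patient"},
}
# Only the clinician role may read PHI in general; a patient may read their own.
ROLE_PERMISSIONS = {"clinician": {"read_phi"}, "technician": set(), "patient": set()}


class AccessDenied(Exception):
    pass


@dataclass
class AuditLog:
    """Append-only log. Each entry carries an HMAC over its own fields plus the
    previous entry's tag, so editing or removing an entry breaks the chain."""

    key: bytes  # assumed to be kept apart from the log itself
    entries: list = field(default_factory=list)

    def _tag(self, record: dict) -> str:
        body = json.dumps(record, sort_keys=True).encode()
        return hmac.new(self.key, body, hashlib.sha256).hexdigest()

    def append(self, **event) -> str:
        prev = self.entries[-1]["tag"] if self.entries else "0" * 64
        record = {"prev": prev, "ts": time.time(), **event}
        tag = self._tag(record)
        self.entries.append({**record, "tag": tag})
        return tag

    def verify(self) -> bool:
        """Walk the chain and recompute every tag; False on any break."""
        prev = "0" * 64
        for entry in self.entries:
            record = {k: v for k, v in entry.items() if k != "tag"}
            if record["prev"] != prev:
                return False
            if not hmac.compare_digest(self._tag(record), entry["tag"]):
                return False
            prev = entry["tag"]
        return True


def read_phi(user: str, patient_id: str, log: AuditLog) -> dict:
    """Return a patient's record if the caller may see it.
    Every attempt, allowed or denied, is written to the audit log first."""
    role = USERS.get(user, {}).get("role")
    allowed = user == patient_id or "read_phi" in ROLE_PERMISSIONS.get(role, set())
    log.append(actor=user, action="read_phi", patient=patient_id, allowed=allowed)
    if not allowed:
        raise AccessDenied(f"{user} may not read {patient_id}")
    return RECORDS[patient_id]


if __name__ == "__main__":
    log = AuditLog(key=b"example-key-keep-elsewhere")
    print(read_phi("dr.lee", "patient-001", log))        # clinician: allowed
    print(read_phi("patient-001", "patient-001", log))   # patient's own data: allowed
    try:
        read_phi("tech.kim", "patient-001", log)         # technician: denied, still logged
    except AccessDenied as exc:
        print("denied:", exc)
    print("log intact:", log.verify())
    log.entries[2]["allowed"] = True                     # tamper with the denial
    print("log intact after tampering:", log.verify())
```

Denied attempts are logged as deliberately as successful reads, since an investigation usually starts from the failures. In a real device the log would be shipped off the device or signed with a key the device cannot use to forge entries, so that an attacker who owns the device cannot also rewrite its history.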
Handling PHI is one of the many challenges that medical manufacturers face in regard to compliance. Read more about how to ensure compliance by maximizing your software.
For medical manufacturers, Datix is the software consultant of choice. We recognize that each manufacturer is unique and requires a tailored solution to meet their business goals. Our team will partner with you every step of the way to bring your organization to the next level.