E
ehoqa
We are a manufacturer of a prescription-based medical device in the US. We sell to hospitals/doctors and to patients with prescriptions. In light of HIPAA rules and obligations of covered entities and business associates, we realize we don't collect much patient information. We are wondering if our current procedure in collecting patient information meets a regulation or standard regarding patient info (if there is one?).
Here's the info we currently have from receiving prescriptions before we ship our product:
1. the prescribing doctor
2. the patient's name
3. the size & preferred color of our product.
We also have the ship-to address and credit card number associated with the order, though those are not necessarily the patient's address and credit card.
My questions are:
As a medical device manufacturer in supplying prescription-based products, is our current procedure for collecting patient information adequate? (i.e. does it meet a regulation or standard, if there is one regarding having the minimum patient information?)
If we need to change our procedure in collecting patient information, are we obligated to use a minimum number of patient identifiers? Do we need to go further to require another identifier such as patient's birthday?
As I mentioned, we just have the doctor's name/contact, patient's name, and product. Shipping address and payment information may or may not be the patient's. Internally we don't need to collect more information for our purposes of selling the products and keeping our orders straight, but I want to make sure we are not breaking any rules by not having enough patient information. I hope this make sense!
I realize it's the holiday season so this question may not get much attention. I hope someone can answer or point me in the right direction of where to look.
Here's the info we currently have from receiving prescriptions before we ship our product:
1. the prescribing doctor
2. the patient's name
3. the size & preferred color of our product.
We also have the ship-to address and credit card number associated with the order, though those are not necessarily the patient's address and credit card.
My questions are:
As a medical device manufacturer in supplying prescription-based products, is our current procedure for collecting patient information adequate? (i.e. does it meet a regulation or standard, if there is one regarding having the minimum patient information?)
If we need to change our procedure in collecting patient information, are we obligated to use a minimum number of patient identifiers? Do we need to go further to require another identifier such as patient's birthday?
As I mentioned, we just have the doctor's name/contact, patient's name, and product. Shipping address and payment information may or may not be the patient's. Internally we don't need to collect more information for our purposes of selling the products and keeping our orders straight, but I want to make sure we are not breaking any rules by not having enough patient information. I hope this make sense!
I realize it's the holiday season so this question may not get much attention. I hope someone can answer or point me in the right direction of where to look.