HIPAA, HITECH and Interoperability compliance route


Deepa

Hi friends,

I am looking for details on HIPAA, HITECH and interoperability compliance for medical devices.

1. Firstly, I would like to seek some advice on whether the HIPAA privacy & security rules are applicable to a medical device manufacturer.
2. How can the interoperability rules set out in the FDA guidance be complied with?
3. Also, how are these related to each other?
4. If it is applicable to a medical device manufacturer (of radiotherapy equipment), how do we comply: is self-certification or 3rd-party assessment required?

It all seems too vague for me to get started with the compliance. Please help me out!

Regards,
Deepali
 

yodon

Leader
Super Moderator
I'll try to get the ball rolling but I need some clarification.

1. HIPAA, as you know, is intended to protect patient info. So if your device is collecting or handling protected information, you need to be sure the system adequately protects the information. If you, say, collect complaints that contain protected information, you'll need to properly protect it (and probably have procedures / training to ensure your staff understands the responsibilities).

2. Can you clarify which FDA guidance on interoperability you are trying to comply with? What specific issues with compliance are you having?

3. I suppose if your device is handling protected information and you're passing that data to another system, you'd likely need to protect it (e.g., send encrypted, ensure destination is authorized, etc.).

4. What "it" are you asking about? Many tests are best facilitated by 3rd-party labs who have proper equipment and expertise.
 

Deepa

Thank you so much for the clarification,

2. I am referring to the requirements of 45 CFR Parts 170 and 171 (Interoperability, Federal Register) & the recent requirements of FHIR and USCDI.

4. "It" - we just manufacture SaMD software that is used to record patient demographics for radiotherapy and vitals during each fraction of treatment. In either case, we don't get the PII from a hospital (our customer), but the data is transferred to the TPS (both in print and electronically). This is the "it" I had mentioned earlier.

Regards,
Deepali
 