ISO 13485:2016 Clause 4.2.5 - Control of Records - HIPAA Requirements

#1
Greetings,

We are a contract manufacturer of medical devices and I am revising our QMS for 13485:2016. Section 4.2.5 Control of Records (3rd sentence) says: "The organization shall define and implement methods for protecting confidential health information contained in records in accordance with applicable regulatory requirements." My question is: do we need to show compliance with HIPAA even though we are not a covered entity or even a Business Associate?

We have zero contact with any Personal Health Information.

Can we claim an exemption from this section?

Perhaps a statement in our Control of Records section of our Quality Manual stating we will not receive any such information from our clients?

Marcelo

Inactive Registered Visitor
#2
Re: ISO 13485:2016 Clause 4.2.5 - Control of Records - HIPAA

Hello GoSpeedRacer, and welcome to the Cove!

Does your company handle "confidential health information"?
 
#3
Re: ISO 13485:2016 Clause 4.2.5 - Control of Records - HIPAA

No, we have never had any customer where we dealt with confidential health information.
 

Marcelo

Inactive Registered Visitor
#4
Re: ISO 13485:2016 Clause 4.2.5 - Control of Records - HIPAA

Then I would say this requirement is non-applicable.

Howeverrrrrrrr, the standard only permits exclusions of design and development controls, and only if applicable regulatory requirements permit so (not the case) and non-applicability of items in Clauses 6, 7 or 8 (not the case). So I think you have a problem.

The real problem is that that specific requirement should not be in 4.2.5. I noted this (and several dozen other problems) when translating the standard to be published in Brazil. Another obvious case is the requirement for the medical device file in 4.2.3, which was intended to apply only to manufacturers, but now cannot be made non-applicable for others that are not the manufacturer, because it sits in clause 4 :-(.

Ronen E

Problem Solver
Staff member
Moderator
#5
Re: ISO 13485:2016 Clause 4.2.5 - Control of Records - HIPAA

If you absolutely have to -

The org has to define and implement methods and so on. You can define that your method is to avoid receiving any confidential health info by including a generic contract clause stating that your clients shall not provide to you or require you to accept such info from them. Convoluted, I grant, but still compliant. Isn't it?

You could also document some letter on file showing that you've researched the regulatory requirements that might apply to you and concluded that they're all N/A, so there'd be no clash between the above contract clause and the law/regulations.
 
#6
Hello Ronen,
I am leaning towards the path you have laid out.
1. We add to our standard contract something that says we don't receive any HIPAA data (for new customers).
2. We put a statement on file stating we have reviewed current customers and attest that we have not received any health information (existing customers), and of course we train our folks to know what is and is not Health Information.

Thank you for your insight!
 

Access2hc

Involved In Discussions
#7
Hi - there's never any harm in placing a clause/requirement in your SOPs that says "in the event of ..."

But first, it would be good to understand from you what you've termed as personal health information, because I've noted you've also used "HIPAA data", which is a term that does not exist.


hope it helps

Cheers,
Ee Bin
@Access2HC
 
#8
Re: ISO 13485:2016 Clause 4.2.5 - Control of Records - HIPAA

What is the definition of confidential health information? Is it any information given by a patient to a doctor? Is it the same information that a medical device manufacturer would hear in clinical trials?
 

Ronen E

Problem Solver
Staff member
Moderator
#9
Re: ISO 13485:2016 Clause 4.2.5 - Control of Records - HIPAA

Hello youngm and welcome to the Cove!

What is the definition of confidential health information?
The answer depends on the context. In the EU there are some Directives governing handling such information. They contain their definitions.

Cheers,
Ronen.
 
#10
Being in compliance with HIPAA involves not only ensuring you provide the appropriate patient rights and controls on your uses and disclosures of protected health information, but also that you have the proper policies and procedures in place. If audited or the subject of a compliance review, you will be required to show the government you have all the necessary documentation in place for safeguarding patient Protected Health Information and indicate how you addressed all required security safeguards. This starts with understanding the fundamentals of HIPAA compliance.