ISO 13485:2016 Clause 4.2.5 - Control of Records - HIPAA Requirements

GoSpeedRacer

Registered
Greetings,

We are a contract manufacturer of medical devices and I am revising our QMS for 13485:2016. Section 4.2.5 Control of Records (3rd sentence): "The organization shall define and implement methods for protecting confidential health information contained in records in accordance with applicable regulatory requirements." My question is, do we need to show compliance with HIPAA even though we are not a covered entity or even a Business Associate?

We have zero contact with any Personal Health Information.

Can we claim an exemption from this section?

Perhaps a statement in our Control of Records section of our Quality Manual stating we will not receive any such information from our clients?

Marcelo

Inactive Registered Visitor
Re: ISO 13485:2016 Clause 4.2.5 - Control of Records - HIPAA

Hello GoSpeedRacer, and welcome to the Cove!

Does your company handle "confidential health information"?

GoSpeedRacer

Registered
Re: ISO 13485:2016 Clause 4.2.5 - Control of Records - HIPAA

No, we have never had any customer where we dealt with confidential health information.

Marcelo

Inactive Registered Visitor
Re: ISO 13485:2016 Clause 4.2.5 - Control of Records - HIPAA

Then I would say this requirement is non-applicable.

Howeverrrrrrrr, the standard only permits exclusions of design and development controls, and only if applicable regulatory requirements permit it (not the case), and non-applicability of items in Clauses 6, 7 or 8 (not the case). So I think you have a problem.

The real problem is that that specific requirement should not be in 4.2.5. I've noted this (and several dozen other problems) when translating the standard to be published in Brazil. Another obvious case is the requirement of the medical device file in 4.2.3, which was intended to be only for manufacturers, but now cannot be non-applicable for others that are not the manufacturer due to being in clause 4 :-(

Ronen E

Problem Solver
Moderator
Re: ISO 13485:2016 Clause 4.2.5 - Control of Records - HIPAA

If you absolutely have to -

The org has to define and implement methods and so on. You can define that your method is to avoid receiving any confidential health info by including a generic contract clause stating that your clients shall not provide to you or require you to accept such info from them. Convoluted, I grant, but still compliant. Isn't it?

You could also document some letter on file showing that you've researched the regulatory requirements that might apply to you and concluded that they're all N/A, so there'd be no clash between the above contract clause and the law/regulations.

GoSpeedRacer

Registered
Hello Ronen,
I am leaning towards the path you have laid out.
1. We add to our standard contract something that says we don't receive any HIPAA data (for new customers).
2. We put a statement on file stating we have reviewed current customers and attest that we have not received any health information (existing customers), and of course we train our folks to know what is and is not Health Information.

Thank you for your insight!

Access2hc

Hi - there's never any harm in placing a clause/requirement in your SOPs that says "in the event of ..."

But first, it would be good to understand from you what you've termed as personal health information, because I've noted you've also used "HIPAA data", which is a term that does not exist.


Hope it helps.

Cheers,
Ee Bin
@Access2HC

youngm

Re: ISO 13485:2016 Clause 4.2.5 - Control of Records - HIPAA

What is the definition of confidential health information? Is it any information given by a patient to a doctor? Is it the same information that a medical device manufacturer would hear in clinical trials?

Ronen E

Problem Solver
Moderator
Re: ISO 13485:2016 Clause 4.2.5 - Control of Records - HIPAA

Hello youngm and welcome to the Cove :bigwave:

What is the definition of confidential health information?

The answer depends on the context. In the EU there are some Directives governing handling such information. They contain their definitions.

Cheers,
Ronen.

JillianWright

Being in compliance with HIPAA involves not only ensuring you provide the appropriate patient rights and controls on your uses and disclosures of protected health information, but also having the proper policies and procedures in place. If audited or the subject of a compliance review, you will be required to show the government you have all the necessary documentation in place for safeguarding patient Protected Health Information and to indicate how you addressed all required security safeguards. This starts with understanding the fundamentals of HIPAA compliance.