ISO 13485:2016 Clause 4.2.5 - Control of Records - HIPAA Requirements

#1
Greetings,

We are a contract manufacturer of medical devices and I am revising our QMS for 13485:2016. Section 4.2.5 Control of Records (3rd sentence) reads: "The organization shall define and implement methods for protecting confidential health information contained in records in accordance with applicable regulatory requirements." My question is: do we need to show compliance with HIPAA even though we are not a covered entity or even a Business Associate?

We have zero contact with any Personal Health Information.

Can we claim an exemption from this section?

Perhaps a statement in our Control of Records section of our Quality Manual stating we will not receive any such information from our clients?

Marcelo

Inactive Registered Visitor
#2
Re: ISO 13485:2016 Clause 4.2.5 - Control of Records - HIPAA

Hello GoSpeedRacer, and welcome to the Cove!

Does your company handle "confidential health information"?
 
#3

No, we have never had any customer where we dealt with confidential health information.
 

Marcelo

Inactive Registered Visitor
#4

Then I would say this requirement is non-applicable.

Howeverrrrrrrr, the standard only permits exclusions of design and development controls, and only if applicable regulatory requirements permit so (not the case) and non-applicability of items in Clauses 6, 7 or 8 (not the case). So I think you have a problem.

The real problem is that that specific requirement should not be in 4.2.5. I noted this (and several dozen other problems) when translating the standard to be published in Brazil. Another obvious case is the requirement for the medical device file in 4.2.3, which was intended to be only for manufacturers, but now cannot be made non-applicable for others that are not the manufacturer, because it sits in clause 4 :-(

Ronen E

Problem Solver
Staff member
Moderator
#5

If you absolutely have to -

The organization has to define and implement methods, and so on. You can define that your method is to avoid receiving any confidential health information, by including a generic contract clause stating that your clients shall not provide such information to you or require you to accept it from them. Convoluted, I grant, but still compliant. Isn't it?

You could also keep a letter on file showing that you have researched the regulatory requirements that might apply to you and concluded that they are all N/A, so there would be no clash between the above contract clause and the law/regulations.
 
#6
Hello Ronen,
I am leaning towards the path you have laid out.
1. We add to our standard contract something that says we don't receive any HIPAA data (for new customers).
2. We put a statement on file stating we have reviewed current customers and attest that we have not received any health information (existing customers), and of course we train our folks to know what is and is not health information.

Thank you for your insight!
 

Access2hc

#7
Hi - there's never any harm in placing a clause/requirement in your SOPs that says "in the event of ..."

But first, it would be good to understand from you what you've termed "personal health information", because I've noted you've also used "HIPAA data", which is a term that does not exist.

Hope it helps.

Cheers,
Ee Bin
@Access2HC
 

youngm

#8

What is the definition of confidential health information? Is it any information given by a patient to a doctor? Is it the same information that a medical device manufacturer would hear in clinical trials?
 

Ronen E

Problem Solver
Staff member
Moderator
#9

Hello youngm and welcome to the Cove!

What is the definition of confidential health information?
The answer depends on the context. In the EU there are some Directives governing the handling of such information. They contain their definitions.

Cheers,
Ronen.
 

JillianWright

#10
Being in compliance with HIPAA involves not only ensuring you provide the appropriate patient rights and controls on your uses and disclosures of protected health information, but also having the proper policies and procedures in place. If audited or subject to a compliance review, you will be required to show the government that you have all the necessary documentation in place for safeguarding patient Protected Health Information and to indicate how you addressed all required security safeguards. This starts with understanding the fundamentals of HIPAA compliance.