Need help to understand HIPAA requirements

[Ajit Basrur]

Could I know what would be the HIPAA requirements for a medical device specification developer?

Thank you!

 

[Marc]

I would think that data security would be the main aspect Summary of the HIPAA Security Rule

 

[Ajit Basrur]

Thanks Marc.

I was reviewing 190-Who must comply with HIPAA privacy standards and find that HIPAA privacy standards apply only to the below ... so wanted to know the scope for a medical device specification developer who is not identified below.

Who must comply with HIPAA privacy standards?
Answer:
As required by Congress in HIPAA, the Privacy Rule covers:

• Health plans
• Health care clearinghouses
• Health care providers who conduct certain financial and administrative transactions electronically. These electronic transactions are those for which standards have been adopted by the Secretary under HIPAA, such as electronic billing and fund transfers

 

[Marc]

It may not call out medical device specification developers specifically, but it doesn't take much imagination to 'assume' that any medical device that data can be exported from would have to address security risks.

As you know it's far afield of my areas of expertise so I was just throwing out a thought. I know that it's a big issue to health care providers. Health software (e.g.: Epic) is being heavily scrutinized these days.

 

[mihzago]

HIPAA applies to all Business Associates, so if you are a developer working for a company that provides services to a Covered Entity (e.g. hospital, doctors office, etc.) and your services include for example processing or storing PHI, then there are a number of requirements you have to comply with. In particular I would look at the Security Rule, which contains requirements for Administrative, Physical and Technical Safeguards.

 

[akp060]

HIPAA applies to all Business Associates, so if you are a developer working for a company that provides services to a Covered Entity (e.g. hospital, doctors office, etc.) and your services include for example processing or storing PHI, then there are a number of requirements you have to comply with. In particular I would look at the Security Rule, which contains requirements for Administrative, Physical and Technical Safeguards.

But wouldn't that be applicable only if there is BAA between these two entities? Can you please throw some light on these things are carried out? As in if I am a developer storing, processing and PHI through a cloud service provide (CSP) and also having access to the PHI at back-end, but having a BAA with the CSP, will I be considered as a Business Associate and how likely is it that the covered entity will require me to execute a BAA with them?

 

[mihzago]

Any CA that uses a third party to do any processing on PHI must have a BAA with that third party, otherwise they're out of compliance with HIPAA, which can lead to big fines.
Search these article titles to read some examples (I can only post one direct link):
- Lack-of-business-associate-agreement-leads-to-750000-HIPAA-fine
- ocr-announces-fine-for-lack-of-baa-and-failure-to-terminate-former-employees-access-to-phi/
- Florida contractor physicians' group shares protected health information with unknown vendor without a business associate agreement - December 4, 2018
- No Business Associate Agreement? $31K Mistake – April 20, 2017

So, yes, you are considered a BA, even if the CA you work with is stupid enough not to have a BAA with you.
You could also be liable if you don't implement appropriate protections:
Liability of Business Associates for HIPAA Penalties | Holland & Hart Health Law Blog

 

[Tidge]

Could I know what would be the HIPAA requirements for a medical device specification developer?

(emphasis added by myself)

It is not in my nature to completely separate the development of specifications and the development of the software product, but I will do my best.

The software specifications should at least include:

Accessibility: There are multiple dimensions to this, but access to Patient Health Information (PHI) needs to be strictly limited to authorized persons identified by the responsible organization. Shifting to the software implementation - the software cannot include elements of the design which allow the developer to get into the system/database (no back-doors, no master passwords). The specifications ought to include requirements for multi-factor authentication and possibly a mechanism which restricts access to the system to only specified locations. Multi-factor handshaking protocols and/or encryption may be useful when distributing the PHI between different systems.

Confidentiality: Under no circumstances should any element of PHI be visible except to authorized persons. This includes patient names. It is possible to design databases in such a way that the most user-facing information (e.g. the key to individual records) is not identifiable as an individual. Encryption methodologies can also be specified on this front.

I recommend including detailed specifications for audit trails which record every access of the PHI records, beyond just the creation and modification of the records. The audit trails aren't going to reduce the risk related to Accessibility/Confidentiality but they will provide a mechanism to assess the effectiveness of those controls in an implemented system.

 

[mihzago]

Thanks Marc.

I was reviewing 190-Who must comply with HIPAA privacy standards and find that HIPAA privacy standards apply only to the below ... so wanted to know the scope for a medical device specification developer who is not identified below.

The HITECH Act expanded the law to also include Business Associates to comply with applicable HIPAA requirements.

 

[tantepetunia]

Hi Team,

What are the legal requirements regarding data retention (PHI,PII,server log file) in the USA, Canada and Europe. Probably stated in PIPEDA, GDPR, or HIPAA but can't found a satisfying response.

Regards,