Need help to understand HIPAA requirements

Ajit Basrur

Staff member
Admin
#3
Thanks Marc.

I was reviewing 190-Who must comply with HIPAA privacy standards and find that HIPAA privacy standards apply only to the below ... so wanted to know the scope for a medical device specification developer who is not identified below.

Who must comply with HIPAA privacy standards?
Answer:
As required by Congress in HIPAA, the Privacy Rule covers:
  • Health plans
  • Health care clearinghouses
  • Health care providers who conduct certain financial and administrative transactions electronically. These electronic transactions are those for which standards have been adopted by the Secretary under HIPAA, such as electronic billing and fund transfers
 

Marc

Hunkered Down for the Duration
Staff member
Admin
#4
It may not call out medical device specification developers specifically, but it doesn't take much imagination to 'assume' that any medical device that data can be exported from would have to address security risks.

As you know it's far afield of my areas of expertise so I was just throwing out a thought. I know that it's a big issue to health care providers. Health software (e.g.: Epic) is being heavily scrutinized these days.
 

mihzago

Trusted Information Resource
#5
HIPAA applies to all Business Associates, so if you are a developer working for a company that provides services to a Covered Entity (e.g. hospital, doctors office, etc.) and your services include for example processing or storing PHI, then there are a number of requirements you have to comply with. In particular I would look at the Security Rule, which contains requirements for Administrative, Physical and Technical Safeguards.
 

akp060

Involved In Discussions
#6
HIPAA applies to all Business Associates, so if you are a developer working for a company that provides services to a Covered Entity (e.g. hospital, doctors office, etc.) and your services include for example processing or storing PHI, then there are a number of requirements you have to comply with. In particular I would look at the Security Rule, which contains requirements for Administrative, Physical and Technical Safeguards.
But wouldn't that be applicable only if there is a BAA between these two entities? Can you please throw some light on how these things are carried out? As in, if I am a developer storing, processing and PHI through a cloud service provider (CSP) and also having access to the PHI at the back-end, but having a BAA with the CSP, will I be considered a Business Associate, and how likely is it that the covered entity will require me to execute a BAA with them?
 

mihzago

Trusted Information Resource
#7
Any CA that uses a third party to do any processing on PHI must have a BAA with that third party, otherwise they're out of compliance with HIPAA, which can lead to big fines.
Search these article titles to read some examples (I can only post one direct link):
- Lack-of-business-associate-agreement-leads-to-750000-HIPAA-fine
- ocr-announces-fine-for-lack-of-baa-and-failure-to-terminate-former-employees-access-to-phi/
- Florida contractor physicians' group shares protected health information with unknown vendor without a business associate agreement - December 4, 2018
- No Business Associate Agreement? $31K Mistake – April 20, 2017

So, yes, you are considered a BA, even if the CA you work with is stupid enough not to have a BAA with you.
You could also be liable if you don't implement appropriate protections:
Liability of Business Associates for HIPAA Penalties | Holland & Hart Health Law Blog
 

Tidge

Involved In Discussions
#8
Could I know what would be the HIPAA requirements for a medical device specification developer?
(emphasis added by myself)

It is not in my nature to completely separate the development of specifications and the development of the software product, but I will do my best.

The software specifications should at least include:

Accessibility: There are multiple dimensions to this, but access to Patient Health Information (PHI) needs to be strictly limited to authorized persons identified by the responsible organization. Shifting to the software implementation - the software cannot include elements of the design which allow the developer to get into the system/database (no back-doors, no master passwords). The specifications ought to include requirements for multi-factor authentication and possibly a mechanism which restricts access to the system to only specified locations. Multi-factor handshaking protocols and/or encryption may be useful when distributing the PHI between different systems.

Confidentiality: Under no circumstances should any element of PHI be visible except to authorized persons. This includes patient names. It is possible to design databases in such a way that the most user-facing information (e.g. the key to individual records) is not identifiable as an individual. Encryption methodologies can also be specified on this front.

I recommend including detailed specifications for audit trails which record every access of the PHI records, beyond just the creation and modification of the records. The audit trails aren't going to reduce the risk related to Accessibility/Confidentiality but they will provide a mechanism to assess the effectiveness of those controls in an implemented system.
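Added example, not code from the thread or any poster: a minimal Python sketch of the three points above, an explicit authorization check, opaque record keys that carry no patient identity, and an audit trail that records reads as well as creation, plus a report over the trail that a reviewer could use to assess the controls. All names, the user list and the sample record are hypothetical.

```python
import secrets
from datetime import datetime, timezone


class PHIStore:
    """Minimal PHI store: opaque keys, explicit authorization, full audit trail."""

    def __init__(self, authorized_users):
        self._records = {}                 # opaque key -> PHI dict
        self._authorized = set(authorized_users)  # set by the responsible organization
        self.audit = []                    # one event per access attempt, reads included

    def _log(self, user, action, key, outcome):
        self.audit.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user, "action": action, "record": key, "outcome": outcome,
        })

    def create(self, user, record):
        if user not in self._authorized:
            self._log(user, "create", None, "denied")
            raise PermissionError(user)
        key = secrets.token_hex(16)        # random: reveals nothing about the patient
        self._records[key] = dict(record)
        self._log(user, "create", key, "ok")
        return key

    def read(self, user, key):
        # Reads are logged too; a trail limited to create/modify would miss them.
        if user not in self._authorized:
            self._log(user, "read", key, "denied")
            raise PermissionError(user)
        if key not in self._records:
            self._log(user, "read", key, "missing")
            raise KeyError(key)
        self._log(user, "read", key, "ok")
        return dict(self._records[key])


def access_report(audit):
    """Summarise the trail: successful reads per user and every denied attempt."""
    reads, denied = {}, []
    for e in audit:
        if e["outcome"] == "denied":
            denied.append((e["user"], e["action"]))
        elif e["action"] == "read" and e["outcome"] == "ok":
            reads[e["user"]] = reads.get(e["user"], 0) + 1
    return {"reads_per_user": reads, "denied": denied}
```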
 