According to Verizon’s Data Breach Investigations Report – 2020, data breach incidents in the healthcare vertical have risen to 521 from 304 in 2019. Because of the rising threats and attacks on connected medical devices, healthcare professionals are now emphasizing security measures that safeguard patient data. HIPAA gives healthcare service providers guidelines on how to protect and use this vital Patient Health Information (PHI).
Purpose of HIPAA Compliance in Medical Devices
HIPAA compliance aids in the safe creation, receipt, maintenance, and transmission of PHI between hospitals and medical service providers. The compliance serves two purposes: first, it identifies which patient information must be protected, whether in transit or at rest, and second, it sets out best practices for handling patients’ personal health information. PHI may include lab results, imaging reports, insurance details, diagnoses, and billing information. HIPAA guidelines apply to everyone who handles Electronic Protected Health Information (ePHI), including doctors, hospitals, healthcare providers, and clearinghouses. Let’s look at this in a little more detail.
Covered Entity, Business Associate and Business Associate Agreement
Covered Entity (CE): An entity that handles patient data and transmits it electronically. CEs typically include hospitals, research organizations, medical service providers, and insurance organizations.
Business Associate (BA): An entity that performs activities on behalf of a CE and provides the services of creating, receiving, maintaining, and transmitting ePHI. Solution providers, cloud service providers, engineering services firms, sub-contractors, and quality management consultants are typically BAs.
Business Associate Agreement: It is a legal contract between the business associate and the covered entity. This includes the PHI that the business associates may access, how they can utilize the data, and terms about returning or discarding the data upon task completion.
Following its formalization in the US in 1996, HIPAA has been amended four times to protect PHI in the areas of security, privacy, breach notification, and omnibus regulations. You should consider various HIPAA compliance touchpoints if you are developing a connected medical device solution for a covered entity that will be used in administrative care across a wider healthcare canvas. A solution developer may face significant challenges during implementation, such as managing large amounts of data, meeting security compliance requirements, lack of domain knowledge, and differing development platforms and infrastructure.
Let us look at the key HIPAA compliance touchpoints in the connected medical device product development ecosystem.
1. HIPAA security rule – protecting the patient data
This rule addresses safeguarding patient data while in transit and at rest. This security standard for the protection of ePHI applies to the systems and the individuals that access patient data. Role-based Access Control (RBAC) is useful for defining the access levels granted to the users and systems that interact with ePHI.
Technical safeguard of the system
Technical safeguards are the technologies used to protect ePHI. The data must be encrypted using NIST-approved algorithms while it is transmitted from the hospital premises to the cloud.
Access control, firewall, and logging
- PHI access by only authorized users
- Least privileged access model and different access policies for different user categories
- Authenticate each user’s identity and confirm that the account is still valid before granting access
- Periodic procedures for auditing and reviewing the access data lists
- Logging of every PHI access and every modification of the information
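The RBAC model and the access-control list above can be turned into a small enforcement gate: every role is granted only the (resource, action) pairs it needs, anything not listed is denied, and every decision, allowed or denied, is written to an audit trail that carries the user, role, source IP and MFA state. The following is an added example written for this article; it is not eInfochips code, and the role names, resource types, the rule that ePHI writes require MFA, and the record layout are assumptions made for the demonstration.

```python
"""Deny-by-default RBAC gate for ePHI with an audit trail (added example).

Role names, resources, the "writes need MFA" rule and the record layout are
assumptions for this demonstration, not a real device's policy.
"""
import json
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List, Tuple

# Least-privilege role model (constructed): each role gets only the actions it
# needs. There is no wildcard; a billing clerk cannot read lab results.
ROLE_PERMISSIONS: Dict[str, FrozenSet[Tuple[str, str]]] = {
    "physician": frozenset({("lab_result", "read"), ("lab_result", "write"),
                            ("diagnosis", "read"), ("diagnosis", "write")}),
    "nurse": frozenset({("lab_result", "read"), ("diagnosis", "read")}),
    "billing": frozenset({("billing", "read"), ("billing", "write"),
                          ("insurance", "read")}),
    "device_service": frozenset({("device_config", "read"),
                                 ("device_config", "write")}),
}

# Constructed PHI store: (resource, record_id) -> value.
PHI_STORE: Dict[Tuple[str, str], str] = {("lab_result", "rec-001"): "HbA1c 6.1%"}

# Audit log, one JSON object per line. Denials are logged as well, because
# the periodic access review needs to see attempted unauthorized access.
AUDIT_LOG: List[str] = []


def _audit(user, role, resource, action, allowed, record_id, source_ip, mfa):
    event = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user, "role": role, "resource": resource, "action": action,
        "record_id": record_id, "allowed": allowed,
        "source_ip": source_ip, "mfa": mfa,
    }
    AUDIT_LOG.append(json.dumps(event, sort_keys=True))


def audit_events() -> List[Dict]:
    """Parsed view of the audit trail, for review tooling or tests."""
    return [json.loads(line) for line in AUDIT_LOG]


def authorize(user, role, resource, action, record_id, source_ip, mfa) -> bool:
    """Return True if `role` may perform `action` on `resource`.

    Unknown roles and unlisted (resource, action) pairs are refused. A write
    to ePHI without MFA is refused even for an otherwise-permitted role
    (assumed policy). Every decision is audited.
    """
    perms = ROLE_PERMISSIONS.get(role, frozenset())
    allowed = (resource, action) in perms
    if allowed and action == "write" and not mfa:
        allowed = False
    _audit(user, role, resource, action, allowed, record_id, source_ip, mfa)
    return allowed


def access_phi(user, role, resource, action, record_id, source_ip, mfa, store):
    """Read or update one PHI record, but only through authorize()."""
    if not authorize(user, role, resource, action, record_id, source_ip, mfa):
        raise PermissionError(f"{role} may not {action} {resource}")
    key = (resource, record_id)
    if action == "read":
        return store.get(key)
    store[key] = f"updated by {user}"
    return store[key]


if __name__ == "__main__":
    print(access_phi("dr_lee", "physician", "lab_result", "read",
                     "rec-001", "10.0.0.5", True, PHI_STORE))
    try:
        access_phi("clerk", "billing", "lab_result", "read",
                   "rec-001", "10.0.0.9", True, PHI_STORE)
    except PermissionError as exc:
        print("denied:", exc)
    for line in AUDIT_LOG:
        print(line)
```

The point of routing every read and write through `authorize()` is that the audit trail is produced by the same code path that makes the decision, so an access that bypasses the log is impossible by construction rather than by convention.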
Physical safeguard of the system
The physical safeguard in HIPAA focuses on physical access to the medical device where ePHI is stored. This covers on-premises data storage as well as data transmitted to cloud or central storage and held at the data centre. An on-premises access control solution can prevent unauthorized physical access to the medical device. The device should also be protected against tampering, theft, and DDoS attacks.
Administrative safeguard of the system
The administrative safeguard in HIPAA focuses on risk analysis and audit controls over procedures and policies. To support regular audit controls, medical devices should provide the required information on logins, security events, breach incidents, any unauthorized access, and any anomaly in ePHI. The device should log and retain every configuration update together with its configuration history, along with sign-ins, source IP addresses, and multi-factor authentication events, so that reviewers can identify who changed what, and from where.
HIPAA also mandates a contingency plan for disasters. The key provisions for the medical system, such as availability, reliability, backup, disaster recovery, and security, should be configured to address HIPAA concerns. Where a business associate provides consulting or services, Service Level Agreements (SLAs) should be defined between the covered entity and the business associate to meet the specific business expectations.
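The periodic access review called for under the access-control list, and the audit-control evidence described in this paragraph, both need something to read the device's log and surface what a reviewer should look at: sign-ins without MFA, repeated failed sign-ins from one source IP, denied ePHI access attempts, and configuration changes made by a role that should not be changing device configuration. The following is an added example, not eInfochips code; the log format (one JSON object per line with the fields shown in `SAMPLE_LOG`), the review rules, the threshold of three failed sign-ins, and the `device_service` role are all assumptions made for the demonstration.

```python
"""Periodic review of a device audit log (added example, not eInfochips code).

The one-JSON-object-per-line format, the review rules and the roles named
here are assumptions for this demonstration.
"""
import json
from collections import Counter
from typing import Dict, List

# Assumed policy: only this role may change device configuration.
CONFIG_CHANGE_ROLES = {"device_service"}

# Constructed sample log: a clean sign-in, a sign-in without MFA, three failed
# sign-ins from one external address, a denied ePHI read, an allowed read,
# and a TLS downgrade made by a nurse account.
SAMPLE_LOG = """\
{"ts":"2021-03-01T08:00:01Z","event":"signin","user":"dr_lee","source_ip":"10.0.0.5","mfa":true,"success":true}
{"ts":"2021-03-01T08:00:10Z","event":"signin","user":"clerk","source_ip":"10.0.0.9","mfa":false,"success":true}
{"ts":"2021-03-01T08:01:00Z","event":"signin","user":"dr_lee","source_ip":"203.0.113.7","mfa":true,"success":false}
{"ts":"2021-03-01T08:01:05Z","event":"signin","user":"dr_lee","source_ip":"203.0.113.7","mfa":true,"success":false}
{"ts":"2021-03-01T08:01:09Z","event":"signin","user":"nurse_kim","source_ip":"203.0.113.7","mfa":true,"success":false}
{"ts":"2021-03-01T08:05:00Z","event":"phi_access","user":"clerk","role":"billing","resource":"lab_result","action":"read","record_id":"rec-001","allowed":false}
{"ts":"2021-03-01T08:06:00Z","event":"phi_access","user":"dr_lee","role":"physician","resource":"lab_result","action":"read","record_id":"rec-001","allowed":true}
{"ts":"2021-03-01T08:07:00Z","event":"config_update","user":"nurse_kim","role":"nurse","key":"tls_min_version","old":"1.2","new":"1.0"}
"""


def parse_log(text: str) -> List[Dict]:
    """Parse JSON lines; a malformed line becomes an event of its own rather
    than being silently dropped, since a gap in the audit trail is a finding."""
    events = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            events.append({"event": "malformed", "line": n, "raw": line})
    return events


def review_audit_log(text: str, failed_signin_threshold: int = 3) -> List[Dict]:
    """Return a list of findings, each a dict with a "kind" field."""
    findings: List[Dict] = []
    failed_by_ip: Counter = Counter()
    for ev in parse_log(text):
        kind = ev.get("event")
        if kind == "malformed":
            findings.append({"kind": "malformed_log_line", "line": ev["line"]})
        elif kind == "signin":
            if ev.get("success") and not ev.get("mfa"):
                findings.append({"kind": "signin_without_mfa",
                                 "user": ev["user"], "source_ip": ev["source_ip"]})
            if not ev.get("success"):
                failed_by_ip[ev["source_ip"]] += 1
        elif kind == "phi_access" and not ev.get("allowed"):
            findings.append({"kind": "denied_phi_access", "user": ev["user"],
                             "role": ev.get("role"), "resource": ev["resource"],
                             "action": ev["action"]})
        elif kind == "config_update" and ev.get("role") not in CONFIG_CHANGE_ROLES:
            # The logged old/new pair is the configuration history the
            # reviewer needs to judge the change (here a TLS downgrade).
            findings.append({"kind": "config_change_by_unexpected_role",
                             "user": ev["user"], "role": ev.get("role"),
                             "key": ev["key"], "old": ev.get("old"),
                             "new": ev.get("new")})
    for ip, count in failed_by_ip.items():
        if count >= failed_signin_threshold:
            findings.append({"kind": "repeated_failed_signins",
                             "source_ip": ip, "count": count})
    return findings


def summarize(findings: List[Dict]) -> Counter:
    """Count findings per kind, for a review summary."""
    return Counter(f["kind"] for f in findings)


if __name__ == "__main__":
    found = review_audit_log(SAMPLE_LOG)
    for f in found:
        print(f)
    print(dict(summarize(found)))
```

Run as a scheduled job against the exported log, the summary counts give the reviewer the "anything new since last review" view, while the individual findings keep the user, address and record references needed to follow up on an unauthorized access.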
2. HIPAA privacy rule – using and sharing the patient data
While the security rule outlines the required safeguards for ePHI, the privacy rule defines how ePHI is used and shared. It specifies how and when ePHI may be used or released, as well as the information flow between the parties involved in providing quality patient care. It also entitles patients to request their information from the covered entity and obtain a copy. Under the HIPAA privacy rule, the covered entity must respond to the patient within 30 days and maintain the logs, with backup data, in the medical system.
3. HIPAA breach notification and omnibus rule
The HIPAA breach notification rule requires covered entities to notify patients about a breach of their ePHI. The notification covers the cause of the breach, the details of the data breached, the unauthorized parties involved, and a mitigation plan.
The omnibus rule adds requirements for covered entities and business associates. It requires updating the BAA with the modifications the omnibus rule introduces, keeping newly signed copies to stay compliant, and refreshing the privacy policy to reflect the omnibus changes.
Wrapping up
With an increasing number of healthcare solutions being connected and built on the cloud, HIPAA compliance is becoming crucial for healthcare solution providers. We, at eInfochips, help global healthcare customers in their NPI programs by providing engineering services and engaging with them on concept-to-manufacturing efforts. We have strong expertise in medical device development with a deep understanding of process and compliance requirements. We have experience in developing HIPAA-compliant solutions for the diagnostics, patient monitoring, and telehealth solution segments.
Curious to know how our medical device offerings can best suit your business needs? Contact us right away.