Although physicians may not be involved with the cybersecurity of medical devices, they are still obligated to comply with HIPAA and the HITECH Act.
The Food and Drug Administration (FDA) has drafted new guidance related to medical device cybersecurity and the relationship with HIPAA.
Building on previous writings from 2014, the FDA issued an updated draft guidance Oct. 18, 2018, entitled Content of Premarket Submissions for Management of Cybersecurity in Medical Devices – Draft Guidance for Industry and Food and Drug Administration Staff.
The guidance defines cybersecurity as “the process of preventing unauthorized access, modification, misuse or denial of use, or the unauthorized use of information that is stored, accessed, or transferred from a medical device to an external recipient.” Translated into “HIPAA language,” this requires that the availability and integrity of the device, and of its data, remain intact.
The broad scope of the guidance encompasses FDA medical device premarket submissions for effective cybersecurity risk management, continued cybersecurity management to reduce the risk of physical harm to patients, and satisfying HIPAA requirements.
While not binding at the moment, the guidance is important because it references laws that are already in effect. The guidance incorporates HIPAA’s Privacy Rule, Security Rule, and Breach Notification Rule, as well as the Federal Food, Drug, and Cosmetic Act (and related laws, e.g., the Medical Device Amendments of 1976) for its misbranding and labeling provisions.
The guidance identifies two types of devices, Tier 1 and Tier 2. Tier 1 devices are said to carry a higher cybersecurity risk and must meet two criteria set out in the guidance.
Tier 1 devices include pacemakers, brain stimulators, and nerve stimulators. These examples make sense given which parts of the body the devices act on and what a compromise of the device could do to the patient.
By way of contrast, a Tier 2 device is “[a] medical device for which the criteria for a Tier 1 device are not met.” This includes an electronic device that creates, receives, maintains, or transmits protected health information (PHI) or is used in medical treatment but does not impact a body part vital to life.
The guidance recommends following the publications of the National Institute of Standards and Technology (NIST) and the Federal Information Processing Standards (FIPS). This should not come as a surprise for two reasons. First, federal agencies are required to use these standards internally. Second, both NIST publications and FIPS are expressly referenced in a variety of laws and regulations, including the HIPAA Final Omnibus Rule.
There is a specific section in the guidance entitled Maintain Confidentiality of the Data. In it, the FDA ties the obligations between a covered entity and its business associates to maintaining data confidentiality, and makes clear that confidentiality falls under the HIPAA umbrella rather than under the guidance itself. The guidance states:
For the purposes of this guidance, other harms such as loss of confidential PHI are not considered patient harms. Although protecting the confidentiality of PHI is beyond the scope of this document, it should be noted that manufacturers and/or other entities, depending on the facts and circumstances, may be obligated to protect the confidentiality, integrity, and availability of PHI throughout the product lifecycle in accordance with applicable federal and state laws, including HIPAA.
Therefore, while physicians may not be involved with the cybersecurity of the device, they are still obligated to comply with HIPAA and the HITECH Act. Several requirements follow: a HIPAA Authorization, which gives patients notice and must be obtained before their PHI is sold to a pharmaceutical company or medical device manufacturer; a comprehensive annual Risk Assessment; and a Business Associate Agreement with each vendor that handles PHI. Physicians should also do their due diligence on device and service companies in relation to those entities’ compliance with the FDA, HIPAA, and the HITECH Act.
Rachel V. Rose, JD, MBA, advises clients on compliance and transactions in healthcare, cybersecurity, corporate and securities law, while representing plaintiffs in False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston. Rachel can be reached through her website, www.rvrose.com.