The European Union’s General Data Protection Regulation (GDPR), which took effect on May 25, 2018, is often considered one of the world’s toughest laws when it comes to privacy and security. The regulation lays down privacy and security standards, imposing obligations on any and all organizations having an impact on the people of the EU, whether by targeting them or by collecting their data. The regulation is timely: it comes at a time when more and more people are entrusting their personal data to cloud services and breaches are occurring with increasing frequency. The analogue to the GDPR in the US is the U.S. Health Insurance Portability and Accountability Act (HIPAA). While one may assume that neither the GDPR nor HIPAA has any influence on medical devices, that is not the case! HIPAA is a federal law that ‘requires creation of national standards to protect sensitive patient information from being disclosed.’[1]
The US Department of Health and Human Services issued and implemented the Privacy Rule which, read together with HIPAA, addresses the use and disclosure of an individual’s health information. This is the ‘protected health information’ (PHI) to which covered entities are subject. The goal of both laws, among others, is to strike an appropriate balance: to ensure that an individual’s health information is properly protected while allowing the flow of information essential for providing and promoting high-quality healthcare. This flow of information is critical for protecting the public’s health and well-being. The purpose of these laws is to permit the use of information while protecting people’s privacy.
Given how these laws are developing and progressing, they play a primary role in the activities of pharmaceutical companies and medical device companies. Any time a company is involved in the collection of data that concerns health, the GDPR and/or HIPAA is concerned. The GDPR defines “data concerning health” as personal data relating to a person’s physical or mental health and well-being, including services which reveal the person’s health status. In addition, the GDPR also grants the right to be forgotten, which refers to “the ability of individuals to limit, de-link, delete, or correct the disclosure of personal information on the internet that is misleading, embarrassing, irrelevant, or anachronistic.”[2] All software privacy and security rules stipulate consent and access to personal records, which, together with the right to be forgotten, introduces an indispensable obligation on software (including software as a medical device) to support deletion of records. When it comes to HIPAA, the law provides “portability of insurance between employers, standard transaction codes to improve accountability, and safeguarding of individually identifiable health information for patient privacy.”[3] Of these three elements, privacy has the strongest influence on medical device design. If the device relates to or deals with health information, HIPAA necessitates addressing patient privacy in its design. Protected health information under HIPAA includes any individually identifiable health information that is transmitted or maintained in any form or medium.[4] This identifiable information must be safeguarded against inappropriate disclosures. Such information could include ECG traces, histories of patient drug therapy, data from defibrillators, or bedside patient monitors recording patient information, etc.
As a device manufacturer, the GDPR and HIPAA affect you in at least two ways:
- You must protect identifiable data/health information that comes into your possession;
- You must comply with the requirements laid down by HIPAA and/or the GDPR; this applies not only to the device but also to the organization.
While these laws and regulations lay down what is to be protected, they do not necessarily state the manner in which this protection is to be provided. Manufacturers therefore need to design their own set of policies. Compliance with established standards also requires training personnel on the definitions of protected health information and on how to handle this information. Under the GDPR, a data protection impact assessment is mandated by Article 35 of the regulation; it is designed to evaluate practices, assess risks and define mitigating measures regarding the collection, storage, processing and management of protected health information.
In summary, both the GDPR and HIPAA are designed to enhance privacy and security, which makes them cross paths with the medical device industry in many ways. Regulations such as the GDPR are not confined to a single territory, given that they are enforceable against anybody having an impact on the people of the EU. The topics mentioned above, such as impact assessments, compliance and the right to be forgotten, are only some of the many facets of these laws and regulations. If you are a medical device manufacturer wondering whether you are compliant with the GDPR and/or HIPAA, EMMA International’s team of experts can help! Give us a call at 248-987-4497 or email info@emmainternational.com to see how we can help.
[1] Centers for Disease Control and Prevention, Health Insurance Portability and Accountability Act of 1996 (HIPAA) (last accessed: August 29, 2022). Available at: https://www.cdc.gov/phlp/publications/topic/hipaa.html
[2] Michael J. Kelly and David Satola, The Right to be Forgotten, University of Illinois Law Review (2017).
[3] Medical Device and Diagnostic Industry (July 2003), HIPAA’s Influence on Medical Device Technology. Available at: https://www.mddionline.com/news/hipaas-influence-medical-device-technology
[4] HIPAA Journal (Jan 2022), What is considered protected health information under HIPAA? Available at: https://www.hipaajournal.com/what-is-considered-protected-health-information-under-hipaa/#:~:text=Health%20information%20such%20as%20diagnoses,and%20contact%20and%20emergency%20contact