Regulatory Open Forum

  • 1.  HIPAA regulatory compliance process

    Posted 03-Mar-2021 12:49
    Dear all,

    Please, I need your advice on the process to help my company (medical device manufacturer) to be HIPAA compliant.

    I've uploaded the rule 45 CFR Part 160 from the HHS website, but I'm still confused about what I have to do as a Regulatory Affairs person to achieve this goal.

    I'm not yet familiar with this requirement.

    Thank you in advance for your help.

    Rgds,

    ------------------------------
    Nadine Adia
    Quebec QC
    Canada
    ------------------------------


  • 2.  RE: HIPAA regulatory compliance process

    This message was posted by a user wishing to remain anonymous
    Posted 03-Mar-2021 16:51

    In both the companies for which I have worked in regulatory affairs, I have only been involved in regulatory aspects related to HEALTH AUTHORITIES. Compliance with HIPAA, enforced by other aspects of the government, has been managed by privacy officers, legal, and others. Further, I've never seen RAPS get into that content either.


  • 3.  RE: HIPAA regulatory compliance process

    Posted 04-Mar-2021 07:59
    Hi Nadine,

    My comment is more directed to the response you got that it has not been a regulatory issue and RAPS has never gotten into the content. Both MDR and ISO 13485 address confidential health information, so in our organization that means regulatory is involved with protecting confidential health information.

    Specifically, in ISO 13485:2016, Section 4.2.5 Control of Records: The organization shall define and implement methods for protecting confidential health information contained in records in accordance with the applicable regulatory requirements.

    In the US, you are exactly correct, that would be HIPAA.

    Best regards,

    ------------------------------
    D Michelle Williams
    VP - Operations
    United States
    ------------------------------



  • 4.  RE: HIPAA regulatory compliance process

    Posted 04-Mar-2021 11:18
    Watch this feature interview from the Association of Clinical Research Professionals TV recorded on 26Feb2021 regarding HIPAA compliance. 


    ------------------------------
    Aldwin Aldana
    Director, Clinical QA and GxP Compliance
    Cambridge MA
    United States
    ------------------------------



  • 5.  RE: HIPAA regulatory compliance process

    Posted 05-Mar-2021 09:11
    Nadine,

    Why does your company need to comply with HIPAA?  If it's a device manufacturer, it is probably not a "covered entity" or "business associate" under HIPAA and therefore the HIPAA regulations do not apply to it (see below). Clearly your company needs to institute protections of the data it receives and holds (e.g. from sites in a clinical trial), but I don't believe HIPAA is the regulation you need to follow (unless for some reason you are a covered entity/business associate).

    § 160.102 Applicability.
    (a) Except as otherwise provided, the standards, requirements, and implementation specifications adopted under this subchapter apply to the following entities: (1) A health plan. (2) A health care clearinghouse. (3) A health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter.
    (b) Where provided, the standards, requirements, and implementation specifications adopted under this subchapter apply to a business associate.

    ------------------------------
    David Jensen PhD, RAC
    Regulatory Affairs Scientist
    Durham NC
    United States
    ------------------------------



  • 6.  RE: HIPAA regulatory compliance process

    Posted 05-Mar-2021 10:16
    I agree that proper protection of clinical trial data is a different matter than HIPAA compliance, but also know that it's not uncommon for medical device manufacturers to be business associates, and thus subject to HIPAA requirements.

    This could happen when a company representative is asked to be present at a case to aid in proper use of the device. Examples include setting operating parameters for a recently implanted cardiac rhythm device or support for proper operation of a complex device introducer.

    Hope that is helpful!

    Best regards,

    Ted

    --
    Theodore (Ted) Heise, PHD, RAC
    Vice President Regulatory and Clinical Services
    MED Institute Inc.
    1330 Win Hentschel Blvd.
    West Lafayette, IN  47906-4149 USA
    765.463.1633 ext. 4444
    http://medinstitute.com
    theise@medinstitute.com



  • 7.  RE: HIPAA regulatory compliance process

    Posted 08-Mar-2021 09:53
    Dear all,

    Thank you so much for your helpful feedback.
    Indeed, we are a custom-made medical device manufacturer and we generally use patient information to work and, as @Ted Heise said, we also sometimes have a representative present at a case to aid in proper use of the device during the surgery.

    My question follows an ISO 13485:2016 audit, specifically Section 4.2.5 Control of Records, as explained by @D Michelle Williams.

    Is HIPAA a self-certified process, or is there a company (e.g., FDA) that is authorized for certification?

    Thank you.
    Rgds,

    ------------------------------
    Nadine Adia
    Quebec QC
    Canada
    ------------------------------



  • 8.  RE: HIPAA regulatory compliance process

    This message was posted by a user wishing to remain anonymous
    Posted 08-Mar-2021 13:38

    As someone who has worked in both Regulatory and Legal departments, I really think this subject matter is better off in a Legal department. If you don't have enough resources for your Legal department to own it, you should at least have them review and consider whether outside counsel is needed or not. This covers issues that those of us trained in Regulatory might not identify as well.


  • 9.  RE: HIPAA regulatory compliance process

    Posted 08-Mar-2021 13:46
    Thanks, anonymous, it's clear.

    ------------------------------
    Nadine Adia
    Quebec QC
    Canada
    ------------------------------