Does HIPAA apply to your mobile app or biotech venture?

Linking health data to personal identifiers brings HIPAA into play

The line between collection and identification is the key for life sciences

In contrast to the variety and individuality of the requirements that organizations have to comply with FDA’s regulatory environment, HIPAA (and the related ACA and HITECH legislation) has a single focus and limited compliance requirements. HIPAA as it impacts your information management strategy has two “simple” mandates; protect patient/consumer personal health care data and ensure accessibility by the individual to whom the data’s owner. The typical problem is not “what to do” but “do I have to?”, many organizations are caught by surprise when they find they are required, based on their product, to comply with HIPAA and the HITECH act. (HHS and CMS provide a chart to determine if you are bound by HIPAA)

The general rule of thumb is: if you have provided a service (or product) to an individual that collects data on their activities and this information can be connected directly to the consumer/patient via name or some other unique identification then you are bound by HIPAA’s information security directives (mainly HIPAA 5010 and HITECH). If the service (or product) is supposed to be used to change the consumer’s health then you are also bound by HIPAA’s marketing guidance (see 45 CFR 164 for details), which limits the communication you can have for the purposes of altering the ability to upsell individuals.

What isn’t clear from either FDA or HIPAA is the line between consumer personal improvement (e.g. Fitbit’s steps goal) and medical advice (e.g. a linkage between step goals and diabetes risk). Life science companies that collect individual’s information directly should ensure that their information security processes can stand up to a HIPAA audit. Health and Human Service’s has been clear that any organization handling “patient” information should expect an audit. The final report by the Office of the Inspector General specifically called for increased audits to reduce the number of breaches and the ineffectual governance seen in the pilot program (see here for a synopsis and here for the original report).

Understand your vendor and partner relationships to know you risk envelope

For pharmaceutical and biotech companies HIPAA’s information security directives are largely limited to clinical trials and programs such as some cost waiver programs that provide direct interaction between individual consumers and companies. Note that the Center for Medicare and Medicaid (CMS) is main auditor for these drug supply programs rather than Health and Human Services which is in charge of HIPAA information security audits.

Where HIPAA rules changes is when a life sciences company has a business associate agreement “BAAs” with an organization that directly collects consumer/patient information. A BAA is a letter of understanding that the company will have the potential access to personal identifiers and as such the BA will handle all information with the assumption of HIPAA regulated information is being passed between the two organizations. For life science companies the HIPAA compliance aspect has the same technical requirements as 21 CFR part 9. This means that FDA compliance and HIPAA compliance are- from a technical and process perspective- the same, it is the details that are different.

For life science companies that are HIPAA regulated and have partners that have signed BAAs, you must ensure that their compliance. This means that as part of your compliance practice you should have vendor management and partner management processes to ensure that they have made their best effort to ensure to reduce the potential for breaches of patient/consumer information that they have in their possession.

Similar to complying with FDA regulations, the key is ensuring that the business rules by which your organization runs are repeatable, auditable and treated as part of a record management process.

Overview of the information security sections of the HIPAA omnibus

 HIPAA is a complex multi-part document dealing with everything from patient-physician relationships to billing for services. Typically, it is broken into three main parts: Privacy, Security and shareability. As with FDA, the HIPAA regulations are codified and included in CFR as part 45 (you can find it here).

The basic tenets, as it applies to information management are laid out in part 165 section 308. As with all regulations it is complicated. The key is that the ISO 9000 and ISO 27001 provide an excellent framework for managing your information risk for both HIPAA and FDA. 

What is the role of technology in managing these requirements?

The technical requirements outlined above are a small subset of the features that any Enterprise Content Management (ECM) software system has out-of-the-box.

Here at ThinkDox we believe that Laserfiche provides an excellent platform to stay FDA and HIPAA compliant. The DoD 5015.2 certification means it has the audit control and basic information saftey that is required for any countries regulations. The integrated workflow and forms modules provide process controlsd that surpass any EMR or Clinical trials management software. As part of the implementation you can expect us to build your processes and retention rules based on both best practices and your practices.

We compliment the software package with our services. This provides you with continual support as you improve your information management practices and align your platform and processes.