LINKING HEALTH DATA TO PERSONAL IDENTIFIERS BRINGS HIPAA INTO PLAY
THE LINE BETWEEN COLLECTION AND IDENTIFICATION IS THE KEY FOR LIFE SCIENCES
In contrast to the variety and individuality of the requirements that organizations have to comply with in the FDA’s regulatory environment, HIPAA (and the related ACA and HITECH legislation) has a single focus and limited compliance requirements. As it impacts your information management strategy, HIPAA has two “simple” mandates: protect patient/consumer personal healthcare data, and ensure that the individual the data belongs to can access it. The typical problem is not “what to do” but “do I have to?”. Many organizations are caught by surprise when they find out that, based on their product, they are required to comply with HIPAA and the HITECH act.
The general rule of thumb is that if you have provided a service or product to an individual that collects data on their activities, and this information can be connected directly to the consumer/patient via name or some other unique identifier, then you are bound by HIPAA’s information security directives (mainly HIPAA 5010 and HITECH). If the service or product is intended to change the consumer’s health, then you are also bound by HIPAA’s marketing guidance (see 45 CFR 164 for details), which limits the communications you may send for the purpose of upselling to individuals.
What isn’t clear from either FDA or HIPAA is the line between consumer personal improvement (e.g. Fitbit’s step goal) and medical advice (e.g. a link between step goals and diabetes risk). Life science companies that collect an individual’s information directly should ensure that their information security processes can stand up to a HIPAA audit. Health and Human Services has been clear that any organization handling “patient” information should expect an audit. The final report by the Office of the Inspector General specifically called for increased audits to reduce the number of breaches and the ineffectual governance seen in the pilot program.
UNDERSTAND YOUR VENDOR AND PARTNER RELATIONSHIPS TO KNOW YOUR RISK ENVELOPE
For pharmaceutical and biotech companies, HIPAA’s information security directives are largely limited to clinical trials and programs, such as some cost waiver programs, that provide direct interaction between individual consumers and companies. Note that the Centers for Medicare and Medicaid Services (CMS) is the main auditor for these drug supply programs, rather than Health and Human Services, which is in charge of HIPAA information security audits.
Where the HIPAA rules change is when a life sciences company has a business associate agreement (BAA) with an organization that directly collects consumer/patient information. A BAA is a letter of understanding that the company may have access to personal identifiers and, as such, the business associate (BA) will handle all information on the assumption that HIPAA-regulated information is being passed between the two organizations. For life science companies, HIPAA compliance has the same technical requirements as 21 CFR part 9. This means that FDA compliance and HIPAA compliance are, from a technical perspective, the same. It is the details that differ.
For life science companies that are HIPAA-regulated and have partners that have signed BAAs, compliance must be verified, not assumed. This means that, as part of your compliance practice, you should have vendor management and partner management processes that confirm each partner has made its best effort to reduce the potential for breaches of the patient/consumer information in its possession.
Similar to complying with FDA regulations, the key is ensuring that the business rules by which your organization runs are repeatable, auditable, and treated as part of a record management process.
OVERVIEW OF THE INFORMATION SECURITY SECTIONS OF THE HIPAA OMNIBUS
HIPAA is a complex, multi-part document dealing with everything from patient-physician relationships to billing for services. Typically, it is broken into three main parts: privacy, security, and shareability. As with the FDA regulations, the HIPAA regulations are codified in the CFR at 45 CFR.
The basic tenets, as they apply to information management, are laid out in part 165 section 308. As with all regulations, it is complicated. The key is that ISO 9000 and ISO 27001 provide an excellent framework for managing your information risk for both HIPAA and FDA.
WHAT IS THE ROLE OF TECHNOLOGY IN MANAGING THESE REQUIREMENTS?
The technical requirements outlined above are a small subset of the features that any Enterprise Content Management (ECM) software system has out-of-the-box.
Here at ThinkDox, we believe that Laserfiche provides an excellent platform to stay FDA- and HIPAA-compliant. The DoD 5015.2 certification means it has the audit control and basic information safety that is required for any country’s regulations. The integrated workflow and forms modules provide process controls that surpass any EMR or clinical trials management software. As part of the implementation, you can expect us to build your processes and retention rules based on both best practices and your practices.
We complement the software package with our services. This provides you with continual support as you improve your information management practices and align your platform and processes.