Over the past few years, the behavioral health industry has seen a number of exciting advancements to medical device technology that could prove revolutionary for delivering quality treatment to their patients. Between wearable mHealth devices, neurostimulators, and more, this is an exciting time to invest in new behavioral health technologies. However, when it comes to medical device HIPAA compliance, how can behavioral health professionals know if the data they are collecting is being kept private and secure?
The Food and Drug Administration (FDA) has published guidance to help educate providers about appropriately and responsibly sharing protected health information (PHI) collected using medical devices. PHI is any demographic information transmitted, received or maintained in any medium that can be used to personally identify a patient. Common examples of PHI include a patient’s name, address, phone number, email address, Social Security number, insurance ID number, and any part of a medical record, to name a few.
If patients request copies of information that was recorded or stored on a device, the guidance states that providers have the right to share PHI with the individual who made the request.
Patients continue to play an active role in their own healthcare, and the FDA is well aware of this involvement. This guidance was created to help medical device users share that information properly.
So as per this FDA guidance, behavioral health providers are permitted to share patient information that is collected using medical devices. However, the FDA expresses that their guidance does not institute any legally enforceable actions, nor does it impact any federal, state or local laws. That includes HIPAA and the HIPAA Privacy Rule.
So the question now becomes: how can behavioral health providers ensure that the data they share with patients using medical devices is HIPAA compliant?
Medical Devices and HIPAA Compliance
HIPAA regulation considers healthcare providers, such as behavioral health providers, as covered entities. Covered entities are defined as any individual or organization directly involved in the transmission of PHI. This transmission can be in the form of payment, treatment or operation.
As per HIPAA regulation, covered entities must address HIPAA privacy standards that specifically outline how and when providers may grant their patients access to copies of their PHI. That includes any data that is collected by medical devices. HIPAA compliance requires that patients who request information are granted access to their PHI, with the exception of psychotherapy notes, data not related to treatment, or data that is being collected as part of criminal or administrative proceedings.
Additionally, all behavioral health practitioners who are using medical devices in their treatment should have a medical device policy in place. This policy should account for which employees within your organization have access to which devices, where devices are stored, user access controls, and how logs are kept monitoring the use of each device.
If you need assistance with HIPAA compliance, consider working with our TBHI affiliate, the HIPAA Compliancy Group. (When you purchase services from them, TBHI will be paid a small commission.) They can help you support your HIPAA compliance with The Guard®. The Guard is a web-based HIPAA compliance solution, built by former auditors to help simplify compliance. The Guard is built to address the HIPAA regulations, including guided walkthroughs of HIPAA Risk Assessments. With The Guard, you can focus on running your practice while keeping your patients’ data protected and secure.Compliancy Group’s team of expert Compliance Coaches® can also field questions and guide you through the implementation process, taking the stress out of managing compliance. Find out more about how Compliancy Group and the HIPAA Seal of Compliance® can help simplify your HIPAA compliance today!
Cyber Security: Top 5 Things You Can Do Tomorrow Morning to Protect Your Practice and Your Clients/Patients
Ransomware hackers attack smaller healthcare practices daily, creating serious data breaches and HIPAA violations. Are you and your clients/patients vulnerable, too?
Social Media and HIPAA Compliance: Protecting Your Practice in the Digital Age
Managing social media use and HIPAA compliance can lead to some of the most common misunderstandings faced by healthcare providers. Improperly trained employees can expose your organization to HIPAA violations and costly fines!
Disclaimer: The views and opinions expressed in the article and on this blog post are those of the authors. These do not necessarily reflect the views, opinions, and position of the Telebehavioral Health Institute (TBHI). Any content written by the authors are their opinion and are not intended to malign any organization, company or individuals.