Over the past few years, the behavioral health industry has seen a number of exciting advancements to medical device technology that could prove revolutionary for delivering quality treatment to their patients. Between wearable mHealth devices, neurostimulators, and more, this is an exciting time to invest in new behavioral health technologies. However, when it comes to medical device HIPAA compliance, how can behavioral health professionals know if the data they are collecting is being kept private and secure?
The Food and Drug Administration (FDA) has published guidance to help educate providers about appropriately and responsibly sharing protected health information (PHI) collected using medical devices. PHI is any demographic information transmitted, received or maintained in any medium that can be used to personally identify a patient. Common examples of PHI include a patient’s name, address, phone number, email address, Social Security number, insurance ID number, and any part of a medical record, to name a few.
If patients request copies of information that was recorded or stored on a device, the guidance states that providers have the right to share PHI with the individual who made the request.
Patients continue to play an active role in their own healthcare, and the FDA is well aware of this involvement. This guidance was created to help medical device users share that information properly.
So as per this FDA guidance, behavioral health providers are permitted to share patient information that is collected using medical devices. However, the FDA expresses that their guidance does not institute any legally enforceable actions, nor does it impact any federal, state or local laws. That includes HIPAA and the HIPAA Privacy Rule.
So the question now becomes: how can behavioral health providers ensure that the data they share with patients using medical devices is HIPAA compliant?
Medical Device HIPAA Compliance
HIPAA regulation considers healthcare providers, such as behavioral health providers, as covered entities. Covered entities are defined as any individual or organization directly involved in the transmission of PHI. This transmission can be in the form of payment, treatment or operation.
As per HIPAA regulation, covered entities must address HIPAA privacy standards that specifically outline how and when providers may grant their patients access to copies of their PHI. That includes any data that is collected by medical devices. HIPAA compliance requires that patients who request information are granted access to their PHI, with the exception of psychotherapy notes, data not related to treatment, or data that is being collected as part of criminal or administrative proceedings.
Additionally, all behavioral health practitioners who are using medical devices in their treatment should have a medical device HIPAA Compliance policy in place. This policy should account for which employees within your organization have access to which devices, where devices are stored, user access controls, and how logs are kept monitoring the use of each device.