Last week, FDA’s Center for Devices and Radiological Health (CDRH) announced the availability of a Draft Guidance on “Dissemination of Patient-Specific Information from Devices by Device Manufacturers” to clarify that “manufacturers may share patient-specific information recorded, stored, processed, retrieved, and/or derived from a medical device with the patient who is either treated or diagnosed with that specific device.” Draft Guidance at 4 (emphasis added). Beyond that fairly axiomatic statement, however, FDA’s discussion is a little confusing – at least to those of us living in the medical privacy world and feeding on a steady diet of HIPAA regulations. To be clear: the Draft Guidance does not, for the most part, appear to conflict with the HIPAA Privacy Rule. It fails, however, to reference certain HIPAA requirements that, at least on their face, appear relevant here. In fact, FDA does not analyze whether a device manufacturer would even be subject to HIPAA in the first instance and appears to make several assumptions in that regard.
By way of background, the Privacy Rule and Security Rule only apply to a medical device manufacturer (or any other entity) that is otherwise a Covered Entity (CE) or Business Associate (BA). CEs include health plans, healthcare clearinghouses, and health care providers that electronically transmit Protected Health Information (PHI). PHI is “individually identifiable health information held or transmitted by a [CE] or its [BA], in any form or media . . . that relates to the individual’s past, present or future physical or mental health or condition, the provision of health care to the individual, or the past, present, or future payment for the provision of health care to the individual, and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual.” 45 C.F.R. § 160.103.
FDA’s expansive definition of “patient-specific information” in the Draft Guidance appears to be, at least in part, inconsistent with HIPAA’s definition of PHI. See Draft Guidance at 4. In fact, much of the “patient-specific information” appears to center on clinical data – some of which may not be individually identifiable (e.g., “pulse oximetry data, heart electrical activity, and rhythms as monitored by a pacemaker.” Id.). Under HIPAA, that data alone, unless tied to an identifier, would not necessarily constitute PHI.
In any event, generally speaking, a device manufacturer could be a HIPAA-regulated CE if it acted as, say, a covered health care provider. In fact, HHS’s Office for Civil Rights (OCR) (the agency responsible for enforcing HIPAA), has expressly addressed such scenarios, addressing various circumstances in which a CE provider may share PHI with a medical device company absent a patient’s authorization, including instances in which:
[t]he device manufacturer or its representative may be present in the operating room, as requested by the surgeon, to provide support and guidance regarding the appropriate use, implantation, calibration or adjustment of a medical device for that particular patient. (This would be treatment by the device company as a health care provider. As noted in the prior example, treatment disclosures between health care providers are not subject to the minimum necessary standards.)
OCR, FAQ #490 (emphasis added). The manufacturer also could be a BA – if it created, received, maintained, or transmitted PHI on behalf of a CE health care provider or provided services to the provider that involve the disclosure of PHI. Accordingly, although the answer is not always clear-cut, there are a number of instances where a device manufacturer may be a HIPAA-regulated entity.
FDA correctly observes that sharing patient-specific information is not required under the Federal Food, Drug, and Cosmetic Act; however, in addition to not addressing the manufacturer’s status under HIPAA, it likewise makes no mention of HIPAA’s requirement under 45 C.F.R. § 164.524, which establishes individuals’ right under HIPAA to access their health information. It is a somewhat odd omission given that, over the past several months, OCR has released a series of detailed guidance documents on this longstanding regulatory requirement: Individuals’ Right (Jan. 2016); Newly Released FAQs on Access Guidance (Mar. 2016); and New Clarification – $6.50 Flat Rate Option is Not a Cap on Fees for Copies of PHI (May 2016). The closest FDA comes to specifically acknowledging HIPAA’s requirement is its general recognition that “[i]n many cases, patient-specific information from a medical device is accessible by the patient’s health care provider and patients can contact their health care provider to obtain such information.” Draft Guidance at 5.
Indeed, the only reference to HIPAA is FDA’s statement that HIPAA’s “protections are intended to prevent manufacturers from sharing this [individually identifiable health] information with [CEs] (e.g., health plans, health care providers that electronically transmit health information) without the patient’s consent.” Id. However, HIPAA was not crafted to prevent such activity. In fact, as discussed, manufacturers are not per se subject to HIPAA unless they otherwise are a CE or a BA. Moreover, even if HIPAA were to apply to a device manufacturer in this context, patient authorization for the manufacturer to share the PHI with the individual’s health care provider would not be required in the vast majority of circumstances. Pursuant to a number of codified exceptions under the Privacy Rule, PHI may be used or disclosed without patient authorization for, among other things, treatment, payment, and health care operations purposes. See 45 C.F.R. § 164.506; see also Summary of the HIPAA Privacy Rule.
Again, FDA’s Draft Guidance does not necessarily conflict with HIPAA, but device manufacturers should always independently determine whether they are subject to HIPAA – in addition to otherwise evaluating their status under FDA’s Draft Guidance.
FDA is accepting comments on its Draft Guidance until August 9, 2016.