Healthcare AppCessory Development's Top 3 Things You Need to Know

An AppCessory (a hardware accessory controlled by a mobile device) denotes the interconnection between mobile software and the hardware accessory it interacts with.

  1. Be aware that medical devices must be tested and classified as Class I, II or III, and that the application that drives the device must now be tested and approved to the same level.


  2. The FDA defines a medical device as “an instrument, machine, or other apparatus which is (i) intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease in man.”


Even though it is not explicitly identified in that statute, software is also considered a “device”.


The FDA has, however, now issued regulatory guidance indicating that it anticipates applying its authority to, and regulating, “mobile medical applications”. This means the FDA will determine whether an application meets its definition of a medical device by examining whether it turns the mobile platform into a “regulated medical device.” This includes mobile apps that connect to a medical device and act as an extension of it, which is an AppCessory by definition.


  3. Personal medical information can be subject to Health Insurance Portability and Accountability Act (HIPAA) rules.


To determine whether software controlling a device falls under the HIPAA rules, two questions must be answered: Who will be using the application? And what information will it contain?


HIPAA rules apply only to protected health information. Although there are exceptions for educational and employment records, protected data includes any information that identifies an individual who has received a service from a covered entity. It does not matter if that information is also publicly available, because it still reveals that the individual has received a service. Also covered is information relating to health care services, payment for those services, and a patient’s physical or mental health.


A complete analysis is necessary to determine whether the AppCessory will be used by a covered entity, such as a hospital, doctor, clinician or health plan, and whether it will include any protected health information. If so, design it in accordance with HIPAA, using proper encryption and device testing.


As patient rights continue to grow with respect to access to Personal Medical Records, the information included in a patient’s data bundle will soon expand to include information from AppCessory devices. HIPAA is not synonymous with health data: when data is collected voluntarily through consumer input, it is outside the scope of HIPAA. However, there is a privacy and security obligation when it comes to Protected Health Information (PHI) to ensure that no one has inappropriate access to a patient’s information without permission. New personal medical device AppCessories will need to provide information to users and to their designated family members and providers, using appropriate trust bundles, while at the same time protecting that information.

Medical Technology


The FDA regulates medical devices under a three-tier classification system.

Class I devices are considered low risk. Although they must be safety tested and approved, they are subject to the fewest controls and do not require pre-market approval.

Class II devices are considered to represent an intermediate level of safety risk. Manufacturers of Class II medical devices are subject to special controls, such as required safety testing and certification, and must file a pre-market notification called a 510(k). The intention of the 510(k) filing is to show that the device is “substantially equivalent” to another Class II device.

Class III devices are the highest risk and are usually those that support human life, are of substantial importance in preventing impairment of human health, or present a potential, unreasonable risk of illness or injury. Class III medical devices require pre-market approval and a scientific evaluation, which can be quite expensive and intricate.


HIPAA Rules apply to HIPAA “covered entities” and their “business associates.”

“Covered Entities” include health care providers, if they conduct certain transactions electronically (such as submitting claims to health plans), and health plans, including group health plans.

“Business Associates” are entities that handle “protected health information” on a covered entity’s behalf, such as a pharmacy benefit manager or a health information exchange organization.

HIPAA rules do not apply to health care consumers or to other types of entities.


Blue Button is the government’s Health IT symbol for a patient’s access to their own healthcare data. Blue Button+ expands on the concept and includes the patient’s ability to get records in both human-readable and machine-readable formats, and to send them wherever they choose. This enables a patient to do everything from sharing their data with multiple third parties to printing their own physical copy.