Healthcare AppCessory Development's Top 3 Things You Need to Know
- Be aware that medical devices must be tested and classified as Class I, II or III, and that the application that drives the device must now be tested and approved to the same level.
- The FDA defines a medical device as “an instrument, machine, or other apparatus which is (i) intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease in man.”
Even though it is not explicitly identified in that statute, software is also considered a “device”.
The FDA has, however, since issued guidance indicating that it intends to apply its authority to, and regulate, “mobile medical applications”. Under that guidance the FDA will treat an application as a “mobile medical application” if it meets the definition of a device by transforming the mobile platform into a “regulated medical device.” This includes mobile apps that connect to a medical device and act as an extension of it, which is an AppCessory by definition.
- Personal medical information can be subject to the Health Insurance Portability and Accountability Act (HIPAA) rules.
To determine whether software controlling a device falls under the HIPAA rules, two questions must be answered: who will be using the application, and what information will it contain?
HIPAA rules apply only to protected health information. Although there are exceptions for educational and employment records, protected data includes any information that identifies an individual who has received services from a covered entity. That the information is also publicly available does not matter, because it still reveals that the individual has received a service. Also covered is information relating to health care services or payment for those services, as well as to a patient’s physical or mental health.
A complete analysis is necessary of whether the AppCessory will be used by a covered entity, such as a hospital, doctor, clinician or health plan, and whether it will include any protected health information. If so, design it in accordance with HIPAA, using proper encryption and device testing.
As patients’ rights of access to their personal medical records continue to grow, the data made available to them will soon expand to include information from AppCessory devices. HIPAA is not synonymous with health data: data that consumers enter voluntarily falls outside the scope of HIPAA. Where Protected Health Information (PHI) is involved, however, there is a privacy and security obligation to ensure that no one gains inappropriate access to a patient’s information without permission. New personal medical device AppCessories will need to make information available to users and to their designated family members and providers, using appropriate trust bundles, while at the same time protecting that information.