November 6, 2015
The Office of Inspector General’s (OIG) 2016 Work Plan, released Nov. 3, 2015, calls for increased scrutiny of how electronic protected health information (ePHI) is protected on “networked medical devices.” Furthermore, the OIG indicated its plan to determine the “extent to which hospitals comply with contingency planning requirements of the Health Insurance Portability and Accountability Act (HIPAA)” regarding their use of electronic health records (EHR) systems. Thus, the OIG has indicated that there will be heightened focus on the HIPAA Security Rule, which addresses the administrative, physical and technical safeguards of ePHI (45 CFR Part 160 and Subparts A and C of Part 164).
The OIG specifically indicated that it will examine whether the U.S. Food and Drug Administration (FDA) is providing sufficient oversight of “networked medical devices” in hospitals. With this statement of priorities for 2016, the OIG has affirmed that the proliferation of devices, with their ability to store health information, creates real risks to the privacy and security of ePHI. Although the list of devices that store and transmit ePHI is vast and growing rapidly, the OIG specifically mentioned “dialysis machines, radiology systems, and medication dispensing systems that are integrated with electronic medical records (EMRs) and the larger health network.” The OIG also recognized that these devices may create risks, whether they are wired or wireless.
The OIG also stated, “Medical device manufacturers provide Manufacturer Disclosure Statement for Medical Device Security (MDS2) forms to assist health care providers in assessing the vulnerability and risks associated with ePHI that is transmitted or maintained by a medical device.” In highlighting the MDS2 forms, the OIG has effectively signaled that HIPAA-covered entities that use networked medical devices should document the ways in which they have considered the disclosure statements for such devices as part of their HIPAA security risk assessments and overall HIPAA compliance plans.
Although it was not mentioned in the 2016 Work Plan, anyone using networked medical devices should bear in mind that improper disposal of such devices carries significant HIPAA risks. Specifically, for any of these devices that store ePHI locally, there is a risk of a HIPAA violation if the device is not stripped of all ePHI or otherwise destroyed prior to disposal. Indeed, in 2013, Affinity Health Plan Inc. entered a $1.2 million settlement agreement with the U.S. Department of Health and Human Services for returning multiple photocopiers to a leasing agent without first erasing the data contained on the hard drives of the copiers. See: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/affinity-agreement.html
The FDA, too, has indicated that it is concerned about the cybersecurity of medical devices. In 2014, the FDA issued “Guidance for the Content of Premarket Submissions for Software Contained in Medical Devices” and “Guidance to Industry: Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software.” In these guidance documents, the FDA indicated that medical device manufacturers should consider cybersecurity in the design and development of medical devices, and that they should also consider cybersecurity with respect to the functionality of medical devices that use off-the-shelf software. Of course, the data at issue with medical devices is very likely to be ePHI.
As for EHRs, the OIG Work Plan reiterated that “the HIPAA Security Rule requires covered entities to have a contingency plan that establishes policies and procedures for responding to an emergency or other occurrence that damages systems that contain protected health information.” As a result, the OIG plans to “compare hospitals' contingency plans with government- and industry-recommended practices.”
Cybersecurity issues involving medical devices will continue to grow as the proliferation of devices and EHR systems continues. Covered entities will need to be vigilant in addressing the HIPAA considerations as they use and dispose of these devices and as they continue the shift to electronic health records systems. Similarly, manufacturers of medical devices and developers of EHR systems will need to ensure that security is a fundamental part of design and production.