On February 20, 2003, the final Security Rule, 45 CFR Part 142, was issued. Read it here: HIPAA Final Security Rule 2003-02.
On August 14, 2002, the HIPAA Privacy Rule was modified. Read it here: HIPAA Modified Final Privacy Rule 2002-08.
On December 28, 2000, the final Privacy Rule, 45 CFR Parts 160 and 164, was issued. HHS provides the rule and related guidance at: https://www.hhs.gov/hipaa/for-professionals/privacy/index.html.
Medical device manufacturers whose devices store or maintain patient data should be aware of the HIPAA privacy and security requirements, so that appropriate features are built into their devices and healthcare providers can use them in compliance with these aspects of HIPAA. In addition, medical device, pharmaceutical and biologics manufacturers that collect individual patient information as part of research or clinical trials need to be aware of these rules, because the rules can affect the manufacturers' own internal systems and data handling: the healthcare institutions that supply the patient information must remain compliant with the regulations.
Three other educational documents from NEMA that explain the HIPAA Privacy and Security Regulations are:
- NEMA HIPAA Security Intro Overview
- NEMA HIPAA Med Dev Issues Presentation
- NEMA HIPAA Med Dev Remote Services Paper
A partial checklist of privacy and security requirements to consider:
- Locally managed logins for all operators
- Password control (size, content, pattern, age)
- User account maintenance (disable, one-time accounts, reports)
- Auto logoff
- Device to device authentication (device ID and list)
- Log all security events, changes to configuration
- Access to audit logs restricted
- Configuration lockdown
- Secured operating system; integrity controls on data
- Emergency access to device
We hope you find this Regulatory Roadmap on HIPAA Privacy and Security useful. If you have any suggestions to improve this Roadmap, or to create similar Roadmaps on other topics, let us know by leaving a message below.