FDA Guidance on Device Data Sharing Aligns With HIPAA: Attorney

Stay ahead of developments in federal and state health care law, regulation and transactions with timely, expert news and analysis.

By Michael D. Williamson

June 10 — An FDA draft guidance on manufacturers providing information collected by medical devices to patients is generally compliant with HIPAA, an attorney said June 9.

The draft guidance is “very patient friendly,” but it may present problems for device makers, Patricia Wagner, a Washington-based attorney with Epstein Becker & Green P.C, told Bloomberg BNA.

Some device manufacturers may not know when it is appropriate to share health data collected by devices to patients, especially because there are different interpretations of the key health privacy law, the Health Insurance Portability and Accountability Act (HIPAA).

Allowing patients access to information collected by medical devices used to treat or diagnose them is consistent with federal laws that require patients have access to their own medical records, Chris Lavanchy, with the patient safety organization ECRI Institute told Bloomberg BNA. “Today, many medical devices have the ability to store data and transfer it to medical records, so this seems like a natural progression in providing patient access.”

The Food and Drug Administration issued the document June 9, but it's dated June 10, when the agency published a notice (81 Fed. Reg. 37,603) in the Federal Register.

Comments (FDA-2016-D-1264) are due Aug. 9.

HIPAA Confusion

The draft guidance clarifies that manufacturers aren't prohibited from sharing patient-specific information recorded, stored, processed, retrieved and/or derived from a medical device with the patient who is either treated or diagnosed with that device, the Food and Drug Administration said in a June 9 e-mail on the document.

The agency “understands that patients may seek access to accurate, usable information from medical devices so that they can be more engaged with their healthcare providers in making sound medical decisions,” according to the e-mail.

However, the guidance said device manufacturers are prevented under HIPAA from sharing this information with covered entities, such as health plans and health-care providers that electronically transmit health data, without the patient's consent. Nevertheless, the FDA acknowledged in the guidance that patient-specific data from medical devices often is accessible by patients' health-care providers.

Wagner argued, though, that HIPAA was never meant to prohibit patient data collected by devices from being shared with providers. The FDA shouldn't have said this in the draft guidance because it is “just wrong” and “doesn't make sense,” she told Bloomberg BNA.

Aside from that specific incorrect information, Wagner said she believed the document is “very much aligned” with HIPAA.

“One thing HIPAA provides is a right of access to medical records. This is very much following in line with that standard,” she told Bloomberg BNA.

Advice for Device Makers

The FDA believes that device manufacturers should take certain considerations into account when sharing patient-specific information to help to ensure it is usable by patients and to avoid the disclosure of confusing or unclear information that could be misinterpreted, the document said. Specifically, the draft guidance recommended that device makers take appropriate measures to ensure that the information provided is interpretable and useful to the patient and to prevent the disclosure of confusing or unclear information that could be misinterpreted.

Furthermore, manufacturers should include relevant context when it provides patient-specific information to the affected patient “to avoid circumstances where this information may be misinterpreted, thus leading to incorrect or invalid conclusions,” the document said.

Making sure the device information sent to patient isn't misinterpreted “could present some challenges for manufacturers because many patients won’t have sufficient knowledge to interpret medical data,” Lavanchy told Bloomberg BNA. It also is “unclear how far FDA will take this recommendation,” he said.

Overall, the ECRI Institute anticipates that many patients, “especially younger ones who have grown up with access to their medical records, will welcome having access to device data so that they can play a bigger role in making decisions about their health care,” according to Lavanchy. The ECRI Institute is based in Plymouth Meeting, Pa.

Manufacturers, for their part, may grapple with many of the same health privacy-related questions providers and other entities have had to address as a result of this draft guidance, Wagner told Bloomberg BNA. For example, if a patient calls a device maker and explains that she is Jane Smith and that she wants information from the device she's using, how can the manufacturer verify it is actually Jane Smith on the line, Wagner asked.

Ultimately, device makers should take certain precautions into account to prevent the unintended sharing of information, according to Wagner.

To contact the reporter on this story: Michael D. Williamson in Washington at mwilliamson@bna.com

To contact the editor responsible for this story: Brian Broderick at bbroderick@bna.com

For More Information

Request Health Care on Bloomberg Law