Do human factors matter in medical devices?


Is there a relationship between medical devices and human factors? This is a question that is seriously worth exploring. According to the ANSI/AAMI HE75:2009 document, human factors is an endeavor for optimizing the production of devices, systems, and many others concerned with them through the use of emotional, intellectual, physical and sensory forms of human knowledge. Both the ways in which these elements are used to enhance production and the limitations inherent in them are factored in. In essence, human factors deals with how humans and devices or machines interact with each other.

Since human factors places the human mind at the center, design and aesthetics play a very prominent role in this discipline. Human factors is an important element of user interface, and both have risen in prominence after the explosion of the field of IT. It can, however, be put to use in several other areas. Since the user is the fulcrum of any area of production, human factors has the potential to be a major factor in creating and shaping the user interface for a range of products.

Use in medical devices


How about the area of medical devices? We have seen that user interface and aesthetics are core ingredients of human factors. Are these the major determinants for the field of medical devices? Yes and no. Yes, because the user is of critical importance in medical devices. A wrong instruction or wrong usage can severely compromise the use of medical devices and can go to the extent of even causing harm to the user.

No, because when it comes to another equally important element of human factors, namely aesthetics, the interplay between medical devices and human factors may not appear so pronounced. Yet, while the role of aesthetics may not be all that critical to medical devices, there is a related aspect, and that is design.

The role of design is very prominent when it comes to the user interface of medical devices since medical devices have to be designed to absolutely precise specifications. Even small deviations or variations can result in harm to humans. Both the patient and the organization manufacturing the devices need to face consequences as a result of these.

As far as medical devices are concerned, the FDA is tasked with regulating them for ensuring their safety and effectiveness. The incorporation of the principles of human factors into medical devices ensures that the product meets specification, design and quality standards and thus becomes faster and less expensive to market. It is because of these factors that human factors are becoming part of the design and development, as well as of the supplementary aspects of medical devices, such as Instructions for Use, labeling and even training.

FDA’s regulations on human factors in medical devices


Under 21 CFR 820.30, the FDA emphasizes that human factors need to be taken into consideration for the following:

  • Design input: To ensure that the needs of the patient and any others who may use the product are taken into consideration
  • Design verification: To make sure that the criteria for performance set for the medical device are being consistently met, and
  • Design validation: To safeguard that the device conforms to predefined user needs as well as intended uses, and to also make sure that testing is carried out to ensure this function. Software validation and risk analysis are part of this testing.

The FDA has also been placing emphasis on human factors in medical devices in many guidance documents and a number of upcoming Draft Guidance documents.

Full learning on human factors in medical devices

A seminar that is being organized by GlobalCompliancePanel, a leading provider of professional trainings for the areas of regulatory compliance, will offer complete learning on human factors in medical devices.

Virginia A. Lang, Principal and Founder HirLan, Inc. and HirLan International SA, will be the Director of this seminar. To gain knowledge of how human factors relate to medical devices, please register for this seminar by visiting Do human factors matter in medical devices? This course has been pre-approved by RAPS as eligible for up to 12 credits towards a participant’s RAC recertification upon full completion.

A complete explanation of regulations and uses of human factors in medical devices

The core aim of this seminar is to familiarize participants with the way in which human factors can be applied to medical devices. To cover this, she will explain all the current and upcoming human factors requirements, using which participants will learn how to keep costs under control and reduce the time for the manufacture and marketing of their products.

Virginia will cover the following areas at this seminar:

  • Overview of Human Factors and the FDA perspective
  • Human Factors Methods and Device Product Life Cycle
  • Human Factors and Risk Analysis & Management
  • Human Factors: What Devices Require Human Factors Evaluation and Validation?
  • Human Factors and Combination Products
  • Human Factors and Combination Products Submitted in an ANDA.

Knowledge of employment laws is absolutely crucial for organizations

As the new presidential administration settles in in the US, employment law could be an area in which to expect tremendous changes. While what the new president’s open and vocal support for protection of the domestic workforce will mean to employment laws may take some time to fully unfold, a look at the evolution of the important employment laws and the changes taking place in them of late should serve as some kind of indication of what is to come.

One thing that is certain is that 2017 is going to be an uncertain year for employment law. Changes that could make a big difference to many organizations can be expected to be rolled out by the new administration. A fact of additional significance to employers is that there has been a steady increase in the number of employment lawsuits of late.

In 2016, enforcement actions by the Equal Employment Opportunity Commission (EEOC) gave the agency a staggering amount of between $350 and $400 million in monetary damages. This has been the highest recovery ever from the time it was created in 1965. Not surprisingly, the number of claims filed by employees with this Commission has reached record levels in the last three years.

Lack of knowledge of the law is at the root of lawsuits

Most of these lawsuits are a result of the lack of understanding that employers have of workplace issues. Companies in which the managements are ignorant about these issues or choose to overlook them end up facing a host of issues such as:

o  Discrimination suits

o  Employee turnover

o  Unplanned expenses

o  Settlements

o  Litigation

o  Lawyer fees

o  Low morale on the part of employees

o  A bad beating to their image.

The means to avoiding such scenarios is for organizations to grasp the enormity of these actions. If they have to avoid litigation and other reputation-damaging actions, they need to be aware of the employment law regulations and be compliant with these. They also need to be clear in their understanding of what to expect from the new administration.

A session to help get thorough understanding of employment laws

It is to impart understanding of these topics that GlobalCompliancePanel, a leading global name in the field of regulatory compliance trainings, will be organizing a two-day seminar. Vanessa G. Nelson, who is founder and President of award-winning Expert Human Resources, which she founded to help companies maintain employment law compliance, avoid workplace litigation, maximize human capital, create great teams, and reduce costs, will be the Director of this course.

To get complete understanding of all the crucial aspects of human resource law, the ways by which to comply with employment laws and regulations and the potential impact on employment law from the actions of the new administration, please register for this seminar by visiting Knowledge of employment laws is absolutely crucial for organizations.

A clear roadmap to advanced human resources and employment law

The essence of this seminar is the roadmap to advanced human resources and employment law that Vanessa will lay out for the participants. Given the factors described above, this understanding is critical, no matter what the size of the organization. The right grasp of employment laws and HR practices is essential if organizations have to become successful at their business. The Director of this seminar will simplify the complex nature and the huge number and variety of employment laws and the issues relating to them.

Participants will be able to learn the ways of dealing with often muddling human resource situations and how to apply relevant employment laws correctly to avoid problems. A look at the cost of litigation will perhaps give some idea about the need for employers to remain compliant with the employment laws: Without lawyer fees, a lawsuit costs $165,000 on average. The cost of a case that goes to trial is exorbitant: It is in excess of a million dollars, and comes with the strong prospect of imprisonment for noncompliance with employment.

Learn any professional courses for $10 only


Want to enhance your regulatory compliance career by learning a new course? All that it costs is $10. Yes, GlobalCompliancePanel, a provider of professional trainings, is offering hundreds of high value regulatory compliance courses for a mere $10 each.


Regulatory compliance learning, that vital ingredient needed for professionals in any area of regulatory compliance, is a put-off, because many professionals consider it expensive. But not anymore. GlobalCompliancePanel makes it possible to scale up in one’s career. What used to cost $265 is now available for $10, at about the price of a T-shirt. See the math: It is a saving of about 95%.

Myriad number of courses


Regulatory compliance, as we all know, is a really vast area of knowledge. With the FDA framing innumerable laws and regulations on every area that it regulates, it is imperative for regulatory professionals to show compliance with the regulations. They are doomed if they fail. GlobalCompliancePanel brings hundreds of courses in all the areas of regulatory compliance to help professionals understand how to meet these stringent standards.


Want to explore what expectations the FDA has of the drug development process? Want to understand the nitty gritty of drug development and how to meet the FDA’s stringent requirements as far as IND and NDA requirements, or nonclinical or the human clinical studies required for it? Then, take a look at how GlobalCompliancePanel can help you achieve this, for just $10.

Are you working in an industry in which you are required to carry out Root Cause Analysis, but are having problems with it? Understand the fundamentals of Root Cause Analysis and get to know how to determine what caused the problem, why it happened, and what to do about it to reduce its likelihood of occurrence, with this course from GlobalCompliancePanel.


Have you understood how to get HACCP validation done for your facility? Do you have a problem in grasping its validation and verification? No worry. This recorded webinar from GlobalCompliancePanel will set you on the path to it. At just $10, it will offer you the knowledge you need for understanding how to tackle supplier and other issues and put in place a robust HACCP validation and verification program.

This is just a small sample of the many courses that are on offer for $10 each. Want to explore how many more courses are on offer at this huge discount price? Then, just visit our website to open up the possibility of unlimited learning. All that you need to spend is just $10 to enhance your learning on an area of regulatory compliance.


Contact US:

NetZealous LLC DBA GlobalCompliancePanel

john.robinson@globalcompliancepanel.com

support@globalcompliancepanel.com

Toll free: +1-800-447-9407

Phone: +1-510-584-9661

Website: http://www.globalcompliancepanel.com

Registration Link –

https://www.globalcompliancepanel.com/webinars_home?wordpress-seo-gcp-webinar-offer-2017

Like our Facebook page: https://www.facebook.com/TrainingsAtGlobalCompliancePanel/

Follow us on Twitter: https://twitter.com/GCPanel

Healthcare Compliance Professional Courses @ 10$ from GlobalCompliancePanel


Healthcare professionals now have a stronger reason than ever before to enroll for professional learning courses and upgrade their knowledge. GlobalCompliancePanel, a highly reputable provider of professional trainings for all the areas of regulatory compliance, will offer a pick of their healthcare compliance courses for just $10.

Healthcare professionals have always been flocking to GlobalCompliancePanel to partake of professional trainings courses that are valuable, relevant and highly interesting. They will now have more reasons for doing so and join thousands of healthcare regulatory professionals who have already benefited from GlobalCompliancePanel’s professional trainings, because it is not every day that one comes across an offer in which the professional gets to pay a mere 5% of the original price of the webinars!

These recorded webinars are on a number of topics concerning healthcare. Healthcare professionals can use these courses to augment the learning they have gained over the years and climb up in their professions with even greater ease. What’s more; healthcare professionals have such a huge number and variety of courses to choose from that they can opt for several courses of relevance to them without burning a hole in the pocket.

Why is GlobalCompliancePanel doing this? Simple: It wants more and more healthcare professionals to take up courses that are relevant and valuable to them, so that the knowledge needed for becoming successful in their careers spreads wider and goes deeper. After all, meeting regulatory compliance requirements is the number one challenge for any healthcare professional, who sees no way out of the regulatory maze without the professional trainings needed to understand them. When such a course is available at a throwaway price of $10, isn’t that a delightful thing to have?

Let us feature a couple of the topics on which GlobalCompliancePanel is offering these courses to healthcare regulatory professionals:

The HITECH Act’s Impact on HIPAA

HIPAA enforcement is a matter of serious concern to many healthcare professionals. Many of them, even highly experienced ones, are clueless about some of the aspects of this enigmatic law. When HITECH combines with HIPAA, the confusion is doubled. The two laws intersect at many places, thus compounding the complexity of enforcement. This webinar from GlobalCompliancePanel offers clarity and helps them ease the confusion about this law.

Further, the nature and roles of a host of HIPAA-related items such as breach notification, business associate contracts, training of staff and security of PHI for Business Associates can be daunting to understand and implement. Webinars such as this are designed to help healthcare professionals steer clear of the stumbling blocks that they could encounter in implementing these.

Preparing a Medical Product Regulatory Requirement Plan

What happens when healthcare companies fail to meet regulatory requirements set out by the FDA and other regulatory agencies? The consequences are disastrous, and can range from penalties to having their business shut down. One of the foundations to avoiding this sort of situation is to develop a medical product regulatory requirement plan.

A medical product regulatory requirement plan charts out the regulatory requirements  that need to be met from step one, which is quite literally Day One of the start of the process of making healthcare products. A detailed and organized medical product regulatory requirement plan is indispensable to ensuring in the end that the healthcare product meets the regulatory requirements.

It is this priceless learning that this webinar from GlobalCompliancePanel imparts. And yes, at $10!

Drug Safety and Pharmacovigilance

Pharmacovigilance, a crucial area of healthcare, needs to be implemented in full according to the requirements set out in regulations from the FDA, EMA and other regulatory agencies. Since drug safety is deeply tied to PV, the proper implementation of the latter is needed to ensure the former.

PV is essentially about ensuring drug safety by implementing measures throughout the process of production. A healthcare company has to comply with directions from a number of regulatory agencies in order to have its products passed by them and to gain permission to enter different markets. It cannot afford to take one wrong step in the whole process. Clinical trials, marketing, disease management and government are just some of the areas in which pharmacovigilance is indispensable.

This webinar from GlobalCompliancePanel is a great means to getting a complete understanding of this intricate topic. The topic is of great relevance to healthcare professionals, but what’s more, it comes at this unbelievable price tag of just $10!

Contact Details:

http://www.globalcompliancepanel.com/webinars_home

John.robinson@globalcompliancepanel.com

Support@globalcompliancepanel.com

+1-800-447-9407

Advocate General Opinion on Software Medical Devices

On 28 June 2017, Advocate General Sanchez-Bordona (AG) presented his opinion in case C-329/16 Syndicat national de l’industrie des technologies médicales and Philips France following a request for preliminary ruling from the Conseil d’État (France) to the Court of Justice of the European Union (CJEU) concerning the laws governing the classification of software medical devices.

The AG’s opinion is not binding on the CJEU, but it provides useful guidance on the application of the EU medical devices Directive 93/42/EEC (the MDD) to software programs.  Importantly, it confirms the position set out in the Commission’s MEDDEV 2.1/6 guidance that software which merely stores and archives data is not a medical device; the software must perform an action on data (i.e., it must interpret and/or change the data).

EU national courts use the preliminary ruling procedure if they are in doubt about the interpretation or validity of an EU law. In such cases, they may ask the CJEU for advice. The Advocates General provide the CJEU with public and impartial opinions to assist the Court in its decision making. The Advocates General’s opinions are advisory and non-binding, but they are nonetheless influential. In the majority of cases the CJEU follows the Advocate General.

Background

Philips France (Philips) manufactures and places on the EU market a software program called Intellispace Critical Care and Anesthesia (ICCA), which is used by physicians to provide information necessary for the proper administration of medicines for the purposes of resuscitation and anaesthesia.  The software highlights possible contraindications, interactions with other medicines and excessive dosing.  Philips classified the ICCA as a medical device under the MDD and the product bears a CE mark confirming that the software complies with the applicable requirements of the MDD.

Under French law, software programs intended to support medical prescriptions are subject to national certification requirements.  The French Government’s position is that the ICCA must comply with this national certification requirement. Further, it does not consider the ICCA to be a medical device within the meaning of Article 1(2)(a) of the MDD because the function of assisting with prescriptions does not fall under any of the defined purposes within the definition of a medical device.

Philips claimed that the national certification requirement should not apply as it amounted to a restriction on import, contrary to EU law, and that the French Government was in breach of Article 4(1) of the MDD, which provides that Member States must not restrict the placing on the market or the putting into service of medical devices bearing the CE mark within their territory.

The French Conseil d’État referred to the CJEU a request for a preliminary ruling on the question of whether software equivalent to the ICCA satisfies the definition of a medical device under the MDD.

AG Opinion

The AG opinion suggests that Philips had correctly classified the ICCA as a medical device.  It highlights that since the ICCA bears a CE mark and is freely marketed in 17 EU Member States, it benefits from a presumption of conformity with the MDD.  It was a matter for the French Government to rebut this presumption, and it had failed to do so.

In reaching his conclusion, the AG highlighted a number of points, including:

  • In order to qualify as a medical device, software must have a function beyond collection and archiving of data (i.e., it must have more than a purely administrative function). Rather, it must modify or interpret the data.  The ICCA software includes an engine that allows healthcare professionals to calculate the prescription of medications and the duration of treatments.  In light of such functions, the AG considers it difficult to maintain that the ICCA does not have a diagnostic or therapeutic purpose within the scope of the definition of a medical device. The ICCA is not a software program that is limited to administrative functions, but rather software that helps determine the proper prescription for the patient.  It is therefore a medical device as it has the aim of “preventing, controlling, treating or alleviating a disease”.
  • The fact that the ICCA does not act by itself in or on the human body does not preclude it from classification as a medical device. Contributing to the principal action of correcting the human body through the taking of medicinal products is sufficient.

The above conclusion endorses the position set out in the Commission MEDDEV 2.1/6 guidance on qualification and classification of standalone software, which states:

“…if the software does not perform an action on data, or performs an action limited to storage, archival, communication, ‘simple search’ or lossless compression (i.e. using a compression procedure that allows the exact reconstruction of the original data) it is not a medical device.”

How Americans get their health insurance

With Obamacare firmly in the crosshairs of Republican lawmakers, the debate around U.S. healthcare is at a fever pitch.

While there is no shortage of opinions on the best route forward, the timeliness of the debate also gives us an interesting chance to dive into some of the numbers around healthcare – namely how people even get coverage in the first place.

How Americans get healthcare

The following infographic shows a breakdown of how Americans get healthcare coverage, based on information from Census Bureau’s surveys.

Put together by Axios, it shows the proportion of Americans getting coverage from employers, Medicaid, Medicare, non-group policies, and other public sources. The graphic also includes the 9% of the population that is uninsured.

[Infographic: Axios via Visual Capitalist]

The following definitions for each category above come from the Kaiser Family Foundation, a non-profit that uses the Census Bureau’s data to put together comprehensive estimates on healthcare in the country:

Employer-Based: Includes those covered by employer-sponsored coverage either through their own job or as a dependent in the same household.

Medicaid: Includes those covered by Medicaid, the Children’s Health Insurance Program (CHIP), and those who have both Medicaid and another type of coverage, such as dual eligibles who are also covered by Medicare.

Medicare: Includes those covered by Medicare, Medicare Advantage, and those who have Medicare and another type of non-Medicaid coverage where Medicare is the primary payer. Excludes those with Medicare Part A coverage only and those covered by Medicare and Medicaid (dual eligibles).

Other Public: Includes those covered under the military or Veterans Administration.

Non-Group: Includes individuals and families that purchased or are covered as a dependent by non-group insurance.

Uninsured: Includes those without health insurance and those who have coverage under the Indian Health Service only.

Healthcare mix by state

Here’s another look at how Americans get healthcare coverage on a state-by-state basis.

This time the graphic comes from Overflow Data and it simply shows the percent of buyers in each state that receive health coverage from public sources:

Oddly, the state that gets the highest proportion of public health coverage (New Mexico, 46.6%) is kitty-corner to the state with the lowest proportion of public health coverage (Utah, 21.3%).

Why the debate is paramount

If you ask some people what is going on with U.S. healthcare, they will tell you that things are going “sideways” – that costs are going up, but care is not improving anywhere near the same pace.

Here’s a graphic we published last year from Max Roser that puts this sentiment in perspective:

[Chart: U.S. healthcare system. Visual Capitalist via Our World in Data]

It’s fair to say that care has been going sideways in the U.S. for some time, and the stakes couldn’t be higher.

So, what needs to be done to fix the problem?

Read the original article on Visual Capitalist. Copyright 2017.

Health Buzz: The 10 Best States for Health Care

If you want to get the best health care, you might be better off living in one of these states, according to a new ranking.

Hawaii, Iowa and Minnesota topped WalletHub’s new ranking of the best states for health care. The ranking took into account 35 metrics in the categories of cost, accessibility and health outcomes.

Among access-to-care metrics, the highest percent of insured adults (ages 18 to 64) live in Massachusetts, the District of Columbia, Vermont, Hawaii and Minnesota. The lowest live in Georgia, New Mexico, Nevada, Florida and Texas.

As for outcome metrics, like lowest cancer rate, New Mexico, Nevada, Arizona, Colorado and Utah ranked in the top five, while New York, Pennsylvania, Louisiana, Delaware and Kentucky ranked in the bottom five.

U.S. News ranks its own Best States for Health Care, in which Hawaii also stands at No. 1.

Health care concerns, though always present, have been thrust into the national conversation even more this year amid legislative attempts to reform former President Barack Obama’s health care law.

The Senate recently failed to pass a health care bill. Sens. Susan Collins (R-Maine), Lisa Murkowski (R-Alaska) and John McCain (R-Ariz.) voted against the Republicans’ attempt to overhaul the Affordable Care Act, commonly known as Obamacare.

A recent report from the Commonwealth Fund found that the U.S. has the worst health care system compared to other high-income countries. The U.S. ranked lowest for health outcomes despite outspending its peers, according to the report.

But in its own health care analysis, the Kaiser Family Foundation discovered the U.S. system has made progress, especially with “its ability to promote health and provide high-quality care, with some recent improvement in the accessibility of that care and a slowing of spending growth.”

Americans typically spend approximately $10,000 each year on personal health care, and that number is expected to rise, according to the Centers for Medicare & Medicaid Services.

WalletHub’s top 10 states for health care are listed below, and a complete list can be found here.

Overall Rank | State | ‘Outcomes’ Rank
1 | Hawaii | 1
2 | Iowa | 13
2 | Minnesota | 8
4 | New Hampshire | 7
5 | District of Columbia | 37
6 | Connecticut | 5
7 | South Dakota | 24
8 | Vermont | 3
9 | Massachusetts | 2
10 | Rhode Island | 10

It is important and necessary to document Software for FDA Submissions

Software project management has an important tool in the Agile methodology. The Agile methodology developed as a product of the gradual efforts at arriving at a team-based methodology of iterative software development. Because of its close association with software, in terms of suitability, Agile is to software development what Lean is to manufacturing. Among the many areas to which the Agile methodology is well suited and adaptable, healthcare is one, since it uses software heavily.

The Agile methodology is effective in helping software project managers anticipate and address major logjams of software project management, such as vulnerability and unpredictability. By preventing project delays, Agile helps to cut costs. Since flexibility is an important characteristic of Agile, it has the ability to accommodate and take in many new changes that take place as the project develops.

Another major benefit of Agile is that it prevents piling of work at later stages of the project by reviewing project progress at every stage by validating roles, steps and processes functions. This is absolutely useful in the backdrop of severe constraints of time and money, because of which it is highly preferred and rated by Project Managers.

Is Agile perfect?


All these terrific advantages notwithstanding, Agile is not perfect. It is not suited to every setting and every situation. If Agile has to be efficient and deliver its results optimally, it has to work in conditions where there is complete, tightly knit team coordination. In the absence of very active and strong participation from the team leaders, subject matter experts and stakeholders, Agile can prove less than suitable or successful.

Agile’s suitability for the healthcare industry is well-established. However, Agile, being a highly teamwork-dependent initiative, can fail to deliver in the absence of one or more situations in which it thrives. In the absence of complete confidence by those using it in the healthcare industry of its role in saving money, time and other resources, the Agile methodology can be less than useful.

Get to learn the applicability of Agile methodology to healthcare


The ways by which the healthcare industry can adapt and optimize Agile methodology for its use and overcome the deficiencies and shortfalls of this methodology for enhanced performance will be the topic of a very interesting two-day seminar that is being organized by GlobalCompliancePanel, a leading provider of professional trainings for all the areas of regulatory compliance.

The Director of this seminar is Brian Shoemaker, who consults for healthcare products companies on computer system validation, software quality assurance, and electronic records and signatures, and has worked with companies in Germany and Switzerland as well as the U.S. Please register for this session by logging on to It is important and necessary to document Software for FDA Submissions. This seminar has been pre-approved by RAPS as eligible for up to 12 credits towards a participant’s RAC recertification upon full completion.

Clarity on the suitability of Agile to IEC 62304


A criticism that does the rounds in healthcare software industry circles is that Agile, because of its lack of documentation, runs counter to the lifecycle standards mandated in IEC 62304. Brian will clarify this area and explain how clear processes for quality management system, risk management process, software maintenance, configuration management, and problem resolution, which go into the IEC 62304 principles, actually reinforce, rather than undermine, the Agile methodology. The proof of this fact is that the AAMI Agile report (TIR 45) has stated that the proper application of Agile, with its emphasis on nimbleness and ongoing learning, into a quality system and safety risk management can blend with and expedite the fulfilment of regulatory expectations of well-documented development.

Contrary to popular belief, documentation in Agile actually helps in taking advantage of iterative development. How? Since IEC 62304 does not specify any lifecycle model, documentation can grow out of the required iterative activities. Agile, by developing incrementally and preventing last-minute anxieties and worries, is highly useful in many disciplines of healthcare such as hazard analysis. When risk management is included in iteration tasks, it becomes more robust and solid.

It is because of all these reasons that this is a session that professionals across a wide spectrum of positions such as Regulatory Specialists, Quality Assurance Specialists, Documentation Specialists, Test Managers, Software Team Leaders and Lead Developers, and Project and Program Managers ought not to miss out on.

They will become thoroughly familiar with the applicability of the Agile methodology to software documentation for FDA submissions. Over the two days of this seminar, Brian will cover the following areas:

  • Agile vs IEC 62304: an apparent contradiction?
  • The role and value of documentation
  • The REAL regulatory requirements
  • Specific documents required for an FDA submission
  • Areas where most development processes bog down
  • Iteration – well suited for risk, usability, and design reviews
  • Key practices to bridge the Agile and regulated worlds
  • Agile is not only acceptable for medical device software, but can be clearly superior.

 

 

New HIPAA rules: Make sure you are in compliance because your liability has increased

Healthcare providers have until September 23 to put into place internal policies and procedures needed to comply with sweeping changes coming to the Health Insurance Portability and Accountability Act (HIPAA).

In January, the U.S. Department of Health and Human Services (HHS) released a set of rules, known collectively as the omnibus rule, designed to supplement and modify the privacy, security, breach notification, and enforcement rules governing patient health information in HIPAA. HHS has made it clear that the September 23 compliance deadline is final. Penalties can range from $100 to $1.5 million depending on the violation.

For primary care and other physicians in private practice, compliance will mean:

  • conducting and documenting a risk analysis, which HHS defines as “an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability” of electronic protected health information (PHI) in your practice;

  • reviewing the practice’s policies and procedures for when PHI is lost or stolen or otherwise improperly disclosed, and making sure your staff members are trained in them;

  • ensuring that the electronic PHI your practice holds is encrypted so that it cannot be accessed if it is lost or stolen (see “Encrypting your patients’ health information”);

  • modifying the practice’s electronic health record (EHR) system so that you can flag information a patient does not want shared with an insurance company;

  • having the ability to send patients their health information in an electronic format;

  • reviewing your contracts with any vendors that have access to your practice’s PHI; and

  • updating your practice’s notice of privacy practices.

Other provisions

Other provisions of the omnibus rule include restrictions on selling PHI or using it for marketing and fundraising purposes without obtaining the patient’s permission and loosening some of the restrictions on sharing PHI with family members or other caregivers of deceased patients. Disclosure is only permitted, however, to the extent that the PHI is relevant to the role the family member or caregiver played in the decedent’s treatment. Moreover, release is not permitted in cases in which the individual expressly stated before death that he or she did not want the PHI released.

The omnibus rule also permits doctors in states with compulsory vaccination laws to disclose a child’s immunization records to schools without obtaining formal authorization from parents. Physicians now can do so with only a verbal agreement, provided they document that they obtained the permission. Lastly, the rule prohibits health plans from using or disclosing genetic information for the purpose of insurance underwriting.

The rule also sets and describes the four categories of penalties for violating the rules and the dollar amounts for each.

The omnibus rule is the latest step in a process that began when Congress enacted the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009. Among other provisions, the HITECH Act required HHS to strengthen HIPAA’s privacy and security protections for health information. HHS adopted interim rules for doing so in 2010 and finalized the rules with adoption of the omnibus rule.

Growth in EHRs drives changes

Driving many of the changes in the omnibus rule is the proliferation of EHRs and the accompanying digitization of patient information, says Jeffrey J. Cain, MD, FAAFP, president of the American Academy of Family Physicians (AAFP).

“The [original] HIPAA legislation is 15 years old now and was enacted at a time when EHRs were nothing more than a gleam in Microsoft’s eye, but now everyone’s using them, and the rules were seen to be in need of tightening up,” he says.

Angela Dinh Rose, director of health information management excellence for the American Health Information Management Association, says, “HITECH was a huge factor in pushing the adoption of health information technology, so along with that, Congress saw the need for improved privacy and security practices to protect patient information now that so much of it is becoming electronic.”

According to a study of breaches reported on the HHS Web site by Kaufman Rossin & Co., an accounting and consulting firm based in Miami, Florida, the number of individuals affected by data breaches doubled from 2010 to 2011, even though the number of entities involved in a breach declined (see “Summary of health breach information reported to HHS, 2010 to 2011,” below). The largest cause of breaches was theft (53%), followed by unauthorized access (20%) and loss (14%).

New rules for data breaches

The changes likely to have the greatest effect on medical practices are those concerning how PHI should be secured and kept private and what practices must do in case of a breach—meaning the PHI is lost, stolen, or otherwise made available to someone who should not have it. Why? Whereas before the omnibus rule, breaches only had to be reported if they involved a “significant risk of harm,” now the presumption is that virtually any unauthorized disclosure of PHI may be a breach, unless the practice can demonstrate a low probability that the information has been compromised, explains Kenneth Rashbaum, JD, a health law attorney with Rashbaum Associates in New York, New York.

“These changes are a big deal because the standard [of what constitutes a reportable breach] is much lower, and as a result there’s now a presumption of harm to the patient by virtue of the breach by the entity that made the disclosures,” Rashbaum says.

Given the new standard, the most important action practices can take to protect themselves against penalties, experts emphasize, is to encrypt patient data, both within the practice itself and when they are taken outside the practice in a laptop computer, smartphone, or other portable device. Why? “In the [omnibus] rule now, they’re defining a breach as the loss of unsecured PHI,” explains Juli A. Ochs, CPA, healthcare engagement director for the consulting and accounting firm CliftonLarsonAllen LLP. “So anything that renders the data ‘unusable, unreadable, or undecipherable’ is now not considered a breach.” (See “Encrypting your patient’s health information” below for suggestions on how to encrypt data in a way that meets HHS requirements.)

Determining risk of harm

Whenever a breach does occur, it is presumed to be reportable to HHS unless the practice can demonstrate a low probability that the PHI will be compromised, meaning that anyone will be harmed as a result. Demonstrating this involves four components:

  • The nature and extent of the data involved. “Was the information just a list of patients? Did it include identifying data like Social Security numbers or other financial information? Were there intimate medical or psychotherapy records? Those are the types of questions that need to be asked,” says Aldo Leiva, JD, a data security and privacy attorney in Coral Gables, Florida.

  • The unauthorized person who used the PHI or to whom it was disclosed (something you can’t know if the breach resulted from a device being lost or stolen).

  • Whether the PHI was actually acquired or viewed.

  • The extent to which the risk has been mitigated after the fact. An example, Leiva says, might be having a contractor to whom the PHI accidentally was sent sign a non-disclosure agreement.

In addition, the rule requires practices to notify patients whose PHI has been breached within 60 days of discovery of the breach. If the breach affects more than 500 patients, then HHS and the local news media must be notified within the same 60-day timeframe. Practices must keep a log of all breaches regardless of the number of patients affected, and they must submit the log annually to HHS.

Another requirement of the rule is that practices and other covered entities conduct a risk analysis. The purpose of the exercise is to discover where the practice might be vulnerable to having its patient information lost or stolen—through theft of a laptop computer on which data are stored, for example—and putting in place policies and procedures to reduce those vulnerabilities.

“People get overwhelmed by this, because they think it needs to be a formal process,” Ochs says, “but it can be just everyone in the practice sitting down to talk about where are we vulnerable, assessing the risk of each vulnerability, deciding how to address it, and then documenting that they’ve gone through the process.”

In addition, practices should appoint a privacy and security officer with the responsibility for making sure the practice has policies and procedures for complying with the rules and that staff members are trained in them. Practices can—and often do—assign the responsibilities to a current employee rather than hire someone new, Ochs says. “The main thing is just that it’s assigned,” she adds.

Violators of the privacy and security rules will be fined in amounts ranging from $100 to $50,000 per violation (see “HIPAA rule violation categories and penalty amounts”). The maximum a practice or other covered entity can be fined in a year is $1.5 million.

Relations with business associates

After changes to the PHI security and breach notification rules, the omnibus rule changes of greatest interest to practices are those affecting their relationships with “business associates,” vendors that have access to a practice’s PHI. Such vendors are now directly responsible to HHS for securing and guarding the privacy of PHI in the same way that practices are, and they are subject to the same penalties.

“Before [the omnibus rule], physicians and medical organizations might be protecting patient data the way they were supposed to, but their third-party providers were not obligated except under the terms of their contract with the providers,” notes Jorge Rey, CISA, CISM, director of security and compliance for Kaufman, Rossin & Co. “Now the rules say that if you have access to patient healthcare-related information, you need to comply with all the privacy requirements.” The rule also puts subcontractors to practice vendors under HHS jurisdiction.

The increased responsibility of business associates does not let doctors off the hook entirely. That’s because even if the business associate loses PHI or has it stolen, the medical practice ultimately is responsible for notifying affected patients and reporting the breach to HHS.

Leiva notes that many health information technology (HIT) vendors and consultants include boilerplate language in their contracts absolving them from liability for data loss. Consequently, he advises reviewing all contracts with HIT vendors to ensure that their wording conforms with the omnibus rules governing relations between covered entities and their business associates. (A sample business associate agreement is available from the government at http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contr…)

Greater patient control

The third part of the omnibus rule affecting doctors’ practices concerns patients’ rights related to their own health information.

The rule gives patients the right to:

  • obtain copies of their health information in an electronic format within 30 days of requesting it, with one 30-day extension permitted, and

  • instruct his or her doctor not to share information about a test or treatment for which the patient has paid out-of-pocket with his or her insurance company.

In addition, the rule requires practices to update their notices of privacy practices (NPPs) to reflect the changes to patients’ rights included in the omnibus rule and requires sending the updated NPP to all patients and posting it prominently in the practice and on the practice’s Web site.

Complying with the changes likely will be challenging for doctors due to the limitations of EHR systems. “EHRs were designed so that you could share information easily between healthcare providers and insurance providers,” notes the AAFP’s Cain. “Now we have this law saying that if a patient pays cash, the condition won’t be revealed to insurance providers, which is problematic for the way most EHRs are built.”

The design of EHRs also makes it difficult to share information with individuals who don’t have EHRs, Cain notes. “That’s going to be a problem and something the vendors will have to help us with,” he says.

In the meantime, possible alternatives include joining a private health information exchange network or one of the regional or statewide networks many states are establishing. Regional extension centers and state and local medical societies are good sources of information about health information exchange networks.

Doctors should ask their EHR vendors about a timetable for implementing a function that allows them to meet the requirement by the September 23 deadline, advises Lisa Gallagher, CISM, vice president of technology solutions for the Healthcare Information and Management Systems Society. If a vendor won’t be ready to provide such a feature, then the practice will have to still find a way to meet the requirement, maybe through a different way of recording the patient’s data until the function is available, Gallagher says.

“Sometimes regulatory requirements are misaligned,” she adds. “What’s happened here is the requirement for the provider to do something, and the requirement hasn’t made its way down to the vendor. But the important thing for everyone to realize is that HHS has said this requirement is going into effect and you have to meet it.”

Cain says that most AAFP members understand the need to provide patients with greater control over who can see their information and the need to guard confidentiality generally. Nevertheless, “it does add another layer of administrative complexity to managing an office practice,” he says.

“All the rules are well-intentioned, but they may interact in ways that aren’t understood when they are developed,” Cain adds. “The law of unintended consequences is challenging for office-based physicians.”


What would you like to know about HIPAA? Post your questions to our Facebook page at www.facebook.com/MedicalEconomics or email us at medec@advanstar.com. We’ll present answers in future articles.


HIPAA rule violation categories and penalty amounts

The Health Insurance Portability and Accountability Act omnibus rule establishes four “tiers” of violations, based on what it terms “increasing levels of culpability,” with a range of fines for each tier.

Violations of the same requirement or prohibition for any of the categories are limited to $1.5 million per calendar year.

The language of the rule states that actual dollar amounts will be based on “the nature and extent of the violation, the nature and extent of the resulting harm, and other factors…includ[ing] both the financial condition and size of the covered entity or business associate.”