Industry Update: Increased Compliance in Healthcare - HIPAA, and now, the FDA

By Ben Pepper, Healthcare Practice Consultant, Coalfire

Historically the Food and Drug Administration (FDA) and Health and Human Services (HHS) have operated, for the most part, in separate and distinct regulatory areas.  In the area of medical devices, the FDA predominantly enforced its regulations on device manufacturers and importers, with occasional but rare visits to user facilities (i.e. hospitals and clinics).  In 1996 HHS was chartered, under the Health Insurance Portability and Accountability Act (HIPAA), with regulating the use of patient information at healthcare providers.  There was little chance that an FDA resource and a HIPAA resource would cross paths in a hospital.  That is no longer true.

Why now?

On February 15, 2011 the FDA rolled out the Medical Device Data Systems regulation (MDDS - 21 CFR Part 880.6310).  This law will enter its enforcement phase in February of this year.  MDDS governs all data systems that transfer, store, convert or display medical device data.

To providers this seems daunting, complicated and costly, but it doesn’t have to be.  Providers should think in terms of risk assessments that are agnostic to specific regulators.   Also, providers should consider frameworks (Common Security Framework, COBIT, NIST, ISO are the usual suspects). 

Coalfire suggests simplification and consistency across your IT control suite.  This is a “Pay me now, or pay me (more) later” proposition.

What does this mean to compliance for healthcare providers?

The FDA now requires compliance with its Quality System Regulation (QSR) by way of a Quality Management System (QMS).  Entities that use or build medical devices will need to learn a new set of regulations.  The FDA has enforced the QSR for decades with manufacturers, and is well versed in this area.

On the other hand, HHS is relatively new to the compliance world of HIPAA, and has a comparatively limited track record.  However, HHS has recently created a plan to write and execute a new inspection process for the provider industry.  Now, HHS will execute routine, pre-emptive audits of provider facilities.  Combine this process from HHS with the FDA’s MDDS regulation and it appears to be a double hit to IT and compliance efforts, as well as corporate budgets.

Coalfire contends that rather than double the effort to attain compliance, entities should consider a more strategic approach.  Let’s review three examples where framework-based compliance can satisfy both regulators by comparing how each regulator looks at controls and compliance.

  1. Where HIPAA appears to require more control:  System controls

    Both HIPAA and the FDA require system-level controls.  However, our first example is in the areas of disaster recovery (DR), and device and media controls.  HIPAA is very specific (164.308 and 164.310).  DR, data backups, media re-use and disposal are given their own paragraphs in the HIPAA regulation. 

    In this area, the FDA is not nearly as specific.  However, it does have strict, time-bounded reporting requirements for adverse events, as an example.  This leads IT departments to the inevitable conclusion that media controls, and a robust, periodically tested DR plan, make sense.  Penalties for late or inaccurate reporting can be costly in the form of fines and interruptions to business operations.  This is no different from the risks of a data breach in the HIPAA world, so the same basic controls are needed.

  2. Where the FDA appears to require more control:   Forensic reviews and regulatory reporting

    In the event of a breach, HIPAA asks that facilities document the event, publish a Breach Notification, and fix the problem.  The challenge is that there is no HHS-prescribed process for IT.  There is a ‘Breach Notification’ checklist, but little else.  As a result, facilities are left with the responsibility to plan some form of custom control, review and remediation process.

    The FDA is more specific in this area.  Its Medical Device Reporting requirements (21 CFR Part 803) govern, in great detail, the entire reporting process; in fact, they run to 26 subparts.  Additionally, the FDA’s Corrective and Preventive Action (CAPA – 21 CFR Part 820.100) specifies at least 14 control points that need to be used in determining the severity of a problem, as well as the use of an ‘Appropriate statistical methodology’ within the CAPA process.

    In the final analysis, good business practices would indicate that a standard ‘command and control’ process for things that break, or can be prevented from breaking, makes sense.

  3. Where the FDA and HIPAA have the same needs:  Data management

    Although voiced in different regulatory language, and regulated for different purposes, both regulators require disciplined data management.  HIPAA cares about breaches of patient data.  It specifies testable IT controls like encryption, user authentication and workstation security.   The FDA does not get that specific. 

    However, the FDA does expect a manufacturer, now including hospitals, to have 100% control over the engineering, manufacture, maintenance and distribution records for all its regulated medical device and medical device data system products.  This is because the FDA is more product centric in this area and cares about data management to support situations like product recalls.

The Compliance Solution

So, what is a healthcare provider to do?  First, ensure that the Project Management Office (PMO) and all Steering Committees (SC) have adequate regulatory skills, or access to those skills, during the entire System Development Lifecycle (SDLC).  Include budget for risk assessments, training and ongoing reviews.  Most important, the PMO and SC must have adequate authority to manage compliance at the corporate level.

Specific to the three examples above, a PMO can draw a compliant line through both regulators’ requirements with any of the frameworks noted above. The advantage is a single control suite that supports the business and compliance.  Risk goes down along with compliance costs, and compliance goes up.

The new world order of HIPAA, and now the FDA, in the healthcare industry does not have to be a process and budget nightmare.  With appropriate governance and support, an entity’s compliance can be an integral part of a company’s culture of high-quality patient care.