Healthcare Information Security

FDA Drafts Health Data Sharing Guidance for Medical Devices

The FDA has released draft guidance on health data sharing for medical device manufacturers to help alleviate patient privacy concerns.

By Jacqueline Belliveau

According to recent draft guidance from the Food and Drug Administration (FDA), medical device manufacturers can look to new health data sharing guidelines to help relieve previous patient privacy concerns.

“Although not generally required under the Federal Food, Drug, and Cosmetic Act (FD&C Act), manufacturers may share patient-specific information (recorded, stored, processed, retrieved, and/or derived from a legally marketed medical device, consistent with the intended use of that medical device) with patients at the patient’s request, without obtaining additional premarket review before doing so,” explained the document.

With the emergence of innovative mHealth technologies and other medical devices, more patients are interacting with their PHI and healthcare decisions. However, many individuals are unable to access their healthcare data from medical device manufacturers.

Due to unique healthcare data security regulations, many manufacturers were unsure how to responsibly share patient data with individuals who are treated or diagnosed with their devices. Many companies are uncertain about how HIPAA rules and HITECH regulations would apply to them.

The FDA released the draft guidance to help medical device manufacturers understand how to disseminate patient-specific information that is stored and managed on their medical devices. The agency intends for the guidance to boost patient engagement.

“FDA believes that providing patients with access to accurate, useable information about their healthcare when they request it (including the medical products they use and patient-specific information these products generate) will empower patients to be more engaged with their healthcare providers in making sound medical decisions,” noted the document.

Under the FDA’s guidance, medical device manufacturers can only share patient-specific information, which it defines as “any information unique to an individual patient or unique to that patient’s treatment or diagnosis that, consistent with the intended use of a medical device, may be recorded, stored, processed, retrieved, and/or derived from that medical device.”

The FDA reported two categories that qualify under the draft guidance. The first is data inputted by a healthcare provider to detail the status and treatment of a patient. The other is information stored by the medical device to document usage, alarms, outputs, or case logs.

In general, any patient information that can be useful for furthering continuity of care, developing patient treatment histories, maintaining current treatment profiles, and recording medical device functionality is covered by the draft guidance.

Medical device manufacturers can share healthcare data with patients who have directly requested access to their information or with healthcare providers who are treating that specific individual, explained the FDA.

While manufacturers have received reassurance about sharing patient information, the FDA stipulated that healthcare data must be “interpretable and useful to the patient.”

The FDA explained that shared information could be confusing or unclear to patients, which could lead to misinterpretation and patient safety risks. Manufacturers should take proper measures to help individuals decipher and interpret their data.

“When communicating patient-specific information, the manufacturer should take into consideration the characteristics of the intended audience that may affect interpretability,” stated the document. “Depending on the type and scope of information being shared, the manufacturer may choose to provide supplementary instructions, materials or references to aid patient understanding.”

Patient-specific information should also be “comprehensive and contemporary,” reported the FDA. For example, when patients request a history of healthcare measurements, the information should include all current and historical data.

Medical device manufacturers should consider providing relevant contextual information with the patient’s data, such as guidance on how information is measured or recorded by the medical device. For example, the FDA advised that information regarding how a pacemaker works, including the cases in which it puts out an electrical impulse, should be provided because it could prevent patients from drawing baseless conclusions.

Additionally, the FDA suggested that manufacturers present follow-up information with the health data.

“FDA recommends, at a minimum, that such manufacturers advise patients to contact their healthcare providers should they have any questions about their patient-specific information and may also wish to provide contact information for the manufacturer to answer questions from patients about the device at issue,” reported the document.

Healthcare providers and medical device manufacturers should be aware that the document is intended as a guide and it does not establish legally enforceable regulations. The FDA also noted that any labeling as defined under the Federal Food, Drug, and Cosmetic Act is subject to FDA regulations.

The FDA has recently taken steps to address many healthcare data security and patient privacy concerns associated with medical devices.

Earlier this year, the agency released draft guidance on medical device cybersecurity that encouraged manufacturers to monitor, detect, and address cybersecurity vulnerabilities with their devices. The document also aimed to inform the healthcare industry on post-market cybersecurity threats for marketed medical devices.

As more healthcare providers include medical devices in routine care delivery models, the FDA has worked to manage patient privacy issues with the new technologies. With help from the healthcare industry, the agency aims to develop clear guidelines for using medical devices and maintaining robust healthcare data security.
