Earlier today there was the CMS' teleconference on HIPAA enforcement
(you know, your name in the papers, fines, lots of quality time with lawyers). It was a great session with
lots of good reference info and guidance. (You can download the
presentation here.) All that talk about enforcement got me to thinking...

HIPAA privacy and security regulations
apply to any system or device in a hospital with electronic patient
identifiable information (ePHI), including many medical devices.
According to a recent HIMSS/Phoenix Health Systems survey,
only 43% of providers (up from 18% in January 2005) have achieved
Security compliance. Surprisingly, the largest hospitals (over 400
beds) had the lowest compliance (34%). Another data point is the
lack of hospital adoption of the Manufacturer's Disclosure Statement for Medical Device Security, which is a tool created to help assess the vulnerability and risks associated with ePHI transmitted or maintained by
medical devices.

There are many reasons for this potential oversight. The most obvious
is the typical organizational separation of hospital device guys
(Biomedical Engineering) and the computer guys (IT). This separation is
compounded by the lack of experience IT has with medical devices (IT is
usually responsible for HIPAA Security and calls the shots). And unlike
HIT vendors who know the HIPAA implications of their products in their
sleep (especially the Security provisions), most medical device vendors
are waaay behind the curve.

What to do? At minimum, there are two key tools that you should utilize: the ECRI HIPAA Compliance Guide and the Manufacturer's Disclosure Statement.
If your hospital has not used these tools, or something equivalent,
then it is likely that if (when?) there is a complaint that includes a
medical device, you will gain first-hand knowledge of HIPAA enforcement.

For a compendium of information on medical devices and HIPAA, see Important Reference Web Links under the Resources tab at the top of this page.

UPDATE: Matthew Holt of The Health Care Blog
links to this post and relates some amusing anecdotes (as long as it's
not your hospital/product) about medical devices infected with
malicious code (scroll down to "Devices and Security").

UPDATE: HIMSS just sent out a press release noting that,
"a large percentage of covered healthcare organizations have yet to
achieve many HIPAA basics, according to the results of the U.S.
Healthcare Industry HIPAA Survey, sponsored by the Healthcare
Information and Management Systems Society (HIMSS) and Phoenix Health

"...it is dismaying that large industry segments remain non-compliant with this
national initiative to achieve standardized, secure healthcare transactions and
high patient privacy levels that will improve the quality and cost-effectiveness
of our healthcare delivery system. One
must ask -- if security threats, federal penalties, and prospects for
significantly reducing healthcare errors, costs and other inefficiencies are not
sufficient incentives -- what are."

Great question.