Knowing the full chain of custody of a medical device is an important aspect of the medical device manufacturing process. It is critical to have a mechanism to track and locate devices while they are in use, as well as once they are decommissioned and disposed of. IoMT Solutions can provide you with all regulatory documentation needed to remain compliant with all state and federal manufacturing, privacy, and disposal laws.
Code of Federal Regulations Title 21
Section 821.25, paragraph (3)(viii), Medical Device Tracking Requirements, states that a manufacturer must maintain the following record: “If and when applicable, the date the device was returned to the manufacturer, permanently retired from use, or otherwise permanently disposed of.”
Read the full FDA Code of Federal Regulations
Title 21, Volume 8
PART 821 — MEDICAL DEVICE TRACKING REQUIREMENTS
Subpart C – Additional Requirements and Responsibilities
Sec. 821.30 Tracking obligations of persons other than device manufacturers: distributor requirements.
(a) A distributor, final distributor, or multiple distributor of any tracked device shall, upon purchasing or otherwise acquiring any interest in such a device, promptly provide the manufacturer tracking the device with the following information:
(1) The name and address of the distributor, final distributor or multiple distributor;
(2) The unique device identifier (UDI), lot number, batch number, model number, or serial number of the device or other identifier used by the manufacturer to track the device;
(3) The date the device was received;
(4) The person from whom the device was received;
(5) If and when applicable, the date the device was explanted, the date of the patient’s death, or the date the device was returned to the distributor, permanently retired from use, or otherwise permanently disposed of.
(b) A final distributor, upon sale or other distribution of a tracked device for use in or by the patient, shall promptly provide the manufacturer tracking the device with the following information:
(1) The name and address of the final distributor;
(2) The unique device identifier (UDI), lot number, batch number, model number, or serial number of the device or other identifier used by the manufacturer to track the device;
(3) The name, address, telephone number, and social security number (if available) of the patient receiving the device, unless not released by the patient under § 821.55(a);
(4) The date the device was provided to the patient or for use in the patient;
(5) The name, mailing address, and telephone number of the prescribing physician;
(6) The name, mailing address, and telephone number of the physician regularly following the patient if different than the prescribing physician; and
(7) When applicable, the date the device was explanted and the name, mailing address, and telephone number of the explanting physician, the date of the patient’s death, or the date the device was returned to the manufacturer, permanently retired from use, or otherwise permanently disposed of.
(c)(1) A multiple distributor shall keep written records of the following each time such device is distributed for use by a patient:
(i) The unique device identifier (UDI), lot number, batch number, model number, or serial number of the device or other identifier used by the manufacturer to track the device;
(ii) The name, address, telephone number, and social security number (if available) of the patient using the device;
(iii) The location of the device, unless not released by the patient under § 821.55(a);
(iv) The date the device was provided for use by the patient;
(v) The name, address, and telephone number of the prescribing physician;
(vi) The name, address, and telephone number of the physician regularly following the patient if different than the prescribing physician; and
(vii) When applicable, the date the device was permanently retired from use or otherwise permanently disposed of.
(2) Except as required by order under section 518(e) of the act, any person who is a multiple distributor subject to the recordkeeping requirement of paragraph (c)(1) of this section shall, within 5 working days of a request from the manufacturer or within 10 working days of a request from FDA for the information identified in paragraph (c)(1) of this section, provide such information to the manufacturer or FDA.
(d) A distributor, final distributor, or multiple distributor shall make any records required to be kept under this part available to the manufacturer of the tracked device for audit upon written request by an authorized representative of the manufacturer.
(e) A distributor, final distributor, or multiple distributor may petition for an exemption or variance from one or more requirements of this part according to the procedures in § 821.2.
[58 FR 43447, Aug. 16, 1993, as amended at 67 FR 5951, Feb. 8, 2002; 78 FR 58822, Sept. 24, 2013]
HIPAA Guidelines for the Healthcare Industry
Maintaining HIPAA compliance during normal business operations can be challenging. What happens when organizations dispose of their IT equipment or medical devices can be just as important, as many of those items contain patient data. Finding a disposal vendor that understands the HIPAA guidelines and can help you maintain compliance is crucial.
What are the HIPAA Rules?
The HIPAA Privacy Rule requires that covered entities, such as medical device manufacturers, distributors, and healthcare systems, apply appropriate administrative, technical, and physical safeguards to protect the privacy of Protected Health Information (PHI) in any form.
You are not permitted to simply abandon PHI or dispose of it in dumpsters or other containers that are accessible by the public or other unauthorized persons.
Read the full Summary of HIPAA Security Rules
Destruction and Disposal
Covered entities must implement reasonable safeguards to avoid incidental and prohibited disclosures of PHI. This includes the disposal of information, in any form. In addition, the HIPAA Security Rule requires that medical device manufacturers, distributors, and healthcare systems implement policies and procedures to address the final disposition of electronic PHI and/or the hardware or electronic media on which it is stored, as well as to implement procedures for removal of electronic PHI from electronic media before the media are made available for re-use.
Failing to implement reasonable safeguards to protect PHI in connection with disposal could result in impermissible disclosures of PHI.
Proper disposal methods for electronic medical devices and computer equipment containing PHI may include, for PHI on electronic media:
- Clearing: using software or hardware products to overwrite the media with non-sensitive data.
- Purging: degaussing, i.e. exposing the media to a strong magnetic field in order to disrupt the recorded magnetic domains.
- Destroying the media: disintegration, pulverization, melting, incineration, or shredding.
Vendor Due Diligence
The US Department of Health and Human Services states that before a computer or other electronic media that stores electronic protected health information is disposed of or reused, steps must have been taken to remove the Electronic Protected Health Information (ePHI) stored on it, or the media itself must be destroyed before disposal.
“The HIPAA Security Rule requires that covered entities implement policies and procedures to address the final disposition of ePHI and/or the hardware or electronic media on which it is stored, as well as to implement procedures for removal of ePHI from electronic media before the media are made available for reuse…. If circumstances warrant the destruction of the electronic media prior to disposal, destruction methods may include disintegrating, pulverizing, melting, incinerating, or shredding the media.”
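The "clearing" method listed above (overwrite with non-sensitive data) and the HHS requirement that ePHI be removed before media is reused both hinge on one thing an auditor will ask for: evidence that the overwrite actually reached every byte. The script below is an added example, not code from this page or from IoMT Solutions. It performs a single-pass overwrite on a file-backed media image, reads the whole image back to verify the pass, and produces a sanitization record. The record field names are an assumption modelled loosely on the certificate fields suggested in NIST SP 800-88; the serial number, operator and sample "PHI" content are constructed placeholders.

```python
"""Added example: clear (overwrite) a file-backed media image, verify by full
read-back, and emit a sanitization record for the disposal file.
Field names and sample values are assumptions, not from the page."""
import os
import tempfile
from datetime import datetime, timezone

PATTERN = b"\x00"   # non-sensitive overwrite value used for the "clear" pass
CHUNK = 1 << 20     # read/write granularity (1 MiB)


def clear_media(path: str, passes: int = 1) -> int:
    """Overwrite every byte of the image at `path` in place.
    Returns the number of bytes overwritten per pass."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining:
                n = min(CHUNK, remaining)
                f.write(PATTERN * n)
                remaining -= n
            f.flush()
            os.fsync(f.fileno())   # make sure the pattern reached the device, not just cache
    return size


def verify_cleared(path: str) -> bool:
    """Full read-back verification: every byte must equal the overwrite pattern.
    A sampled verification would be cheaper; a full read is what makes the
    record defensible."""
    with open(path, "rb") as f:
        while True:
            block = f.read(CHUNK)
            if not block:
                return True
            if block != PATTERN * len(block):
                return False


def sanitization_record(media_id: str, serial: str, method: str,
                        verified: bool, operator: str) -> dict:
    """Build the entry that backs a certificate of destruction/sanitization.
    Assumed field set, loosely following NIST SP 800-88's suggested contents."""
    return {
        "media_identifier": media_id,
        "serial_number": serial,
        "sanitization_method": method,
        "verification": "full read-back" if verified else "FAILED",
        "verified": verified,
        "operator": operator,
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
    }


# Constructed sample content standing in for ePHI on a decommissioned device.
SAMPLE_IMAGE = b"PATIENT=DOE,JANE;MRN=CONSTRUCTED-0001;" * 64


def demo(image_bytes: bytes = SAMPLE_IMAGE) -> dict:
    """End-to-end run on a temporary image: write constructed PHI, clear it,
    verify, and return the sanitization record."""
    fd, path = tempfile.mkstemp(suffix=".img")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(image_bytes)
        contained_data = not verify_cleared(path)   # True while PHI is still present
        written = clear_media(path)
        ok = verify_cleared(path)
        rec = sanitization_record(os.path.basename(path), "SN-CONSTRUCTED-1234",
                                  "Clear (single-pass overwrite)", ok, "operator-placeholder")
        rec["bytes_overwritten"] = written
        rec["contained_data_before"] = contained_data
        return rec
    finally:
        os.remove(path)


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The example operates on a raw image so that the overwrite and the verification cover the same bytes. Overwriting a file that sits inside a live filesystem does not give that guarantee (journals, snapshots and earlier copies are untouched), and on flash media the drive's own wear-levelling can leave old blocks out of reach of any host-side overwrite, which is exactly why NIST SP 800-88 distinguishes "clear" from "purge" and why a disposal vendor should state which one the certificate attests to.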
Is your disposal vendor clearing out your data and reselling your devices or are they providing you with a Certificate of Destruction to ensure total destruction has occurred?
A certificate of destruction accomplishes two things:
1. It is your proof that your devices were destroyed in an environmentally compliant manner by a certified electronics recycler.
2. The proof of destruction satisfies regulatory and audit requirements regarding various privacy laws.
Violations
The penalties for violating the HIPAA rules depend on the severity of the violation. If the violations are serious, have been persisting for a long time, or there are multiple areas of violations, financial penalties may be issued.
The penalty structure is:
- Tier 1: A violation that the covered entity was unaware of and could not have realistically avoided, had a reasonable amount of care been taken to abide by HIPAA Rules
- Tier 2: A violation that the covered entity should have been aware of but could not have avoided even with a reasonable amount of care (but falling short of willful neglect of HIPAA Rules)
- Tier 3: A violation suffered as a direct result of “willful neglect” of HIPAA Rules, in cases where an attempt has been made to correct the violation
- Tier 4: A violation of HIPAA Rules constituting willful neglect, where no attempt has been made to correct the violation
Each violation carries a separate HIPAA penalty and a number of factors are taken into account. These factors include the length of time the violation took place, the nature of the data that was exposed, the number of people affected by the violation, the level of harm that was inflicted by the violation, and the willingness of the offender to assist in the investigation.
- Tier 1: Minimum fine of $100 per violation up to $50,000
- Tier 2: Minimum fine of $1,000 per violation up to $50,000
- Tier 3: Minimum fine of $10,000 per violation up to $50,000
- Tier 4: Minimum fine of $50,000 per violation
The above fines for HIPAA violations are those stipulated by the HITECH Act. It should be noted that these are adjusted annually to take inflation into account. The HITECH Act increased the possible penalties for HIPAA violations to strengthen enforcement of HIPAA compliance and to give HIPAA covered entities a greater incentive to press forward with their compliance programs.
Download the NIST Special Publication 800-88 Guidelines for Media Sanitization
