2.1. FEDERAL LAWS, REGULATIONS, AND CODES
information has been identified, one can request from the respective manufacturer how the patient
information is stored, transmitted, and protected. This information is commonly provided using the
Manufacturer Disclosure Statement for Medical Device Security (MDS2) form that was developed
in collaboration with a number of professional associations [HIMSS, 2012]. Using the MDS2
information, appropriate safeguards can be developed to protect PHI within medical equipment using
a combination of passwords, isolation from networks, network protection, virus protection, firewalls,
HIPAA Privacy Rule
The Privacy Rule complements the Security Rule by requiring appropriate safeguards to protect the
privacy of PHI, and sets limits and conditions on the uses and disclosures that may be made of such
information without patient authorization.
The CE Department is responsible for controlling PHI stored in medical equipment to
prevent unauthorized use while the equipment is being serviced. This includes controlling the
access of medical equipment to service vendors, deleting or encrypting PHI stored in equipment
sent out for service, and removing all PHI before disposing of retired equipment. In addition, the CE
Department needs to be trained to comply with the hospital's HIPAA policies and procedures.
In case CE is outsourced, the hospital may opt to require the outsourcing company to sign
a business associate (BA) contract, thus transferring compliance with the Privacy Rule to the latter.
According to the Office for Civil Rights' interpretation of the HIPAA Privacy Rule (45 CFR
164.502(a)(1)), the BA agreement is not mandatory, as any disclosure of PHI that occurs in the
performance of their duties (such as what may occur while repairing a piece of medical equipment)
is limited in nature, occurs as a by-product of the maintenance duties, and cannot be reasonably
prevented [OCR, 2012]. Regardless of the existence of the BA agreement, it is strongly recommended
that all third-party employees working in the hospital be required to receive the same training as
hospital employees, even when the disclosure of PHI is incidental.
2.1.3 REGULATIONS ENFORCED BY FDA
While most of the medical device regulations are applicable to device manufacturers, some of them
apply also to hospitals and, therefore, to CE departments.
Human Blood and Blood Products
While blood and blood products are not obviously medical equipment, the FDA regulations for
blood banks and transfusion services have several specific requirements applicable to equipment
used in these services. Therefore, if a hospital offers these services on site, it is subject to FDA
inspections, and the CE Department must comply with equipment maintenance and management
The protection of PHI during clinical use is the responsibility of clinical departments with assistance from IT.