Answers
Not GxP but a little higher, as in U.S. OIG - under both HIPAA and now Health Reform, to have control of PHI is to be responsible for every aspect of security and for reporting any breach, even for business associates.
See your local hospital's Risk Manager/Compliance Officer and offer to buy them a Starbucks for a quick get-up-to-speed session.
You should speak to a regulatory expert or legal counsel for advice for your specific product and situation. But I might be able to add clarity to your question. In general, for now, storing PHI does not automatically mean you are subject to 21 CFR Part 820 (i.e., that you are a medical device and need to demonstrate GMP).
That said, this might change soon. The FDA is considering calling for legislation that would give it authority over healthcare IT systems, and potentially applications that connect to Health Information System. Insofar as the FDA has received complaints of deaths or serious injury caused by an EMR malfunction, this legislation might be seen as advocating for patients and could receive a favorable hearing. The FDA already has oversight of PACS systems which contain PHI.
The HITECH and ARRA acts, which are helping to fund EHR implementations now, do charge the ONC with defining a certification pathway for EHRs implemented with the intent of receiving funds from ARRA or in order to be compliant with HITECH. The certification process is temporary at the moment, and I've provided a link below, although it appears only to apply to EHRs, and not (for now) to third-party programs that might contain PHI.