New IT risk management standard helps enable MDDS compliance

HIPAA compliance and Medical Data Device Systems compliance start with health IT risk management. The IEC 80001 risk management standard offers some guidance.

The recently updated Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule calls for health IT risk management and assessment. The National Institute of Standards and Technology (NIST) offers a great deal of guidance on the subject.

Compliance with the even newer Medical Data and Devices Systems (MDDS) regulation, however, requires an even more sophisticated IT risk management game plan. The regulation is forcing a lot of hospital IT leaders to overhaul their compliance strategies, said an expert speaking at's recent virtual conference on electronic health record (EHR) adoption and security (registration is required to view this content).

Luckily, hospital wireless managers and security officers don't have to start from scratch: they can begin with the International Organization for Standardization's new IEC 80001 health IT risk management standard instead. Although it's a voluntary standard, some of its components can help build MDDS compliance, said Rick Hampton, wireless communications manager for Boston-based Partners Healthcare System Inc.

"It's specifically aimed at helping health care facilities of all sizes manage their risks," said Hampton, who also sits on the technical committee that drafted the standard and continues to develop supporting guidance documentation. "If you go back and look at the [MDDS rule], there are requirements in there for risk management and quality systems that 80001 will go a great way [toward] helping hospitals with."

What the new medical device regulations cover

In its announcement of the final MDDS rule -- which goes into effect April 18 -- the Food and Drug Administration (FDA) said it covers "off-the-shelf or custom hardware or software products used alone or in combination that display unaltered medical device data; or transfer, store or convert medical device data for future use, in accordance with a preset specification."

At first glance it looked as if the FDA was simply loosening rules for the health IT vendors that are developing, marketing, or installing software. In effect, the FDA was "down-classifying" hardware and software from the more stringently regulated Class III -- high-risk devices that require premarket notification and testing -- to Class I, which requires simply listing devices with the FDA, as well as tracking adverse event reports.

The medical device regulations also apply to hospitals that develop or customize their own software, however. For the first time, these hospitals will be regulated in the same way as Class I device manufacturers are. In the Federal Register posting of the rule, the FDA said in response to commenters that EHR systems would not be covered:

"…[A]lthough we recognize that certain functions of an MDDS might be present in an electronic health record product, we expect electronic health record software generally falls outside the MDDS classification. Moreover, a device or system, such as a [computerized physician order entry] system, that, for instance, can order tests, medications or procedures, would not meet the MDDS definition because its intended uses fall outside that definition's scope."

The final MDDS rule also would not apply to other systems, such as those that route device alarms through Voice-over-Internet-Protocol phones, Hampton said. He encouraged hospital IT leaders to read the rule to get a handle on which technologies it would apply to in their facility.

IEC 80001 as IT risk assessment guidance -- to a point

IEC 80001 doesn't necessarily give hospitals an IT risk-management "punch list" for addressing medical device regulations, Hampton said. Instead, it offers a method for creating a plan customized to their needs. "What works for the hospital down the street may not work for you."

The committee members who drafted the international standard understand the FDA rules, Hampton said, and the method IEC 80001 prescribes was written as guidance to achieve compliance with medical device regulations.

"By following the 80001 voluntary standards, you'll have some idea how to implement the more vague regulatory requirements from the FDA," Hampton said. "For example, the FDA regulations require a quality system to be put into place. The 80001 describes the various functions that the different people inside the hospital would have to perform in order for a quality system to be in place. So, the 80001 is essentially a guidance document for hospitals on how to achieve a lot of that compliance."

Hampton concluded by pointing out that, because IEC 80001 is an international standard, it should not be considered the be-all and end-all for MDDS compliance. Customizing it to reflect only the FDA's rules would exclude regulatory agencies from other countries. "But it's still a good, sound footing for hospitals to employ," he said.

Let us know what you think about the story; email Don Fluckinger, Features Writer.
