
NEMA responds to regulatory confusion with its own security initiative


Fearing that a maze of healthcare regulations cropping up around the world has the potential to complicate product design, the medical informatics section of the National Electrical Manufacturers Association has launched a privacy and security initiative of its own.

NEMA and its member companies are concerned that the response of healthcare institutions to regulations such as the Health Insurance Portability and Accountability Act (HIPAA) in the U.S., and to similar laws in Europe and Japan, will lead to communication problems among institutions and unnecessary complexity in product design. It could also delay the adoption of better privacy and security measures.

NEMA has asked healthcare industry vendors to help define a common approach to new privacy and security regulations.

NEMA is taking a pragmatic approach, addressing specific areas such as remote serviceability of equipment, service access guidelines, and audit trails, said Vicki Schofield, industry manager for NEMA's medical division. Based on market needs, the initiative may be expanded in the future.

Five basic HIPAA regulations are related to information privacy and security:

• transactions and code sets;
• security and electronic signatures;
• privacy;
• employer identifiers; and
• healthcare provider identifiers.

The first regulation was published in the Federal Register in August. Others are being finalized and will go into effect two years after final publication.

The European Community directive (EC 95/46), adopted in 1995, though not specific to the healthcare industry, does attempt to broadly protect personal data by ensuring confidentiality and permitting only legitimate use. Transmission of patient health records, recognized as one of the most sensitive types of personal data, is restricted between complying countries, which include the U.S.

The U.S. Department of Commerce and the European Commission have adopted principles requiring that organizations provide notice, choice, onward transfer, access, security, data integrity, and enforcement when the disclosure of individual information is involved, Schofield said.

The Japanese regulation (HPB 517), published last year, is healthcare-specific and includes requirements for electronic storage of clinical records, authenticity and accuracy of data storage and transmission, legibility and security of stored information, patient privacy, and access control.

NEMA launched the initiative at the request of its European equivalent, the European Coordination Committee of the Radiological and Electromedical Industry. NEMA, in turn, enlisted its Japanese sister organization, the Japan Industries Association of Radiation Apparatus.

© 2024 MJH Life Sciences

All rights reserved.