Security best practices under HIPAA

- Document Everything – look through the rule, pick out each standard and each implementation specification and create a chart that briefly describes how you are addressing each.
- Require and use strong passwords – teach your staff andcoworkers how to create them
- Limit systems access to those who absolutely need it for their jobs
- Create written policies and procedures detailing the requirements
- Provide regular (annual) training
- Audit your own compliance
- Check state law for breach/incident notice requirements
- Be afraid. These rules apply to the smallest medical practices and the largest healthsystems and health plans
- Information Security is a hot topic. New lawsare being passed constantly.
- HIPAA may not provide for a private right of action but novel legal arguments are beingtested
- A major breach in your information securitycan be a public relations disaster.
- The media will be quick to report an inappropriate release of significant amounts of PHI

What is Protected Health Information (PHI)?

Individually identifiable information collected ormaintained by a Covered Entity
- Can be oral or written
- Can be in any medium (electronic, printed, recorded)
- Includes simple demographic data
– just the fact that someone is your patient/plan member is PHI
- It’s still PHI if someone could reasonably figure out who the individual subject is.
- Sometimes a judgment call but best to be conservative

As per HIPAA guidelines following may receive PHI about an individual.
- The individual (must disclose)
- Anyone who has been authorized by the individual
- Anyone who is the individual’s Personal Representative
- Governed by state law but typically guardians, agents underPowers of Attorney, estate executors,
- Parent of an unemancipated minor EXCEPT if the minor has the ability to consent to the treatment (typically relates tomental health, substance abuse treatment and other sensitiveissues such as abortion and birth control.
- State law governs here. Know your state’s laws regardingPowers of Attorney, guardianships and executorships.
- Providers involved in the treatment of theindividual
- State and Federal agencies performing healthoversight activities (CE is permitted, but not required, to disclose unless state law requiresdisclosure).
- Other CEs when the disclosure is necessary tofacilitate Treatment, Payment or Health Care Operations

Invitro device and 510K related information resource

- Medical Device Guidance Documents - [http://www.fda.gov/cdrh/guidance.html ]
- CDRH Databases - [http://www.fda.gov/cdrh/databases.html ]
- Code of Federal Regulations - [http://www.fda.gov/cdrh/devadvice/365.html ]
- International Information - [http://www.fda.gov/cdrh/international/ ]
- Consumer Information - [http://www.fda.gov/cdrh/consumer/index.html ]
- Overview of Regulations - http://www.fda.gov/cdrh/devadvice/overview.html
- Is Your Product Regulated? - http://www.fda.gov/cdrh/devadvice/31.html
- Classify Your Medical Device - http://www.fda.gov/cdrh/devadvice/313.html
- How to Market Your Medical Device - http://www.fda.gov/cdrh/devadvice/3122.html
- Does Your Product Emit Radiation? - http://www.fda.gov/cdrh/devadvice/311.html
- Registering Your Establishment -http://www.fda.gov/cdrh/devadvice/341.html
- Listing Your Medical Device -http://www.fda.gov/cdrh/devadvice/342.html
- PMN = Premarket Notification 510(k) -http://www.fda.gov/cdrh/devadvice/314.html
- Device Exemptions 510(k) but with GMP - http://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfpcd/315.cfm
- Investigational Device Exemption (IDE) http://www.fda.gov/cdrh/devadvice/ide/index.shtml - Premarket Approval (PMA) Class III Devices http://www.fda.gov/cdrh/devadvice/pma/
- Quality System (QS) Regulation for Good Manufacturing Practices (GMP) http://www.fda.gov/cdrh/devadvice/32.html
- Device Labeling Requirements http://www.fda.gov/cdrh/devadvice/31.html
- Medical Device Reporting (MDR) http://www.fda.gov/cdrh/devadvice/351.html
- Device Recalls Corrections Removals http://www.fda.gov/cdrh/devadvice/51.html
- Importing Medical Devices into the U.S. http://www.fda.gov/cdrh/devadvice/391.html
- Exporting Medical Devices from the U.S. http://www.fda.gov/cdrh/devadvice/39.html

Four Basic Factors to Microbial Kill

EO Concentration

• Commonly 400 and 700 mg/l
• As EO concentration increases at a given temp and RH,
  –microbial inactivation (kill) rate increases
• Killing concentration required at the site where the microbes (BI’s) are located

Water Vapor (Humidity)

Required for EO to react with the critical cell molecules
• Generally measured as Relative Humidity

Temperature

• Kill rate increases with temperature
  –D-value decreases (time) with temperature
  –Exponential function
• For each 10°C (18°F) rise in temperature, the spore inactivation rate will generally double

Time

• Amount of kill increases with exposure (EO gas dwell) time
• 90 percent of surviving microbes are killed for each D-value time in gas dwell

D Value ?

• Determined to prove predictable logarithmic death kinetics of challenge microorganisms (BIs) or natural bioburden
• “Decimal” Reduction Time - Measure of the biological organism’s resistance to the sterilant
• Time in minutes necessary to reduce (kill) a microbial population by one logarithm or 90%
• A Simple D-Value Calculation
  Time

-----------------------------

Log of Starting Population – Log of Final Population

Best practices in supplier Quality

Best Practice #1: Push Quality Upstream
• Deploy a web-based system and make it available to outsourcedmanufacturers
• They collect quality data and enter real-time into the quality system
• Quality data is instantly available to OEM quality engineers
• Process metrics are calculated by the system and pushed to quality
engineers every few hours
• Benefit: Engineers spend more time on working with
outsourced-manufacturers to improve process quality rather
than data collection and reporting

Examples -
Large Golf Manufacturer
• Sources components and clubs from dozens of suppliers worldwide.
• Also assembles clubs at multiple facilities around the world
• Process capability monitoring critical to keeping cost of poor quality

.low in an outsourced operation
• Benefits of implementing a web-based QMS at outsourced-manufacturer
• Data converted into information in a timely manner.
• Information is made available to all relevant parties while the
information is still fresh, thus enabling timely action.
• Engineers can address issues and take corrective action in time and
even before the lots reach the warehouse
• Cpk improved over 70% in 18 months

Best Practice #2: Streamline Audits

Other Audit Best Practices
• Clearly defined processes and metrics, so audit can discover unambiguous
process quality issues
• Audit process must incorporate the results of previous audits to track progress
against previous nonconformities
• There is a well defined process for root cause analysis and corrective actions
• Corrective and Preventive Actions are reported formally to all stakeholders

Best Practice #3: Live Supplier Scorecard

Key Metrics
• PPM of Components
• # of Corrective Actions Last Quarter
• Average Response and Resolution time for CAR
• # RMAs Processed per month
• MRB Inventory Levels
• Performance against benchmark

Best Practice #4: Closed-loop QMS

Stand Alone modules
• No Closed Loop Feedback
• No integrated process dashboard
Integrated closed-loop QMS
• Information flows easily from one module
to another
• Powerful drill down and drill across of analytics.

Best Practice #5: Calculating Cost of Poor Quality

COPQ 5% to 30% for most manufacturing companies
• Average COPQ is 20% for a manufacturer
• 1% for a six sigma company
• Over 25% for a three sigma company
• F50 company saved $1B/year in going from COPQ of 9+% to under 5%.

-Charge backs for additional cost incurred by the OEM due to
• Non-conforming components and materials
• Late deliveries from suppliers
• Introduce discipline and accountability

Best Practice #6: Build Business Case for QMS

Supplier Quality System is strategic to an OEM that outsources manufacturing
• VPs of Quality want to upgrade their Quality Systems but
can’t convince others about the investment
• Strategically linking quality with company objectives
• Defining before and after process maps
• Quantifying the value of infrastructure upgrade
• Getting buy-in from stakeholders

Framework for Defining Business Value

Savings From
• Cost Recovery
• Reduced Scrap
• Reduced Rework
• Reduced Inspections
• Reduced MRB Inventory
• Reduced Line Shutdowns
• Improved Equipment Utilization
• Reduced Warranty Recalls, Returns