Returning Glucose meters
Does anyone have a BAA with your vendor for returning broken glucose meters? Specifically, if the screen is cracked, broken or not working and you can not verify that all PHI has been deleted?
Our Privacy Department has been working with our vendor (Nova) to get a chain of custody procedure in place that would meet requirements for protecting patient information stored in the meters. Needless to say this has been a timely and intensive process and they are wanting to know what "the industry standard" is and if other facilities have had similar issues. If you have dealt with this or have a process in place would you mind sharing? I currently have 5 meters that need to return but can't until this situation is resolved.
Thanks in advance for help, advice, etc.
| Topic | Replies | Likes | Views | Participants | Last Reply |
|---|---|---|---|---|---|
| Hemochron Sig Elite use outside of manufacturer temperature range | 0 | 0 | 42 | ||
| EPOC scanner issue post software update | 6 | 0 | 293 | ||
| PFA-100 | 0 | 0 | 121 |
We use RALS middleware. The patient information can be deleted before you return the meter as long as it is able to receive that message when docked.
We also have Nova and must have a BAA in place with every contract. Are you sure that someone doesn't have one on file somewhere?
Privacy has gotten a renewed BAA. The issue is they want proof that all devices being returned have had all ePHI erased from the meters. For the ones that are being returned because the screen is cracked or not working I can't verify that on my end. Therefore, they are saying that we need a chain of custody with a signature from someone at Nova who receives the meter back signing saying they have destroyed the meter....but they are usually being refurbished. And if they aren't destroying them then we need to be able to destroy the meter.....which doesn't work with our contract to return a meter in order to get a replacement. Confusing isn't it??? What is your process of verifying that all patient information has been erased from any instrument that is returned to a company? Thanks.
Great! One more thing to think about! I've never deleted off information from any meter I've returned for replacement. Pardon my ignorance but what does BAA stand for?
I didn't know either until all this came up...
"Under the U.S. Health Insurance Portability and Accountability Act of 1996, a HIPAA business associate agreement (BAA) is a contract between a HIPAA-covered entity and a HIPAA business associate (BA). The contract protects personal health information (PHI) in accordance with HIPAA guidelines." (copied from google)
Thanks for the information.
I would hope that the BAA covers wiping the data and resetting equipment back to factory settings for anything being refurbished. I have a meter security policy approved by our FISO; it states:
1.All POCT meters will be programmed to log out users after a set period of time if possible.
2.All POCT meters will discard patient information as soon as possible. If the meters can be programmed to erase data, it will be set for 24 hours after a successful download into the data manager. If the meter requires manual intervention, the data will be erased upon a successful download into the data manager or in a timely manner by the POCC or designee.
3.When not in use POCT meters will be kept in docking stations or plugged into chargers in plain sight of the staff responsible for its use or in a secure area. When taken into patient rooms, OR suites or interventional areas, the meters will be returned to the designated charging area upon completion of testing.
4.All patient data will be removed from the POCT meters, if possible, before being sent out for repair or replacement. HIPPA Business Associate Agreements are on file for all vendors or repair companies.
5.In the event of any missing, stolen or lost Point of Care Testing Meter, staff will notify the POCC or IS representative immediately. An analysis will be performed to determine if disclosure of patient health information may be at risk.