New Privacy Legislation and New Medical Device Legislation Affect Hospitals and Doctors

27th August 2014

The recent amendments to the Australian Privacy Act offer stronger protection for patients and harsher consequences for breaches of privacy. CarePlus™ can help improve the protection of patient privacy.

Amendments to Australia's privacy laws came into force in March 2014, introducing thirteen Australian Privacy Principles (APPs). The APPs regulate the handling of personal information by organisations, and health service providers must comply with them. The new APPs also introduce civil penalties for institutions and individuals should breaches of privacy occur.

The new APPs require organisations to take reasonable steps to protect the personal information they hold and to take active measures to ensure the security of that information. Patient information and photographs stored on unsecured devices can constitute a breach of patient privacy. Under the new APPs, civil penalties have been introduced that may see institutions fined up to $1,700,000 and individual doctors fined up to $340,000 for patient privacy breaches.

Smartphone and mobile technology use within healthcare for communication, medical diagnosis and information exchange continues to grow. This presents new challenges for healthcare organisations attempting to protect patient privacy. Recent studies have evaluated smartphone use among clinical staff; one particular study found that 100% of training doctors used their smartphones for clinical photos, with 85% of these doctors storing over 100 such pictures on their smartphones.

With the enhanced legislation and harsher penalties, health service providers should be seeking solutions that prevent privacy breaches from occurring. CarePlus™ offers such a solution through its integration with Mobile Connect. CarePlus™ Mobile Connect is available on Apple®, Android®, Blackberry® and selected Cisco® devices. The application is also able to meet the requirements of the Health Insurance Portability and Accountability Act (HIPAA), which protects patient privacy in the United States.

In addition to this new privacy legislation, hospitals have to come to terms with the new international medical device regulation now being applied to Nurse Call Systems. The Therapeutic Goods Administration (TGA) now regulates Nurse Call Systems as medical devices, following an international trend started by the International Medical Device Regulators Forum (IMDRF) to harmonise the definition of a medical device to include Nurse Call Systems. The IMDRF also recently harmonised the definition and requirements for software “to be considered a Medical Device”. IMDRF member countries and authorities include Australia (TGA), the US (FDA), the European Commission Directorate General Health and Consumers, Canada (Canada Health) and Japan (Pharmaceuticals and Medical Devices Agency), to name a few.

Various countries have already implemented legislation regulating Nurse Call Systems in line with these international agreements. The US Food and Drug Administration (FDA) in 2011 regulated Nurse Call Systems under its Medical Device Data Systems (MDDS) legislation, initially as a Class I device and more recently as a Class II device. In the EU, suppliers of Nurse Call Systems are required to meet the Medical Device Directive (MDD) patient safety requirement EN 60601-1. Further, following the IMDRF agreements, national regulation now requires that software within medical devices conform to a medical-device-grade superset of ISO 9000 quality control procedures referred to as QSR820. These standards are onerous for non-medical-grade systems (such as electronic light and buzzer systems) but well known and practised within the medical devices industry.

The United States, through the FDA[1], is several years ahead in regulation and audit, with its MDDS legislation implemented in 2011. The FDA has implemented a robust audit process for manufacturers of nurse call systems and has already issued many warning letters to manufacturers of ‘adulterated’ nurse call systems. This includes letters instructing manufacturers to stop manufacturing until audited issues have been resolved. These adverse audit findings and warning letters are published on the FDA website and are publicly available.

Regulation and audit within other IMDRF member countries, including Australia[2], the UK[3] and the EU[4], across national health systems, private healthcare and manufacturers' facilities, has historically been largely unaudited and, to a lesser extent, unregulated. As a consequence of the lagging audit processes and procedures, many acute care facilities in these countries still consider the purchase and implementation of a nurse call system to be a “non-clinical acquisition”. Even more concerning for patient safety, and in flagrant disregard of legislation and regulation, nurse call systems are purchased as part of a building industry contract as an ‘electrical switch’, under the same contract as bricks and mortar, rather than even as an Information and Communication Technology (ICT) system.

With the convergence of ICT (Information and Communication Technology) systems, smartphones and Nurse Call Systems, it is critical to realise that these two new pieces of legislation affect every acute care hospital through to every aged care facility in Australia. In the second decade of the 21st century these systems must not be part of a construction project and should be delivered outside the building contract. The hospital project purchasing group is divided into two areas: clinical acquisitions (medical devices) and non-clinical acquisitions (bricks and mortar). A non-clinical acquisition of a nurse call system with an associated clinical app deployment on a smartphone will adversely impact healthcare business objectives, the future well-being of patients and thus corporate clinical governance standards, leading to breaches of legislation. The regulation is clear: nurse call systems need to be moved to the clinical acquisition group.

Perhaps the days of purchasing complex medical devices, and their integration with smartphones, which have a significant effect on patient safety and patient privacy, through the building contract and sub-contracted to an electrician, should come to an end?

[1] The FDA regulatory requirements can be found at

[2] In Australia the Act (legislation) is available on the TGA website

[3] In the UK the Medicines and Medical Devices Regulatory Agency

[4] In Europe details of medical device regulation can be found at