Scenario 1: Manufacturer makes an implantable device that collects data from the patient in order to function as intended. This data is uploaded automatically to servers of the manufacturer. As part of the device's design, a platform processes the raw data and sends the processed data to the physician. No analysis or clinical conclusions are conducted on the raw data--it is organized into a readable format for the physician to review and use for treatment decisions. QUESTION: Is the data that the device generates and transfers to the manufacturer PHI? QUESTION: Is the manufacturer a Business Associate because the device collects and processes data that becomes PHI? If by design the device processes the data (using an algorithm) would such functionality require a manufacturer to be a Business Associate even if they do not provide data analysis services outside of the device's capabilities? QUESTION: Does there need to be a Patient Authorization executed in order for the manufacturer to use the same data that it provides to the physician? (assume here that the data that the device collects and the data that is transmitted to the physician is the same and manufacturer would use the data it already has for various purposes)? QUESTION: Could the manufacturer contract directly with the patient to allow for the use of the data generated by their device for various purposes? Scenario 2: The same manufacturer also wants to provide a patient survey that collects information about the patient and their treatment. This information may be shared with the physician but goes directly to the manufacturer to begin with. QUESTION: Would the collection of this information require the execution of a Patient Authorization as it may become part of the patient's EHR? Scenario 3: The same manufacturer de-identifies any PHI it receives as part of the device design for various uses. Question: Does the manufacturer have to obtain a Patient Authorization in order to de-identify PHI that it already has possession of?
Question No. 154