Ale Brown, Kirke Management

Creating an Effective and HIPAA-Compliant Data Management Strategy

By Ale Brown

The data that medical devices use is one of the most sensitive types of information.

The speed at which medical devices and new ideas for health applications are evolving is staggering. As of November 2017, there were approximately 325,000 mobile health apps in the market, with an average of 78,000 new mobile health apps added every year [1]. As such, medical devices have become one of the largest collectors and users of health information.

Interconnectivity and constant monitoring are increasing the rate at which we consume data in order to identify patterns, make decisions, analyze results and improve functionality, among other important activities. Yet the data that medical devices utilize is one of the most sensitive types of information. Health information is unique and permanent; it cannot be reset and, if compromised, can bring considerable impacts and risks to the individuals whose health information has been exposed.

The exponential growth in the digital transfer of health information brings with it associated risks in the management of that information. Health data can be compromised on multiple fronts: on the device itself, when pairing it to another device such as a smartphone, or through any third-party application that has access to the medical device. It can also be compromised once it is available to the manufacturer and used as clinical data for research or any other purpose. Therefore, it is critical for regulations like HIPAA to ensure healthcare organizations are compliant in the management and safeguarding of health information.

The Risks of a Poor Data Management Strategy

A clear data management strategy is critical to ensure that the information medical device manufacturers and application developers have access to is not only actionable but can be used for the benefit of the patients to whom it belongs.

Collecting data generated by these devices without a clear purpose or vision is an exercise in futility because it does not allow physicians and researchers to see the forest for the trees. These researchers may become consumed with details that may not be relevant for the issue at hand and the data overload may serve as a distractor rather than an enabler. In this case, more is not necessarily better.

Another issue that is quite prevalent in this context is the retention of data for a long period of time—which, in some current cases, is forever. The nature of medical research is to require access to a myriad of data points across a long time span in order to identify trends, patterns and internal or external factors that may affect outcomes. But how long is too long? When does access to old data sets exhaust the value that the data provides, so that companies start facing the law of diminishing returns?

Keeping these facts and questions in mind, healthcare organizations and medical device manufacturers must determine how to maximize the benefits of health information insights while, at the same time, ensuring that the risks in the collection, use and disclosure of such information are properly mitigated or avoided altogether.

Data management strategies are often talked about but not sufficiently put into practice. The privacy and security requirements embedded in HIPAA indicate the importance of data management, but neither this regulation nor other privacy regulations around the world put specific emphasis on data management. Moreover, organizations should not embark on developing these strategies in a prescriptive way because a regulation requires it, but because it is sound business management.

The following are key components to a data management strategy for medical device companies to start with when it comes to optimizing the health information they are privy to in an effective, efficient and compliant manner.

Set Your Strategy and Determine Objectives

First of all, identify the vision and strategy of your business and how they will be enabled by collecting and using health information. How will health information support your business to thrive? What information is considered critical to your success? How will health data help differentiate your business from competitors?

Once the vision and strategy are clear, determine your objectives. What information will be used for clinical research? Which will be used for improving the product or the services around the device? What information is required legally and what information is required for marketing purposes? What information is critical to decision-making?

Identify a People, Process and Technology Structure

Once your strategic vision is established, move down to tactics. Tactics will guide how data management processes enforce the appropriate use of health information.

A clear structure is vital in determining a successful strategy. Consider questions such as: Who will have access to which datasets? Who will own the data? Who will implement controls around the management of the data? Who will consume the data and under what circumstances? Will the data sets be shared internally or externally? How far back are these data sets meaningful and appropriate for the goals established? Who will ensure that internal rules and external regulations around the collection, use and disclosure of health information are followed? What role will technology play in safeguarding health information and ensuring that it is accurate, available and confidential at all times?

Execute, Control, Review and Improve

With policies, processes and procedures in place, it is time to ensure that these rules are followed across the board to guarantee compliance and most importantly, to preserve the accuracy, confidentiality and integrity of the health information you use.

Controls must be put into place to reinforce and supervise follow-through on established policies, processes and procedures. The real purpose of regulations is to make you understand your data better and how you are protecting it, to ensure it doesn’t fall into the wrong hands. This is especially important when it comes to HIPAA compliance. Personal data protection and privacy management are not static and must be a part of how you conduct business.

Always Put the Patient First

Answering all these questions and establishing a clear structure around the management of health information as a starting point will help medical device organizations ensure that their devices, and the information and knowledge gained from them, are put to use for a greater purpose: the health and well-being of humankind.

  1. Research2Guidance (R2G). mHealth App Economics 2017: Current Status and Future Trends in Mobile Health. November 2017. Retrieved from
