Ask HN: Anyone familiar with medical software regulations and certifications? - tixocloud
======
davismwfl
Yes. There are a lot of varied areas of it though so you'll have to be more
specific. There are FDA requirements for some software that are quite different
than say HIPAA type certifications.

A very gross overview if you know none of it, FDA regulates anything that
might involve a patient's treatment or care, including recommendations based
off of data collected on the patient. HIPAA and other certifications really
deal with patient privacy, data access and security more or less.

Of them, FDA is the hurdle for most organizations because they have very
detailed regulations and requirements and rightfully are conservative on what
gets approved without significant validation.

~~~
tixocloud
Thanks for the overview - that's definitely very helpful.

From my perspective, it looks like I'll have to deal with both as we're
looking to host medical imaging algorithms and even if we aren't the ones
providing the recommendation itself, we will still be helping research labs
process them.

Where can I learn more about FDA requirements and HIPAA certifications? Are
there organizations that eventually conduct an audit and provide confirmation
that software companies indeed comply?

~~~
davismwfl
You can reach out to me privately via email if you'd like, in my profile.

FDA -- if this is required, you must go through certification with them and
depending on which regulatory group you fall under could be a simple 3-6 month
process to a multiyear process to prove the system is not a risk to patient
safety. If you are doing image processing and it is new algorithms, new
techniques, it will need to be clinically validated, which means studies etc,
so you are probably looking at 1 year minimum to get cleared before you can
legally sell in the U.S. If you are using existing cleared safe algorithms in
new ways, then it could be faster. If you are making clinical recommendations
then it could be considerably longer.

HIPAA is overall fairly easy if you are starting new, you can research it
online and reach out to any number of companies that can help you learn the
details. There are free classes given by some legal firms, government
agencies etc too that can give you the basics. Essentially, it is about
keeping data secure, limiting access, policies and procedures and reporting.
It isn't tough, mainly a lot of business processes and maintaining security
around patient records etc.

