The healthcare industry is primed to benefit mightily from the ever-expanding influx of medical apps, transforming areas such as personal fitness, information storage, and even complex medical procedures. However, many app developers fail to realize the the role of the Health Insurance Portability And Accountability Act (HIPAA) and the full extent of HIPAA’s applicability to their activities. This article aims to provide app developers with information on how to develop a HIPAA compliant app and related products.
Why Develop a HIPAA Compliant App?
If your app transmits personal information covered by HIPAA, failure to follow HIPAA requirements can be costly. HIPAA violations can result in civil damages up to $50,000 and criminal fines up to $250,000 and imprisonment. For more information on the potential consequences of violating HIPAA, click here.
Does Your App Need to be HIPAA Compliant?
HIPAA compliance for mobile applications hinges on two consideration:
- What type of information does the app collect, store, or share?
- Who is using the app?
Type of Information: PHI or Not?
HIPAA was created to protect individual privacy by regulating the dissemination of personal health information (PHI). PHI includes any individually identifiable information concerning health, health care, and payment for said care. For more information on the history of HIPAA and the legal definition of PHI, see Part 1 of this series.
Not all health-related apps need to be HIPAA compliant.
Only usage involving PHI must abide by HIPAA’s Privacy Rule and other requirements.
If your app allows users to collect information on their physical fitness, follow a medical regimen, or receive depersonalized medical data from a health care provider, you do not need to maintain compliance. On the other hand, if, for example, your app allows physicians to share information on specific medical procedures with one another or to follow up with their patients regarding individual treatment, you’ll need to design for compliance.
For more information on the requirements of HIPAA’s Privacy Rule, see Part 2 of this series.
Who Are the Clients?
HIPAA’s Privacy Rule (insert link) places restrictions on the collection, storage, and sharing of PHI by “covered entities” such as plans and health providers that transmit PHI via electronic transaction, as well as “business associates” that handle PHI on a covered entity’s behalf. Under HIPAA’s Privacy Rule, mobile healthcare applications that collect, store, or share PHI with covered entities must comply with HIPAA provisions. If your app’s client base includes covered entities or business associates, you may need to design for HIPAA compliance. For more information on the definition of covered entities or business associates, see Part 1 of this series.
What Are the Dangers of Mobile Technology and PHI?
The prevalence of smartphones, tablets, and other mobile devices pose unique challenges for mobile applications tasked with protecting PHI. Some of the difficulties associated with wearable and mobile technology include:
- Mobile devices are easily lost or stolen, threatening the security of PHI.
- Users may deviate from an app’s intended use intentionally or otherwise, sharing PHI even though the app was not designed for that purpose.
- The difficulty of manipulating touch keyboards on mobile devices renders it rare for users to choose complex passwords, decreasing the level of information protection.
- Built-in protections that depend on user action, such as password protections and screen locks, may not be used.
- Social media ease of access from mobile devices could result in the accidental sharing of PHI.
- Transmitting data via unsecured Wi-Fi networks or email applications could breach confidentiality, as could user communications such as push notifications.
- Using mobile cameras and cloud storage services to take, store, and share pictures could pose privacy concerns, especially if the cloud service provider has not signed a “business associate” compliance agreement.
How Do You Develop a HIPAA Compliant App?
If you’ve reviewed the above information and determined that you’ll need to build HIPAA compatibility into your app, you can achieve compliance by following these steps.
1. Think through possible user activity and analyze your clients’ business needs so you can identify potential trouble spots. It is always better to err on the side of compliance, even at the price of a lengthy and convoluted design process.
2. Design appropriate administrative, physical, and technical security measures to protect PHI. To accomplish this, incorporate the following best practices into your app design to develop a HIPAA compliant app:
- Provide options for disabling cloud service compatibility.
- Develop concrete policies governing the use of PHI on your app and the legal liability for misuse.
- Create password protection, screen locks, and encryption services that meet HIPAA’s technical standards.
- Enable remote data wiping or app deactivation protocols.
- Provide for safe and permanent removal of information from the app.
- Encourage organizational users to develop mobile risk management strategies.
- Ensure your push notifications do not include PHI.
- Examine FDA regulations to see whether your app qualifies as a medical device.
- Integrate your app with HIPAA-compliant services such as hosting providers, e-mail services, and companies that transmit, store, and secure your client’s information.
4. Perform regular privacy audits to ensure your administrative, physical, and technical security measures are functioning properly.
Contact us for personalized assistance with HIPAA compliance for your startup’s products.
More in this series:
This is the second in a series of three posts that cover the background of the Health Insurance Portability and Accountability Act (HIPAA), HIPAA requirements, and HIPAA compliance strategies for startups and small businesses. The aim of this series is to make the privacy provisions of HIPAA accessible and understandable to startups and small businesses.
DISCLAIMER: The information in this article is provided for informational purposes only and should not be construed or relied upon as legal advice. This article may constitute attorney advertising under applicable state laws.