HIPAA stands for Health Insurance Portability and Accountability Act. It is a United States Legislation that sets the standard for data privacy and security provisions for safeguarding medical information. This Act encompasses nearly every aspect of the US healthcare sector.
Data security and privacy in general has become a sensitive and challenging issue today. When it comes to mobile healthcare (mHeatlh) apps, those challenges and sensitivity becomes even more substantial. For this reason, it has become imperative for Healthcare companies and the app development companies to gain a better understanding of HIPAA.
Let us look into some important HIPAA guidelines, challenges and the features that goes into building a HIPAA compliant mobile app.
There are several terms, but the below listed three terms are the widely used ones and are often referred to.
Protected Health Information (PHI)
A(ny) data used to identify a patient. This includes both, health information (medical history, records etc.) and personal identifiers (name, birth dates, addresses, SS Numbers, photos, medical records etc.).
Individuals and companies offer healthcare services/operations, or accepting payments for them. This includes healthcare providers (doctors, dentists, hospitals etc), health plans (insurance, HMOs, Medicaid, Medicare etc.) and clearinghouses (companies that act as intermediaries between healthcare providers and insurance companies)
Third parties handling PHI on behalf of Covered Entities.
When do you come under HIPAA
According to HIPAA, one must sign a Business Associate Agreement (BAA) with any other party that has access to your PHI. Electing not to sign a BAA does not mean you are free from (or do not come under) HIPAA requirements.
It declares as this:
“Both Covered Entities and Business Associates need to comply with HIPAA. The law has no ‘safe harbor’ clause meaning that you have to be compliant even if you handle PHI unintentionally.”
Which means that when you deal with Protected Health Information (PHI) you would have to be HIPAA compliant.
For example: You offer a service through a mobile app that allows doctors to diagnose certain skin condition based on a series of anonymous photographs. Since the app does not hold PHI, it can neither identify the users nor it can divulge the details. The moment you add a person’s name address, photos etc., it becomes PHI.
Bottom line – if you are an entity like a hospital, insurance company etc., or any enterprise or a business firm who have developed a healthcare application that holds PHI, you fall under HIPAA.
Challenges related to healthcare mobile apps involving HIPAA
It is said that you don’t become compliant when you collect information, but you naturally fall under HIPAA when you share that information.
App developers should take extra caution while building certain features for healthcare apps. Since healthcare apps usually involve sensitive information such as PHI, it requires developers to carefully map out a good plan of action with regard to the security.
Here are some of the features when used in a ‘wrong’ way could lead to HIPAA violations.
Intentional or not, sending out a ‘wrong’ push notification to users could result in HIPAA violation. Also, bear in mind that sending out PHI by means of push notifications can be considered as a breach of privacy and can lead to HIPAA violations.
Text messaging is a widely used mode of communication between doctors and their patients. However, it could also trigger some risks in the ways of exposing private information to anonymous people. While building mHealth apps developers need to ensure that the data is fully protected by means of encryption, or some other form of data protection practice. Doctors and patients are advised not to use any non-medical app for texting official messages.
Following industry standards
It goes without saying that app developers, irrespective of which country they live in, should carefully consider and ensure the healthcare apps they build complies with the industry standard of that country. When this is in place, the app is much safer and will be in line with the regulations.
Considering the rising security threats and risks within the Internet of Things and mobile devices, it is very important to develop a highly secure mobile application that incorporates the best security measures as a first line of defence against malicious threats. Since data security is one of the prime aspects of HIPAA, building a safe and highly secure mobile application is more HIPAA-friendly.
App features to be considered for HIPAA compliant
Authorized access control
Accessing phones through password is a common practice, but passwords, as we all are well aware of, are not secure and foolproof. They could be cracked. In order to avoid data misuse, HIPAA law suggests that there should be additional protective layers, such as: Biometrics (e.g, Voice ID, Face ID, fingerprint) & Personal Identification Number (PIN).
Also, according to HIPAA Privacy Rule, no patient information should be viewed more than it is the job requires, and the patient has the right to view and impose restrictions on their PHI data.
In case of unauthorized entry into a device, as a second line of defence developers can encrypt the information to prevent data theft and misuse. The app should ensure that all sensitive data is completely encrypted, and preferably stored in the cloud.
Complete PHI disposal
The PHI data, when it is no longer required, should be completely removed. The PHI data can go undetected and can remain hidden in several places like smart devices, biomedical machines, scanners, photocopiers etc. If this data is somehow stolen or misused, the result could be damaging for both the medical company and the app development company leading to a breach. So, relevant methods should be deployed to dispose the data completely when its use is over.
Just like how completely removing the PHI data is important, it is equally important to take proper backup measures to safeguard the PHI to avoid data loss.
The ransomware attack at Marin Medical Practice Concepts in 2016 is a good example. The company paid an undisclosed ransom to the hackers to get back the patient data. However, due to a data backup failure, the company ended up losing about 5,000 patient records.
Make sure necessary backups are taken, and above all ensure these backups themselves adhere to the HIPAA security standards.
Additional security of mobile apps
Mobile devices getting lost or being stolen is a common occurrence, and the risk could become adverse if the device contains mhealth apps with sensitive patient data.
In order to prevent further damage, developers can add extra set of security features such as these:
* Screen lock
* Remote data-erasure
* Full-device encryption
If you are concerned about HIPAA compliance, you might as well be aware of HIPAA fines. The HIPAA has several tiers of fines, depending on the degree of negligence on the concerned party.
Image source: mindk
Note: the above mentioned list of fines may or may not be subjected to change. It is advised to keep a tab on the updated HIPAA fines.
We believe the above introduction and features requirement would have given your a fair idea about HIPAA, however, and since HIPAA compliant is a vast subject, we recommend that you dig a little more on HIPAA so that you leave no stone unturned to make sure your app is fully compliant to the HIPAA act.
Check out this detailed HHS website to gain a better understanding of HIPAA and other health information privacy topics.
At Ideaplunge, we develop international healthcare apps with solid security and privacy features. We are HIPAA compliant and adhere to the most recent and relevant healthcare app development procedures. Being one of the top mobile app development companies in India, we specialize in Android app development, iOS app development, Salesforce development, UI/UX design and other Web Services, with clients in over seven countries.
Do you have any queries on mHealth apps or about HIPAA compliance?
Just drop us a line at firstname.lastname@example.org, we’ll shed light upon it for you.