4 Steps to Make Your App HIPAA Compliant

Make your app HIPAA compliant
While there are lots of resources and guides on how to make an app HIPAA compliant, organizing the whole development process so that it follows all the rules and regulations from the very beginning remains a challenge. This is why we have gathered our experience in this short article to help you deal with it.

Mobile technology has changed the lives of people all around the world, and the healthcare industry is undergoing a serious transformation of its own because of these technological developments.

There are several factors making health-related apps very appealing both for care providers and patients:

  • People rely more and more on social media and online services in many aspects of their lives.
  • Healthcare in the US and Western Europe is a highly profitable business sector: according to CSI Market, in Q2 2017 Healthcare Sector’s Gross Margin grew to 62.51%.
  • Smartphones and wearables are extensively used for telehealth, or mHealth services such as tracking patient vitals and data sharing between patients, doctors, and care providers.

The developers of healthcare mobile apps or software for wearable devices must understand the laws that regulate patient privacy and the security of medical data, because data breaches in the healthcare sector cause serious problems with significant financial consequences. In the past two years, nearly 90% of healthcare organizations in the US suffered data breaches, with estimated losses of $6.2 billion.

Let us find out what the core laws governing healthcare information protection are.

The core law governing the management, storage, and transmission of protected health information (PHI) is the Health Insurance Portability and Accountability Act (HIPAA). It was signed into law in 1996. The U.S. Department of Health and Human Services (HHS) subsequently published the HIPAA Privacy Rule (2000) and the HIPAA Security Rule (2003).

The Privacy Rule establishes national standards to protect medical records and other individually identifiable health information in whatever form it is held or transmitted, on paper, orally, or electronically. The Security Rule establishes national standards to protect electronic PHI (ePHI) that is created, received, used, or maintained by a covered entity.

In September 2013, the most recent major amendment to HIPAA, the Final Omnibus Rule, took effect (its compliance date was September 23, 2013). This amendment expanded the set of entities that must be HIPAA compliant. Before it, only covered entities, i.e. doctors, hospitals, and insurers, were directly liable under the HIPAA rules; their business associates were bound only through contract.

Now the Omnibus Rule makes every entity that stores, manages, records, or transmits Protected Health Information (PHI) on behalf of a covered entity directly responsible for HIPAA compliance. This means that if you are developing a medical app that handles PHI for a covered entity, you are developing a HIPAA compliant mobile app whether you planned to or not. Under HIPAA there is no safe harbor for developer businesses: keeping protected health information secure is a must if your services handle PHI.

There are two categories of entities regulated by the HIPAA Privacy Rule:

  • Covered Entities include:
    • health plans (such as health insurance companies, HMOs, company health plans, government programs paying for health care and the military and veterans health care programs),
    • health care clearinghouses (entities that process nonstandard health information received from other entities),
    • healthcare providers (doctors, clinics, psychologists, dentists, chiropractors, nursing homes, and pharmacies) who transmit any health information electronically in connection with a transaction for which HHS has adopted a standard.
  • A Business Associate is any person or entity that performs certain functions or activities involving the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.

The HIPAA Security Rule requires entities covered by HIPAA to have appropriate administrative, physical, and technical safeguards in place to ensure the confidentiality, integrity, and availability of ePHI. Administrative safeguards are the policies and procedures: risk analysis, workforce training, and deciding who is authorized to access ePHI. Physical safeguards cover facilities, workstations, devices, and media (for example, what happens to a lost phone or a retired disk). Technical safeguards are the technology controls applied to the health data itself: access control, audit controls, integrity protection, authentication, and transmission security.

Any company that is a covered entity or a business associate must do the following:

  1. Put the three above-mentioned categories of safeguards in place to protect patient health information.
  2. Reasonably limit the use and sharing of PHI to the minimum required to accomplish the intended task.
  3. Have Business Associate Agreements (BAAs) with the business associates that perform covered functions on its behalf.
  4. Implement procedures that limit the number of entities and individuals who can access patient information, and training programs that teach staff how to protect personal health information.

Not all health-related apps on the market are HIPAA compliant, and not all of them need to be. If you build your mHealth app to HIPAA software requirements, however, it may collect, store, and transmit PHI.

The criteria to check if your application should be HIPAA compliant are:

  • the app user (entity) type
  • the app information type (the information that is generated, stored, or shared)
  • the technical safeguards the app implements (encryption, access controls, audit controls)

If your app is intended for use by a Covered Entity, more than likely you’ll have to comply with HIPAA. Mobile app HIPAA compliance covers the transactions of PHI, i.e. the information that is included in a patient’s medical record, or that is used for healthcare services such as treatment, payment, or operations.

HHS lists 18 identifiers which, in combination with health data, make information PHI (the same list defines the "safe harbor" de-identification method):

  1. Names
  2. All geographic subdivisions smaller than a state (street address, city, county, ZIP code)
  3. All elements of dates (except year) directly related to an individual, including birth date, admission date, discharge date, and date of death
  4. Phone numbers
  5. Fax numbers
  6. Email addresses
  7. Social Security numbers
  8. Medical record numbers
  9. Health plan beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Vehicle identifiers and serial numbers, including license plate numbers
  13. Device identifiers and serial numbers
  14. Web URLs
  15. IP addresses
  16. Biometric identifiers, including finger and voice prints
  17. Full-face photographic images and any comparable images
  18. Any other unique identifying number, characteristic, or code

So if you collect, store, or transmit any of these identifiers together with health information, you must develop a HIPAA compliant medical app.
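Several of these identifiers (Social Security numbers, phone numbers, e-mail addresses, IP addresses, dates, record numbers) have recognizable shapes, so one practical safeguard is to redact them before they reach any log file, crash report, or analytics sink. The following Python logging filter is an added example, not code from the original article; the "MRN:" field label and the sample log lines are constructed for it. It catches only pattern-shaped identifiers: names, street addresses, and other free-text identifiers have to be kept out of log calls by design, and the filter on its own does not make an app compliant.

```python
import logging
import re

# Added example, not from the original article: a logging filter that redacts
# pattern-shaped HIPAA identifiers before a record reaches any handler. Names,
# street addresses and other free-text identifiers cannot be caught this way
# and must be kept out of log calls by design. The "MRN:" label and the sample
# lines below are constructed for this example.

PHI_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "[EMAIL]"),
    (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "[IP]"),
    # North American phone numbers with optional country code and "(555) " style area code.
    (re.compile(r"(?<!\w)(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b(?:\d{4}-\d{2}-\d{2}|\d{1,2}/\d{1,2}/\d{2,4})\b"), "[DATE]"),
    # Assumed log-format label for medical record numbers: keep the label, drop the value.
    (re.compile(r"\b(MRN[:=]\s*)\w+", re.IGNORECASE), r"\1[MRN]"),
]


def redact_phi(text: str) -> str:
    """Replace every matched identifier with a typed placeholder."""
    for pattern, replacement in PHI_PATTERNS:
        text = pattern.sub(replacement, text)
    return text


class PHIRedactingFilter(logging.Filter):
    """Rewrites the message template and its arguments, so formatted output is clean too."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_phi(str(record.msg))
        if isinstance(record.args, dict):
            record.args = {k: redact_phi(str(v)) for k, v in record.args.items()}
        elif record.args:
            record.args = tuple(redact_phi(str(a)) for a in record.args)
        return True


class CapturingHandler(logging.Handler):
    """Stands in for a file or syslog handler so the example can show what would be written."""

    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(self.format(record))


# Constructed sample log lines; no real patient data.
SAMPLE_LINES = [
    "Appointment booked for patient MRN: 84421 on 2017-09-23, phone 555-123-4567",
    "Password reset sent to jane.doe@example.com from 203.0.113.7",
    "Claim 7781 rejected: SSN 123-45-6789 does not match payer record",
]


def demo() -> list:
    """Attach the filter to a logger, log the samples, and return what the handler received."""
    handler = CapturingHandler()
    logger = logging.getLogger("ephi-demo")
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    logger.addFilter(PHIRedactingFilter())
    logger.addHandler(handler)
    for line in SAMPLE_LINES:
        logger.info(line)
    # %-style arguments are redacted as well, not only pre-formatted strings.
    logger.info("Contact %s at %s", "jane.doe@example.com", "(555) 123-4567")
    return handler.lines


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Attach the filter to the logger (or to every handler) in your logging configuration, not in individual call sites, so a developer cannot forget it; and treat it as a last line of defence behind code review, since a regex cannot recognize a patient's name.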

The last criterion is the technology used to protect ePHI and control access to it under the Security Rule's technical safeguard standards, such as Audit Controls, Integrity, and Access Control. The Audit Controls standard requires a medical app developer to have the hardware, software, and/or procedural mechanisms in place that record and examine activity in systems that contain or use ePHI.

The Integrity standard requires a covered entity to implement policies and procedures that protect ePHI from improper alteration or destruction. The Access Control standard requires:

  • unique user identification (required): every user gets an identifier of their own, authenticated with a password or PIN, a smart card or token, or biometric data; shared accounts are out,
  • emergency access procedures (required): a documented way to obtain necessary ePHI during an emergency, for example a power failure or system outage,
  • automatic logoff (addressable) after a period of inactivity,
  • and encryption and decryption of stored ePHI (addressable); encryption in transit is covered separately by the Transmission Security standard.
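One way to implement the Access Control, Audit Controls, and Integrity standards just described, as an added example in Python that is not part of the original article: each session is bound to a unique user ID and logs off automatically after an inactivity timeout, reads are limited to the patient's care team (the minimum-necessary rule), an explicit "emergency" (break-glass) read is permitted but flagged in the audit trail, and the audit trail is a SHA-256 hash chain so that altering or deleting an entry is detectable. The 15-minute timeout, the record layout, the user IDs and the patient data are this example's own assumptions, not text from HIPAA or from the article.

```python
import hashlib
import json
from dataclasses import dataclass, field

# Added example, not from the original article: a minimal backend enforcing the
# Access Control, Audit Controls and Integrity standards. The timeout value,
# record layout, user IDs and patient data are assumptions made for this example.

INACTIVITY_TIMEOUT_S = 15 * 60   # assumed policy value for automatic logoff
GENESIS = "0" * 64               # "previous hash" of the first audit entry


def _digest(body: dict) -> str:
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


@dataclass
class AuditLog:
    """Append-only trail (Audit Controls). Each entry commits to the previous entry's
    hash, so editing or deleting any entry breaks the chain (Integrity)."""
    entries: list = field(default_factory=list)

    def record(self, user_id: str, action: str, patient_id: str, clock: int, emergency: bool = False):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"ts": clock, "user": user_id, "action": action,
                "patient": patient_id, "emergency": emergency, "prev": prev}
        self.entries.append({**body, "hash": _digest(body)})

    def verify(self) -> bool:
        prev = GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev"] != prev or _digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


class Session:
    """Authenticated session bound to one unique user ID (no shared accounts)."""

    def __init__(self, user_id: str, clock: int):
        self.user_id = user_id
        self.last_activity = clock
        self.active = True

    def touch(self, clock: int) -> bool:
        """Automatic logoff: idle past the timeout ends the session; the caller must re-authenticate."""
        if not self.active or clock - self.last_activity > INACTIVITY_TIMEOUT_S:
            self.active = False
        else:
            self.last_activity = clock
        return self.active


class EphiStore:
    """Grants reads only to the patient's care team (minimum necessary), except for an
    explicit, always-audited emergency (break-glass) read."""

    def __init__(self, audit: AuditLog):
        self.audit = audit
        self.records = {}     # patient_id -> clinical data (constructed in demo)
        self.care_team = {}   # patient_id -> set of user_ids allowed to read

    def read(self, session: Session, patient_id: str, clock: int, emergency: bool = False) -> dict:
        if not session.touch(clock):
            raise PermissionError("session expired; re-authenticate")
        on_team = session.user_id in self.care_team.get(patient_id, set())
        if not on_team and not emergency:
            self.audit.record(session.user_id, "READ_DENIED", patient_id, clock)
            raise PermissionError("not on this patient's care team")
        self.audit.record(session.user_id, "READ", patient_id, clock, emergency=not on_team)
        return self.records[patient_id]


def demo() -> dict:
    """Normal read, denied read, break-glass read, automatic logoff, tamper detection."""
    audit = AuditLog()
    store = EphiStore(audit)
    store.records["P-1001"] = {"dx": "I10", "meds": ["lisinopril"]}   # constructed, not real data
    store.care_team["P-1001"] = {"dr.lee"}
    t0 = 1_500_000_000
    lee, kim = Session("dr.lee", t0), Session("dr.kim", t0)
    out = {}
    out["lee_read_ok"] = store.read(lee, "P-1001", t0 + 60)["dx"] == "I10"
    try:
        store.read(kim, "P-1001", t0 + 120)
        out["kim_denied"] = False
    except PermissionError:
        out["kim_denied"] = True
    store.read(kim, "P-1001", t0 + 180, emergency=True)          # break-glass, flagged for review
    out["emergency_flagged"] = audit.entries[-1]["emergency"] is True
    try:
        store.read(lee, "P-1001", t0 + 60 + INACTIVITY_TIMEOUT_S + 1)
        out["lee_logged_off"] = False
    except PermissionError:
        out["lee_logged_off"] = True
    out["audit_intact"] = audit.verify()
    audit.entries[-1]["emergency"] = False                        # someone tries to hide the break-glass read
    out["tamper_detected"] = not audit.verify()
    return out
```

In production the audit entries would be written to append-only storage outside the application's own database, and the chain head would be periodically signed or shipped to a separate system; the hash chain shows tampering, it does not prevent it.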

So, if your prospective app will exchange PHI with doctors and medical facilities in electronic form, you will most likely need to build HIPAA compliant software.

Having delivered a number of HIPAA compliant mobile apps, we have compiled some useful tips on how to approach them.

  • Your role and responsibility must be clear and comprehensive.
  • A qualified specialist (HIPAA or security expert) must define the security requirements for your healthcare app and review the app architecture.
  • Risk and exposure must be minimized.
  • Once again, reasonably limit the use and sharing of PHI to the minimum required to accomplish the intended task – don’t access, display, or store data that is not necessary.
  • Use a clear and concise privacy policy.
  • Avoid storing or caching PHI on the device whenever possible.
  • When using cloud storage, secure PHI both in transit and at rest; the cloud provider itself must also be HIPAA compliant.
  • Under HIPAA, a Business Associate Agreement must be signed with any third-party provider that handles PHI on your behalf.
  • Secure data storage and transmission is another must.
  • Data encryption at all stages helps you stay HIPAA compliant. According to NowSecure CTO David Weinstein, 80% of the 200 most popular free iOS apps do not enforce App Transport Security (ATS). ATS forces an app to connect to back-end servers over HTTPS (TLS 1.2 or newer) instead of plaintext HTTP, so data is encrypted in transit. Use the available tools and protocols to encrypt and verify data both at rest and in transit. Remember that SMS and MMS are not encrypted, so never transmit PHI through them.
  • Make your app secure and continuously validate its security. Your app should require re-authentication after a period of inactivity.
  • Never put PHI in push notifications. Keep PHI out of backups and log files; on Android, files written to shared external storage such as an SD card can be read by other apps.
  • Follow secure mobile development best practices, for example, OWASP Mobile Top 10.
  • Get Cprime's professional team of NetOps engineers and project managers to audit your HIPAA compliant app infrastructure and code.

Contact our team at learn@cprime.com for more information on HIPAA compliance application development.