Complete Guide To Building HIPAA Compliant Health Apps
The laws that relate to health information privacy (HIPAA Compliance) must be adhered to when developing healthcare mobile apps.
The US Department of Health and Human Services (HHS) Office for Civil Rights received 91,000 complaints of HIPAA violations between April 2003 and January 2013.
In May 2014, New York Presbyterian Hospital and Columbia University paid a combined $4.8 million to the Department of Health and Human Services after a data breach exposed 6,800 patient records.
In another case, in April 2014, a $1.7 million enforcement action was taken against Concentra, a Humana subsidiary, to resolve potential violations of the HIPAA rules.
These penalty figures are scary, but they are important to keep in mind.
The Health Insurance Portability and Accountability Act (HIPAA) is the law that regulates this kind of data. Enacted in 1996, it seeks to limit access to individually identifiable health information to those who 'need to know'. The health information protected by HIPAA is called 'protected health information' (PHI).
Different apps will require different levels of HIPAA compliance, depending on the kind of data they hold and share. Not every app needs to be HIPAA compliant, though.
These four questions will help you decide whether HIPAA compliance applies to your app.
#1 Who needs HIPAA Compliance?
Many apps collect users' information, but not all of them share that information with an internal or external party. You should know whether you are dealing with protected health information (PHI) or with consumer health information.
The simple rule of thumb is to distinguish between collecting information and sharing it.
If your app shares, or will share, the personal health data it holds with a covered entity such as a doctor or a health plan, or handles that data on such an entity's behalf, then you are dealing with protected health information, you are acting as a business associate, and you need a HIPAA compliant backend.
But if your app only collects the user's own health information and never shares it with anyone, then it generally falls outside HIPAA and you do not need to be HIPAA compliant.
Take for example the My Breast Cancer Journey app, which acts as a support system for cancer patients and their family and friends. Users enter their medical history and records, which can then be shared with the patient's family members and friends.
Since the information is both collected and shared, the app had to comply with HIPAA.
#2 When do you need HIPAA Compliance?
You need to plan for HIPAA compliance while your app is still in the development stage. Delaying it can result in penalties, fines and blacklisting, and the additional cost and time of reworking the app for compliance can significantly set you back.
Two important rules will help you further understand HIPAA compliance: the HIPAA Privacy Rule and the HIPAA Security Rule.
HIPAA's Privacy Rule focuses on an individual's right to control the use of his or her personal health information. If your app asks the user for any kind of health-related information, it should also let the user decide whether that information can be shared.
The user is also entitled to control who can access their information and under what circumstances it may be accessed, used or disclosed to third parties, in all formats: electronic, paper and oral.
In the case of the My Breast Cancer Journey app, it is at the discretion of the user (the patient) whether to share the assessment reports with anyone. This feature addresses the Privacy Rule.
HIPAA's Security Rule focuses specifically on electronic PHI (ePHI). Security here means the ability to control access and to protect information from accidental or intentional disclosure to unauthorized persons. Anyone can file a complaint with the Office for Civil Rights if they believe a HIPAA violation has occurred.
#3 What are the requirements of the HIPAA law?
According to TrueVault, to meet HIPAA's requirements for software you need to satisfy four main requirements of the law:
- Put safeguards in place to protect protected health information (PHI). These safeguards can be administrative, technical and physical: policies for staff who come into contact with PHI, encryption and decryption, audit controls, emergency access procedures, and the platforms used to secure the data.
- Reasonably limit the use and sharing of PHI to the minimum necessary to accomplish your intended purpose.
- Have agreements in place with service providers that perform covered functions. These agreements, called Business Associate Agreements (BAAs), ensure that service providers (business associates) use, safeguard and disclose patient information properly.
- Have procedures that limit who can access PHI, and training programs on how to protect it.
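Three of the technical safeguards named above (access limited to the minimum necessary per role, audit controls, and automatic logoff of idle sessions) can be seen together in the following example. It is added here as an illustration and is not code from the original article or from the My Breast Cancer Journey app; the record, roles, field sets and 15-minute timeout are hypothetical, and it uses only the Python standard library. It deliberately does not implement encryption of data at rest: for that, use a vetted library or the hosting provider's managed encryption rather than anything hand-rolled.

```python
"""Illustrative ePHI access layer (added example, hypothetical names/data):
role-based minimum-necessary field filtering, an HMAC-chained audit log,
and automatic logoff after an idle period."""
import hashlib
import hmac
import json
import time
from dataclasses import dataclass, field

# Constructed sample record; not real patient data.
RECORD = {
    "patient_id": "P-001",
    "name": "Jane Example",
    "dob": "1980-01-01",
    "diagnosis": "stage II breast cancer",
    "billing_code": "C50.9",
}

# Minimum necessary: each role sees only the fields its function requires
# (hypothetical policy).
ROLE_FIELDS = {
    "clinician": {"patient_id", "name", "dob", "diagnosis"},
    "billing": {"patient_id", "billing_code"},
    "family": {"name", "diagnosis"},  # only when the patient authorized sharing
}

IDLE_TIMEOUT_SECONDS = 15 * 60  # automatic logoff after 15 idle minutes (assumed)


class AuditLog:
    """Append-only audit trail. Each entry's MAC covers the previous MAC, so
    deleting, reordering or altering an entry breaks verification."""

    def __init__(self, key: bytes):
        self._key = key
        self.entries = []          # list of (entry_dict, mac)
        self._prev = b"\x00" * 32  # chain anchor

    def _mac(self, prev: bytes, entry: dict) -> bytes:
        body = json.dumps(entry, sort_keys=True).encode()
        return hmac.new(self._key, prev + body, hashlib.sha256).digest()

    def record(self, actor, role, patient_id, action, fields, now):
        entry = {"ts": now, "actor": actor, "role": role, "patient_id": patient_id,
                 "action": action, "fields": sorted(fields)}
        mac = self._mac(self._prev, entry)
        self.entries.append((entry, mac))
        self._prev = mac

    def verify(self) -> bool:
        prev = b"\x00" * 32
        for entry, mac in self.entries:
            if not hmac.compare_digest(mac, self._mac(prev, entry)):
                return False
            prev = mac
        return True


@dataclass
class Session:
    user: str
    role: str
    last_activity: float
    # patients this user may see (treatment relationship or patient consent)
    authorized_patients: set = field(default_factory=set)


class PHIStore:
    def __init__(self, audit: AuditLog):
        self._records = {}
        self._audit = audit

    def put(self, record: dict):
        self._records[record["patient_id"]] = dict(record)

    def get(self, session: Session, patient_id: str, now: float = None) -> dict:
        now = time.time() if now is None else now
        # Automatic logoff: an idle session is rejected and must re-authenticate.
        if now - session.last_activity > IDLE_TIMEOUT_SECONDS:
            self._audit.record(session.user, session.role, patient_id,
                               "denied_idle_timeout", set(), now)
            raise PermissionError("session expired; re-authenticate")
        session.last_activity = now
        # Access control: no relationship/consent for this patient, no record.
        if patient_id not in session.authorized_patients:
            self._audit.record(session.user, session.role, patient_id,
                               "denied_no_authorization", set(), now)
            raise PermissionError("not authorized for this patient")
        # Minimum necessary: return only the fields this role is allowed.
        allowed = ROLE_FIELDS[session.role]
        view = {k: v for k, v in self._records[patient_id].items() if k in allowed}
        self._audit.record(session.user, session.role, patient_id, "read", view.keys(), now)
        return view


if __name__ == "__main__":
    audit = AuditLog(b"demo-audit-key")  # in practice: a managed secret
    store = PHIStore(audit)
    store.put(RECORD)
    doc = Session("dr_a", "clinician", last_activity=1000.0, authorized_patients={"P-001"})
    print(store.get(doc, "P-001", now=1001.0))
    print("audit chain intact:", audit.verify())
```

The audit log is the piece practitioners most often get wrong: a plain application log can be edited by whoever has write access to it, whereas the chained MAC lets a reviewer prove that the trail for a given patient was not trimmed after the fact. Every denied attempt is logged as well, since failed access is exactly what an investigation needs to see.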
#4 How do you become HIPAA compliant?
Becoming a HIPAA compliant app means, among other things, storing PHI on infrastructure whose provider will sign a BAA with you; HHS does not certify or approve servers, so 'HIPAA approved' in practice means 'HIPAA-eligible service covered by a BAA'. Standard safeguards such as application logins and automatic logoff of idle sessions are built into the app itself as part of its core infrastructure.
Safeguards that call for heavier technical and physical controls, such as encrypted storage and physical data-center security, can be outsourced to a hosting provider that offers HIPAA-eligible services under a BAA. Amazon AWS and Microsoft Azure are two popular platforms for this.
However, you need not build every app feature on HIPAA compliant hosting. In the case of the My Breast Cancer Journey app, we built only the in-app messaging feature, the document-sharing feature and the image-sharing feature on HIPAA compliant servers, since these are the features that carry PHI.
Make sure you discuss compliance while you are discussing the overall project concept with your developers, to avoid legal hassle at a later stage.
Disclaimer: To fully understand HIPAA compliance for your app, consult a healthcare attorney.