Complete Guide To Building HIPAA Compliant Health Apps

The laws that govern health information privacy (HIPAA compliance) must be adhered to when developing healthcare mobile apps.

Violating the HIPAA rules can land you directly on the breach portal of the Office for Civil Rights (OCR), where the name of your healthcare practice or organization is permanently inked on its "wall of shame". Beyond the reputational damage and bad press, the monetary impact of these violations is also huge.

In October 2019, OCR imposed a $2.15 million civil money penalty on Jackson Health System for HIPAA violations.

Touchstone Medical Imaging agreed to pay $3 million to the Office for Civil Rights at HHS to settle allegations that the medical imaging provider had violated the HIPAA Security Rule.

These penalty figures are scary but important to note.

The Health Insurance Portability and Accountability Act (HIPAA) is the regulation that governs this business. The law, introduced in 1996, seeks to limit access to individually identifiable health information to those who "need to know". The health information protected by HIPAA is called "protected health information" (PHI). Always stay updated with this latest guide on healthcare technology trends.

Different apps require different levels of HIPAA compliance, depending on the kind of data they hold and share. Not all apps need to be HIPAA compliant, though.

These four questions will help you determine whether HIPAA compliance applies to your app.

#1 Who needs HIPAA Compliance?

Many apps collect users' information, but not all apps share that information with internal or external parties. You need to know whether you are dealing with protected health information (PHI) or consumer health information.

The simple rule for deciding whether you need HIPAA compliance is to distinguish between collecting information and sharing it.

If your app currently shares, or will share, the user's personal health data held in the app with any entity such as a doctor, then you are dealing with protected health information and need a HIPAA compliant backend.

But if your app collects the user's personal health information and does not share it with anyone at any point in time, then you do not need to be HIPAA compliant.

What comes under PHI?

Protected health information (PHI) is defined as "any information held by a covered entity that concerns health status, the provision of healthcare, or payment for healthcare that can be linked to an individual".

HIPAA lists eighteen personal identifiers that fall under PHI:

  • Names
  • All geographical data smaller than a state
  • Dates (other than year) directly related to an individual
  • Telephone numbers
  • Fax numbers
  • Email addresses
  • Social Security numbers
  • Medical record numbers
  • Health insurance plan beneficiary numbers
  • Account numbers
  • Certificate/license numbers
  • Vehicle identifiers and serial numbers including license plates
  • Device identifiers and serial numbers
  • Web URLs
  • Internet protocol (IP) addresses
  • Biometric identifiers (e.g. retinal scans, fingerprints)
  • Full face photos and comparable images
  • Any unique identifying number, characteristic or code
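To make the list above concrete, here is an added example (not code from the original article or from Arkenea) of a simplified de-identification pass over a patient record: it drops structured fields that map onto the identifier categories listed, keeps geography only at state level, reduces dates to the year, and scrubs identifiers that leak into free-text notes (SSNs, phone numbers, email addresses, URLs, IP addresses and dates). The field names, the regular expressions and the sample record are all constructed for this illustration and are assumptions, not a definition of what any particular app stores.

```python
"""Added example (not from the original article): a simplified de-identification
pass following the eighteen identifier categories listed above. Field names,
patterns and the sample record are constructed for this illustration."""
import json
import re

# Structured fields that map directly onto identifier categories from the list.
# These field names are assumptions made for the example.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street", "city", "zip",              # geography smaller than a state
    "phone", "fax", "email", "ssn", "mrn", "plan_id", "account_no",
    "license_no", "vehicle_plate", "device_serial", "url", "ip",
    "fingerprint_template", "photo", "other_unique_code",
}

# Patterns for identifiers that commonly leak into free-text clinical notes.
# Order matters: SSNs are matched before the looser phone pattern.
FREE_TEXT_PATTERNS = [
    ("SSN", re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")),
    ("PHONE", re.compile(r"(?<!\d)\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}(?!\d)")),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")),
    ("URL", re.compile(r"\bhttps?://\S+", re.IGNORECASE)),
    ("IP", re.compile(r"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)")),
    ("DATE", re.compile(r"(?<!\d)\d{1,2}/\d{1,2}/\d{4}(?!\d)")),
]


def generalize_date(value):
    """Keep only the year of an ISO YYYY-MM-DD date; anything finer is an identifier."""
    match = re.fullmatch(r"(\d{4})-\d{2}-\d{2}", value)
    return match.group(1) if match else "[DATE]"


def scrub_text(text):
    """Replace free-text identifiers with labelled placeholders; return (text, count)."""
    total = 0
    for label, pattern in FREE_TEXT_PATTERNS:
        text, count = pattern.subn(f"[{label}]", text)
        total += count
    return text, total


def deidentify(record):
    """Return a copy of the record with identifier fields removed, dates reduced to
    the year, and free text scrubbed. State-level geography is retained."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue                              # drop the field outright
        if key.endswith("_date"):
            out[key] = generalize_date(value)
        elif isinstance(value, str):
            out[key], _ = scrub_text(value)       # identifiers hiding in free text
        else:
            out[key] = value
    return out


# Constructed sample record; every value is made up for the example.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "mrn": "MRN-0001234",
    "street": "12 Example Lane",
    "city": "Springfield",
    "state": "IL",
    "zip": "62701",
    "phone": "555-123-4567",
    "email": "jane@example.com",
    "birth_date": "1984-06-21",
    "admit_date": "2021-03-14",
    "diagnosis": "Stage II breast cancer",
    "note": "Patient can be reached at 555-123-4567 or jane@example.com; SSN 123-45-6789 on file.",
}

if __name__ == "__main__":
    print(json.dumps(deidentify(SAMPLE_RECORD), indent=2))
```

The free-text scrub is the part worth keeping in mind: structured fields are easy to drop, but the identifiers that end up in audits are usually the ones typed into a notes field. A pattern-based scrub is a floor, not a guarantee, so treat its output as still needing review before it leaves a HIPAA compliant environment.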

Take, for example, the My Breast Cancer Journey app. It acts as a support system for cancer patients and their family and friends. In the process, users enter their medical history and records, which can be shared with the patient's family members and friends.

Since the information is both collected and shared, the app had to comply with HIPAA.

#2 When do you need HIPAA Compliance?

You need HIPAA compliance from the development stage onwards. Delaying it can result in penalties, fines and blacklisting. Not only that, the additional cost and time of reworking the app for compliance can set you back significantly.

Two important rules will help you understand HIPAA compliance further: the HIPAA Privacy Rule and the HIPAA Security Rule.

HIPAA's Privacy Rule focuses on the right of an individual to control the use of his or her personal information. If your app asks the user for any kind of health related information, it should also give the user the power to decide whether that information can be shared.

The user is also entitled to control who can access their information and under what circumstances it may be accessed, used and/or disclosed to third parties, in all formats including electronic, paper and oral.

Whether to share assessment reports with anyone needs to be at the discretion of the user (patient). This feature addresses the Privacy Rule side of HIPAA compliance.

The HIPAA Privacy Rule applies to PHI in any form. This includes computer and paper files, X-rays, physician appointment schedules, medical bills, dictated notes, conversations, and information entered into patient portals.

HIPAA's Security Rule focuses specifically on electronic PHI (ePHI). Security is the ability to control access to information and protect it from accidental or intentional disclosure to unauthorized persons. Anyone who believes a HIPAA violation has occurred can file a complaint with the Office for Civil Rights.

#3 What are the requirements of the HIPAA law?

To meet HIPAA's software compliance requirements, you need to satisfy four main requirements of the law:

  1. You must put safeguards in place to protect patients' health information (PHI). These safeguards can be administrative, technical and physical: policies for staff who come into contact with PHI, encryption and decryption, audit controls, emergency access procedures, and the platforms used to secure the data.
  2. Reasonably limit the use and sharing of protected health information to the minimum necessary to accomplish your intended purpose.
  3. Have agreements in place with service providers that perform covered functions. These agreements, called Business Associate Agreements (BAAs), ensure that service providers (business associates) use, safeguard and disclose patient information properly.
  4. Put procedures in place to limit who can access patient health information, along with training programs on how to protect it.

#4 How do you become HIPAA compliant?

Becoming a HIPAA compliant app means storing PHI on a HIPAA compliant server. Standard safeguards such as app logins and automatic logouts can be built into the app's core infrastructure on your hosting servers.

Features that require stronger technical and physical safeguards can be moved to HIPAA compliant cloud storage, provided the cloud provider signs a Business Associate Agreement with you. Amazon Web Services (AWS) and Microsoft Azure are two popular platforms for this service.

Authorization procedures need to be in place to prevent unauthorized access to protected patient information. Prior to any use or disclosure of an individual's protected health information that is not permitted by the HIPAA Privacy Rule, authorization must be obtained from the individual.
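The following added example (not code from the original article or from Arkenea) shows how the authorization paragraph above and the four requirements listed earlier (safeguards including audit controls and emergency access, minimum-necessary disclosure, and limiting who can access PHI) fit together in a backend: each role sees only the fields its job needs, a disclosure is refused unless the patient has authorized it, a physician's emergency access is allowed but flagged, and every attempt is written to a hash-chained audit log that detects later edits. It uses only the Python standard library; the roles, field names, patient records and consent entries are constructed assumptions, and encryption of the stored records is left to a library and not shown.

```python
"""Added example (not from the original article): role-based, minimum-necessary
access to PHI with patient consent checks and a tamper-evident audit trail.
Roles, field names and sample data are constructed for this illustration."""
import hashlib
import json
from datetime import datetime, timezone

# Fields each role may see: the "minimum necessary" for that role's job.
ROLE_FIELDS = {
    "physician": {"name", "birth_date", "diagnosis", "medications"},
    "billing": {"name", "plan_id", "account_no"},
    "family": {"name", "appointments"},   # what a patient may choose to share with relatives
}

# Constructed patient store keyed by medical record number (sample data, not real).
PATIENTS = {
    "MRN-0001234": {
        "name": "Jane Q. Sample", "birth_date": "1984-06-21",
        "diagnosis": "Stage II breast cancer", "medications": ["tamoxifen"],
        "plan_id": "PLAN-77", "account_no": "ACCT-9", "appointments": ["2021-04-02"],
    },
    "MRN-0005678": {   # new arrival; no sharing preferences recorded yet
        "name": "John R. Sample", "birth_date": "1970-01-02",
        "diagnosis": "chest pain, under evaluation", "medications": [],
        "plan_id": "PLAN-12", "account_no": "ACCT-3", "appointments": [],
    },
}

# Patient-controlled sharing choices (Privacy Rule): the roles, or the specific
# "family:<contact>" entries, that the patient has authorized to see the record.
CONSENT = {"MRN-0001234": {"physician", "billing", "family:bob@example.com"}}


class AccessDenied(Exception):
    pass


def _entry_hash(body):
    """SHA-256 over the canonical JSON of an audit entry (the body includes the previous hash)."""
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def append_audit(log, actor, role, mrn, fields, outcome, emergency=False):
    """Append a hash-chained audit entry; each entry commits to the one before it."""
    prev = log[-1]["hash"] if log else "0" * 64
    body = {
        "ts": datetime.now(timezone.utc).isoformat(), "actor": actor, "role": role,
        "mrn": mrn, "fields": sorted(fields), "outcome": outcome,
        "emergency": emergency, "prev": prev,
    }
    entry = dict(body, hash=_entry_hash(body))
    log.append(entry)
    return entry


def verify_audit(log):
    """Recompute the chain; any edited or reordered entry breaks it."""
    prev = "0" * 64
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "hash"}
        if body["prev"] != prev or _entry_hash(body) != entry["hash"]:
            return False
        prev = entry["hash"]
    return True


def fetch_record(log, actor, role, mrn, emergency=False):
    """Return only the fields the role needs, subject to the patient's sharing choices.
    A physician's emergency ("break-glass") access bypasses consent but is flagged in the log."""
    record = PATIENTS.get(mrn)
    if record is None or role not in ROLE_FIELDS:
        append_audit(log, actor, role, mrn, set(), "denied", emergency)
        raise AccessDenied("unknown patient or role")
    consent_key = f"family:{actor}" if role == "family" else role
    authorized = consent_key in CONSENT.get(mrn, set())
    if not authorized and not (emergency and role == "physician"):
        append_audit(log, actor, role, mrn, set(), "denied", emergency)
        raise AccessDenied("patient has not authorized this disclosure")
    allowed = ROLE_FIELDS[role] & set(record)
    append_audit(log, actor, role, mrn, allowed, "granted", emergency)
    return {k: record[k] for k in allowed}


def try_fetch(log, actor, role, mrn, emergency=False):
    """Convenience wrapper: the filtered view, or None when access was denied."""
    try:
        return fetch_record(log, actor, role, mrn, emergency)
    except AccessDenied:
        return None


if __name__ == "__main__":
    audit = []
    print(try_fetch(audit, "clerk.kim", "billing", "MRN-0001234"))
    print(try_fetch(audit, "dr.lee", "physician", "MRN-0005678"))                  # None: no consent on file
    print(try_fetch(audit, "dr.lee", "physician", "MRN-0005678", emergency=True))
    print("audit chain intact:", verify_audit(audit))
```

Two design points carry over to a real backend. Denied attempts are logged just like granted ones, because repeated denials are what an access review needs to see; and emergency access is permitted rather than blocked, but the flag in the audit entry is what lets the privacy officer review every such use afterwards. In production the log would be written to append-only storage and the chain verified by a separate process, not by the application that writes it.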

Encrypting and de-identifying the PHI that the healthcare app collects, stores and transmits is an absolute must when building a HIPAA compliant mobile application. The technical, physical and administrative safeguards outlined under the HIPAA Security Rule need to be followed to ensure that your app stays compliant with the HIPAA guidelines.

However, you need not build every app feature on HIPAA compliant hosting servers. In the case of the My Breast Cancer Journey app, we built only the in-app messaging, document sharing and image sharing features on HIPAA compliant servers, since those are the features that carry PHI.

Make sure you discuss compliance while you are discussing the overall project concept with a healthcare software development firm like Arkenea.

Disclaimer: To fully understand HIPAA compliance for your app, consult a healthcare attorney.

Rahul Varshneya

Rahul Varshneya is the co-founder of Arkenea, a custom software development consulting firm for fast-growing businesses, providing on-demand engineering talent and MVP development services.