4 Steps To Make Your App HIPAA Compliant

Why is HIPAA compliant app development becoming so important? The answer is quite simple. Mobile technology has changed the lives of a lot of people all around the world. The healthcare industry is also undergoing serious transformation due to technology developments. There are several factors making health-related apps very appealing both for care providers and patients:

· People rely more and more on social media and online services in many aspects of their lives.

· Healthcare in the US and Western Europe is a highly profitable business sector. According to CSI Market, in Q2 2017 the Healthcare Sector's Gross Margin grew to 62.51%.

· Smartphones and wearables are extensively used for telehealth or mHealth services such as tracking patient vitals and sharing data between patients, doctors, and care providers.


The developers of healthcare mobile apps or software for wearable devices must understand the laws that regulate patient privacy and the security of medical data, as data breaches in the healthcare sector pose serious problems with significant financial consequences. In the past two years, nearly 90 per cent of healthcare organizations in the US suffered from data breaches, with estimated losses of $6.2 billion. More information about healthcare data breaches in 2017 can be found here.

Let us look at the core laws governing healthcare information protection.


Data protection laws in the US

The core law governing the management, storage and transmission of protected health information (PHI) is the Health Insurance Portability and Accountability Act (HIPAA). It was signed into legislation in 1996. Soon thereafter the HIPAA Privacy Rule and the HIPAA Security Rule were published by the U.S. Department of Health and Human Services (HHS). The Privacy Rule establishes national standards to protect medical records and other personal health information transferred in electronic form. The Security Rule establishes national standards to protect electronic personal health information that is created, received, used, or maintained by a covered entity.


In September 2013, the most recent amendment to HIPAA, the Final Omnibus Rule Update, was passed. This amendment expands the definition of the entities that must be HIPAA compliant. Before the amendment was passed, only covered entities, i.e. doctors, hospitals, and insurers, were required to comply with the HIPAA rules. Now the Update requires all entities that store, manage, record or transmit Protected Health Information (PHI) to be HIPAA compliant.


This means that if you are developing medical apps, you are developing HIPAA compliant mobile apps. Under HIPAA there is no safe harbor for developer businesses – keeping protected health information secure is a must if your services handle PHI.


There are two categories of entities that must comply with the HIPAA Privacy Rule:

· Covered Entities include health plans (such as health insurance companies, HMOs, company health plans, government programs paying for health care, and the military and veterans health care programs), health care clearinghouses (entities that process nonstandard health information received from other entities), and healthcare providers (doctors, clinics, psychologists, dentists, chiropractors, nursing homes, and pharmacies) who transmit any information in electronic form in connection with a transaction for which the Department of Health and Human Services (HHS) has adopted a standard.

· Business Associate – any person or entity who performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.


The HIPAA Security Rule requires entities covered by the HIPAA law to have appropriate administrative, physical and technical safeguards in place to ensure confidentiality, integrity, and security of electronically transmitted PHI. Administrative safeguards refer to access control and training, physical safeguards refer to actual medical device and media control, and technical safeguards relate to the health data itself.


What Exactly do HIPAA Rules Require?

Any company that is a covered entity or a business associate must do the following:

1.    Put the three categories of safeguards mentioned above in place to protect patient health information.

2.    Reasonably limit the use and sharing of PHI to the minimum required to accomplish the intended task.

3.    Have agreements with Business Associates (BA) that perform covered functions.

4.    Implement procedures to limit the number of entities and individuals who can access patient information, and training programs to teach the staff how to protect personal health information.


HIPAA Compliance for Health Applications – What Does It Mean for Developers?

Not all health-related apps on the market are HIPAA compliant. An mHealth app developed to HIPAA requirements may collect, store, and transmit PHI. How can you check whether your app is a HIPAA compliant app? The criteria to check are:

(1) the app user (entity) type

(2) the app information type (the information that is generated, stored or shared)

(3) the app software type (encryption type)


If your app is intended for use by a Covered Entity, more than likely you’ll have to comply with HIPAA.


HIPAA covers transactions involving PHI, i.e. the information that is included in a patient’s medical record, or that is used for healthcare services such as treatment, payment, or operations. The US Department of Health and Human Services defines 18 classes of personal information that, in combination with health data, constitute PHI. The full list is as follows:

1. Names of patients

2. All geographical subdivisions smaller than a state

3. Dates directly related to an individual, including birth date, admission date, discharge date, date of death

4. Phone numbers

5. Fax numbers

6. Email addresses

7. Social Security numbers

8. Medical record numbers

9. Health plan beneficiary numbers

10. Account numbers

11. Certificate/license numbers

12. Vehicle identifiers and serial numbers, including license plate numbers

13. Device identifiers and serial numbers

14. Web URLs

15. IP addresses

16. Biometric identifiers, including finger and voice prints

17. Full face photographic images and any comparable images

18. Any other unique identifying number, characteristic, or code.

So if you collect, store or transmit any of this data, you must develop a HIPAA compliant medical app.


The last criterion is the technology used to protect electronic PHI and control access to it under standards such as Audit Controls, Integrity, and Access Controls. The Audit Controls standard requires a medical app developer to have hardware, software, and/or procedural mechanisms in place that track, record and examine activity in systems that contain or use electronic PHI. The Integrity standard requires a covered entity to have policies and procedures that protect electronic PHI from improper alteration or destruction.


The Access Controls standard requires a unique user identification system (using a password or PIN, a smart card or a key, or biometric data), emergency access procedures (for example, in case of power failure), automatic logoff, and data encryption and decryption at all stages.
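One way to implement the automatic logoff, audit and integrity requirements described above, written here as an added example rather than code from the article: a session object that logs the user off after a period of inactivity and records every PHI access in an HMAC-chained audit trail. The timeout, the key and all names are assumptions.

```python
import hashlib
import hmac
import json

# Constructed example, not code from the article: inactivity-based automatic logoff
# plus a tamper-evident audit trail for PHI access. Key, timeout and names are
# illustrative assumptions.
INACTIVITY_LIMIT_SECONDS = 300        # assumption: log off after 5 idle minutes
AUDIT_KEY = b"constructed-demo-key"   # real deployments keep this outside the app

def _tag(body):
    payload = json.dumps(body, sort_keys=True).encode()
    return hmac.new(AUDIT_KEY, payload, hashlib.sha256).hexdigest()

class AuditTrail:
    """Append-only log (Audit Controls). Each record's HMAC also covers the
    previous record's tag, so editing or deleting an entry breaks the chain."""

    def __init__(self):
        self.records, self._prev_tag = [], ""

    def record(self, user_id, action, resource, ts):
        body = {"ts": ts, "user": user_id, "action": action,
                "resource": resource, "prev": self._prev_tag}
        body["tag"] = self._prev_tag = _tag(body)
        self.records.append(body)

    def verify(self):  # re-derive every tag (Integrity); True only if chain intact
        prev = ""
        for rec in self.records:
            body = {k: v for k, v in rec.items() if k != "tag"}
            if body["prev"] != prev or not hmac.compare_digest(_tag(body), rec["tag"]):
                return False
            prev = rec["tag"]
        return True

class PhiSession:
    """Unique user id, automatic logoff on inactivity, audited PHI reads (Access Controls)."""

    def __init__(self, user_id, audit, now):
        self.user_id, self.audit, self.last_activity = user_id, audit, now

    def access(self, record_id, now):
        if now - self.last_activity > INACTIVITY_LIMIT_SECONDS:
            self.audit.record(self.user_id, "auto_logoff", record_id, now)
            raise PermissionError("session expired: re-authentication required")
        self.last_activity = now
        self.audit.record(self.user_id, "read", record_id, now)
        return f"PHI record {record_id}"  # stands in for the real data fetch
```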


So, if your prospective app will exchange PHI with doctors and medical facilities in electronic form, most likely you have to develop HIPAA compliant apps.


How to make an app HIPAA compliant?


HIPAA governs all mHealth apps. That is the reality. The rules are the same both for startups and well-established companies. Security has top priority both for mobile apps (Android and iOS) and web apps.


Our team has experience in making online communications platforms HIPAA-secure. Archer Software’s HIPAA Expert certification is updated every year. And here are some useful tips on how to develop HIPAA-compliant mobile apps.


Your role and responsibility must be clear and comprehensive


A qualified specialist (HIPAA or security expert) must define the security requirements for your healthcare app and review the app architecture.


Risk and exposure must be minimized


Once again, reasonably limit the use and sharing of PHI to the minimum required to accomplish the intended task – don’t access, display or store data that is not necessary. Use a clear and efficient privacy policy. Don’t store or cache PHI whenever possible. When using cloud storage, provide secure PHI data transmission and storage, i.e. the cloud storage also should be HIPAA compliant. Under HIPAA a Business Associate Agreement must be signed with any third-party providers.


Secure data storage and transmission is another must


Data encryption at all stages helps to stay HIPAA compliant. According to NowSecure CTO David Weinstein, 80 percent of the 200 most popular free iOS apps do not support the App Transport Security (ATS) feature. This feature forces mobile apps to connect to back-end servers using HTTPS instead of HTTP, encrypting data in transit. It is absolutely necessary to use available tools and protocols to encrypt and verify data both when stored and when transmitted. Remember that SMS and MMS are not encrypted, so avoid transmitting PHI using them.


Make your app secure and constantly validate its security


Your app should require re-authentication after a certain period of inactivity. Never use push notifications containing PHI. Don’t store PHI in backups or log files, which are especially vulnerable when written to SD cards on Android devices. Follow secure mobile development best practices, for example the OWASP Mobile Top 10.
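The advice above to keep PHI out of log files can be enforced in code rather than left to developer discipline. The logging filter below is an added example, not code from the article or from Archer Software: it redacts the machine-recognisable identifiers from the HHS list (Social Security numbers, phone and fax numbers, email addresses, IP addresses, URLs) and values in fields the app names as record, account or policy numbers before a message reaches any handler. The field names and patterns are assumptions; names, dates and other free-text identifiers cannot be caught by pattern matching and must be kept out of log statements upstream.

```python
import logging
import re

# Constructed example, not code from the article: redact the HIPAA identifiers
# that have a recognisable shape before a log line is written anywhere. The field
# names (mrn/account/policy) and the patterns are assumptions for this demo; names,
# dates and free-text identifiers still need to be kept out of log calls upstream.
PHI_PATTERNS = [
    (re.compile(r"https?://\S+"), "[URL]"),
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"(?<!\d)(?:\+1[ -]?)?\(?\d{3}\)?[ -]?\d{3}-\d{4}(?!\d)"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "[EMAIL]"),
    (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "[IP]"),
    # assumption: the app's own field names for medical record / account numbers
    (re.compile(r"\b(mrn|account|policy)(\W{1,3})([A-Za-z]*\d[A-Za-z0-9-]*)", re.I),
     r"\1\2[ID]"),
]


def redact_phi(text):
    """Return text with every recognised identifier replaced by a placeholder."""
    for pattern, replacement in PHI_PATTERNS:
        text = pattern.sub(replacement, text)
    return text


class PhiRedactingFilter(logging.Filter):
    """Rewrites the formatted message in place, so every handler sees redacted text."""

    def filter(self, record):
        record.msg = redact_phi(record.getMessage())
        record.args = ()  # args are already folded into msg; drop the raw values
        return True


def build_logger(name="mhealth"):
    """Logger whose records are redacted before reaching any handler."""
    logger = logging.getLogger(name)
    logger.addFilter(PhiRedactingFilter())
    return logger
```

A filter attached to a logger applies only to records created on that logger, so attach it to every logger that may see PHI, or to the handlers themselves.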

Contact Archer Software’s professional team of NetOps and project managers and get insights on your HIPAA-compliant app infrastructure and code. Please contact us via info@archer-soft.com to get more information.