HIPAA Compliance: What Every Developer Should Know
Apple Health and Google Fit have spurred a surge of interest in health apps. Here's what developers need to understand about HIPAA compliance.
The recent launches of Apple Health and Google Fit have stirred a lot of interest in health app development. If you're developing a healthcare-focused mobile application or software for wearable devices, it's important that you understand the laws around protected health information (PHI) and HIPAA compliance. While not all healthcare applications fall under HIPAA rules, those that collect, store, or share personally identifiable health information with covered entities (such as doctors and hospitals) must be HIPAA-compliant.
HIPAA was written nearly 20 years ago, before mobile health applications were ever envisioned. Because of this, some areas of the law make it hard to determine which apps must be HIPAA-compliant and which are exempt. Below are some considerations developers must address to determine whether their healthcare apps must be HIPAA-compliant or not.
Mobile devices and data security
Considering the numerous ways security breaches can occur with a mobile device, it's no wonder government entities like the US Department of Health and Human Services are leery about how PHI is handled on smartphones and wearables.
If your application is going to send or share health data to a doctor, hospital, or other covered entity, it must be HIPAA-compliant. Adhering to the Privacy and Security Rules of HIPAA is essential, especially considering the dangers that come with handling protected health data on a device:
Phones, tablets, and wearables are all easily stolen and lost, meaning PHI could be compromised.
Social media and email are easily accessible by the device, making it easy for users to post something that breaches HIPAA privacy laws.
Push notifications and other user communications can violate HIPAA laws if they contain PHI.
Users may intentionally or unintentionally share personally identifiable information, even if your app's intended use doesn't account for it.
Not all users take advantage of the password-protected screen-lock feature, making data visible and accessible to anyone who comes in contact with the device.
Devices like the iPhone do not include physical keyboards, so users are more likely to use basic passwords that are not as safe as complex options.
While not all of these factors are under your control as a developer, it's important to take all the steps possible to comply with HIPAA guidelines.
Determining if an app must be HIPAA-compliant
Not all health-related apps must be HIPAA-compliant. In fact, most apps in the market today are not. Fortunately, it's easy to determine whether or not your app must be compliant.
The information that triggers compliance requirements is personal information that directly identifies an individual and that is -- or can be -- transmitted to a covered entity. This protected health information can include everything from medical records and images to scheduled appointment dates.
If your app is used to record and share patient information with a covered entity in any way, it must be HIPAA-compliant.
On the other hand, your app probably does not need to be HIPAA-compliant if it performs tasks such as the following:
Allows users to record their weight and exercise routines
Gives users access to medical reference information
Lets average users look up illness information
Defines various illnesses or diseases
Lets users keep up with their daily diets
If the app is to be used by average people (as opposed to medical personnel or staff and contractors of covered entities), then it likely does not need to be HIPAA-compliant.
But not all apps used by medical personnel need to be compliant. For example, applications that let doctors or other professionals
The architect behind TrueVault's backend-as-a-service offering, it was Jason who spent many sleepless nights worrying about HIPAA compliance and technical safeguards so that developers don't have to. His mission is to free developers from regulatory shackles so that they can ...