Healthcare // Security & Privacy
Commentary
7/11/2014
09:06 AM
Jason Wang
Jason Wang
Commentary
Connect Directly
Twitter
RSS
E-Mail
100%
0%

HIPAA Compliance: What Every Developer Should Know

Apple Health and Google Fit have spurred a surge of interest in health apps. Here's what developers need to understand about HIPAA compliance.

9 Mobile Apps To Get You Fit
9 Mobile Apps To Get You Fit
(Click image for larger view and slideshow.)

The recent launches of Apple Health and Google Fit have stirred a lot of interest in health app development. If you're developing a healthcare-focused mobile application or software for wearable devices, it's important that you understand the laws around protected health information (PHI) and HIPAA compliance. While not all healthcare applications fall under HIPAA rules, those that collect, store, or share personally identifiable health information with covered entities (such as doctors and hospitals) must be HIPAA-compliant.

HIPAA was written nearly 20 years ago, before mobile health applications were ever envisioned. Because of this, some areas of the law make it hard to determine which apps must be HIPAA-compliant and which are exempt. Below are some considerations developers must address to determine whether their healthcare apps must be HIPAA-compliant or not.

Mobile devices and data security
Considering the numerous ways security breaches can occur with a mobile device, it's no wonder government entities like the US Department of Health and Human Services are leery about how PHI is handled on smartphones and wearables.

[Privacy violations are on the rise throughout the healthcare industry. Read HIPAA Complaints Vex Healthcare Organizations.]

If your application is going to send or share health data to a doctor, hospital, or other covered entity, it must be HIPAA-compliant. Adhering to the Privacy and Security Rules of HIPAA is essential, especially considering the dangers that come with handling protected health data on a device:

  • Phones, tablets, and wearables are all easily stolen and lost, meaning PHI could be compromised.
  • Social media and email are easily accessible by the device, making it easy for users to post something that breaches HIPAA privacy laws.
  • Push notifications and other user communications can violate HIPAA laws if they contain PHI.
  • Users may intentionally or unintentionally share personally identifiable information, even if your app's intended use doesn't account for it.
  • Not all users take advantage of the password-protected screen-lock feature, making data visible and accessible to anyone who comes in contact with the device.
  • Devices like the iPhone do not include physical keyboards, so users are more likely to use basic passwords that are not as safe as complex options.

While not all of these factors are under your control as a developer, it's important to take all the steps possible to comply with HIPAA guidelines.

Determining if an app must be HIPAA-compliant
Not all health-related apps must be HIPAA-compliant. In fact, most apps in the market today are not. Fortunately, it's easy to determine whether or not your app must be compliant.

The information that does need to be compliant is personal information that directly identifies an individual and that is -- or can be -- transmitted to a covered entity. This protected health information can include everything from medical records and images to scheduled appointment dates.

If your app is used to record and share patient information with a covered entity in any way, it must be HIPAA-compliant.

On the other hand, your app probably does not need to be HIPAA-compliant if it performs tasks such as the following:

  • Allows users to record their weight and exercise routines
  • Gives users access to medical reference information
  • Lets average users look up illness information
  • Defines various illnesses or diseases
  • Lets users keep up with their daily diets

If the app is to be used by average people (as opposed to medical personnel or staff and contractors of covered entities), then it likely does not need to be HIPAA-compliant.

But not all apps used by medical personnel need to be compliant. For example, applications that let doctors or other professionals

The architect behind TrueVault's backend-as-a-service offering, it was Jason who spent many sleepless nights worrying about HIPAA compliance and technical safeguards so that developers don't have to. His mission is to free developers from regulatory shackles so that they can ... View Full Bio
Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
morganb01
50%
50%
morganb01,
User Rank: Apprentice
7/16/2014 | 8:33:12 PM
Re: Oversight Committee?
Hi Alison,

It certainly should make for an interesting next 24 months or so. The FDA is already overwhelmed with all of the new mobile health apps, and can't keep up with the pace of innovation. In fact, the FDA has only evaluated about 100 apps, which is a fraction of the available health and fitness apps in the appstores. Of course, they won't evaluate them all—just ones that could cross into medical device territory. (source: http://www.pbs.org/newshour/rundown/fda-regulation-unable-keep-pace-new-mobile-health-apps/)

The Office of Civil Rights, which manages HIPAA complaints has also seen a huge spike in privacy complaint activity. A large portion of those complaints are referred to the state level, and state Attorney's General offices are handling more complaints at the state level.

The overlapping responsibilities between FDA, HIPAA regulation and state/federal oversight will certainly evolve. The HIPAA Omnibus Final Rule passed last year ammended HIPAA to require all Business Associates be compliant, and I'm sure we'll continue to see more evolution in response to the changing marketplace. 

There is no question however that these entities will continue to lag the market, and so consumers will want to take a close look at the apps they use and trust with their personal health data. 
Alison_Diana
50%
50%
Alison_Diana,
User Rank: Author
7/11/2014 | 2:08:19 PM
Oversight Committee?
As the FDA scrutinizes medical devices to see whether they should fall under its sphere of control, I wonder whether we'll see government expand what is covered under HIPAA now more states (such as Florida) are enacting their own laws around privacy, including personal health information?
Healthcare Data Breaches Cost More Than You Think
Healthcare Data Breaches Cost More Than You Think
Healthcare providers just don't get it. They refuse to see the need to fully secure their protected health information from unauthorized users -- and from authorized users who abuse their access privileges. As a result, they don't allocate enough budgetary resources for securing medical data.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest - July 22, 2014
Sophisticated attacks demand real-time risk management and continuous monitoring. Here's how federal agencies are meeting that challenge.
Flash Poll
Video
Slideshows
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
A UBM Tech Radio episode on the changing economics of Flash storage used in data tiering -- sponsored by Dell.
Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.