Jason Wang

HIPAA Compliance: What Every Developer Should Know

Apple Health and Google Fit have spurred a surge of interest in health apps. Here's what developers need to understand about HIPAA compliance.

look up disease information do not need to be HIPAA-compliant. However, if the app allows the doctor to record disease information about a specific patient, it must be compliant.

What does a mobile app need to be HIPAA-compliant?
If you determine that your app must be compliant, you need to learn the HIPAA requirements for developers. Here are some of the basic things your app will need to include:

  • Secure access to PHI via unique user authentication
  • Encryption of data that will be stored
  • Regular security updates to protect against breaches
  • A system to audit the data and ensure that it hasn't been accessed or modified in any unauthorized way
  • A mobile wipe option that allows PHI to be wiped if the device is lost
  • Data backup in case of a device loss, failure, or other disaster

For more information, see the complete list of requirements for HIPAA-compliant mobile applications.
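Two of the safeguards listed above, unique user authentication and an audit trail that reveals unauthorized access or modification, are the ones developers most often implement only half-way (a plain log table that anyone with database access can edit is not an audit system). The following Python example is added here as an illustration and is not code from the article or from TrueVault. It uses only the standard library: salted PBKDF2-HMAC-SHA256 for per-user credentials, and an HMAC-chained audit log in which every entry's MAC covers the previous entry's MAC, so that editing, reordering or deleting an entry is detected on verification. The user table, patient record, audit key and passwords are constructed sample values; encryption of stored PHI is deliberately out of scope here and would use a vetted library (for example AES-GCM from a maintained crypto package) rather than anything hand-rolled.

```python
import hashlib
import hmac
import json
import os
from typing import Optional

PBKDF2_ROUNDS = 200_000

# Constructed demo key. A real deployment loads this from a KMS/HSM or
# secrets manager, never from source code or the mobile app bundle.
AUDIT_KEY = b"constructed-demo-audit-key-not-for-production"


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Return (salt, digest) for one user's credential: salted PBKDF2-HMAC-SHA256."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison so timing does not leak how many bytes matched."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


GENESIS = "0" * 64  # stands in for the "previous MAC" of the very first entry


class AuditLog:
    """Append-only log. Each entry's MAC covers the entry body and the previous
    entry's MAC, so any edit, reorder or deletion inside the chain breaks it."""

    def __init__(self, key: bytes):
        self._key = key
        self.entries = []

    def _mac(self, prev: str, body: dict) -> str:
        payload = prev.encode() + json.dumps(body, sort_keys=True).encode()
        return hmac.new(self._key, payload, "sha256").hexdigest()

    def append(self, actor: str, action: str, record_id: str, outcome: str) -> None:
        prev = self.entries[-1]["mac"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "actor": actor, "action": action,
                "record": record_id, "outcome": outcome, "prev": prev}
        entry = dict(body)
        entry["mac"] = self._mac(prev, body)
        self.entries.append(entry)

    def verify(self) -> tuple:
        """(True, n) if all n entries chain correctly, else (False, index of first bad entry)."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "mac"}
            if body.get("prev") != prev or body.get("seq") != i:
                return False, i
            if not hmac.compare_digest(self._mac(prev, body), entry["mac"]):
                return False, i
            prev = entry["mac"]
        return True, len(self.entries)


def make_user(role: str, password: str) -> dict:
    salt, digest = hash_password(password)
    return {"role": role, "salt": salt, "digest": digest}


# Constructed sample users, PHI record and role policy.
USERS = {"dr_lee": make_user("physician", "constructed-pw-1"),
         "billing1": make_user("billing", "constructed-pw-2")}
RECORDS = {"pt-001": {"name": "Sample Patient", "dx": "constructed diagnosis"}}
CAN_READ_PHI = {"physician"}


def read_phi(log: AuditLog, username: str, password: str, record_id: str):
    """Authenticate, authorize, then audit every PHI access attempt, denied or not."""
    user = USERS.get(username)
    if user is None or not verify_password(password, user["salt"], user["digest"]):
        log.append(username, "read", record_id, "denied:auth")
        return None
    if user["role"] not in CAN_READ_PHI:
        log.append(username, "read", record_id, "denied:role")
        return None
    record = RECORDS.get(record_id)
    log.append(username, "read", record_id, "ok" if record else "not_found")
    return record


if __name__ == "__main__":
    log = AuditLog(AUDIT_KEY)
    read_phi(log, "dr_lee", "constructed-pw-1", "pt-001")
    read_phi(log, "billing1", "constructed-pw-2", "pt-001")
    print("chain intact:", log.verify())
    log.entries[0]["outcome"] = "denied:auth"   # simulate an after-the-fact edit
    print("after tampering:", log.verify())
```

Note that the chain alone cannot detect truncation at the tail (dropping the newest entries leaves a valid shorter chain), so a production system also records the latest MAC somewhere the application cannot overwrite, such as a separate write-once store, and compares against it during verification.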

Keeping PHI out of your application is the easiest way to avoid potential breaches of that information while reducing the technical debt required to build and maintain compliant systems.

Developers should never use third-party file storage and hosting platforms unless the providers explicitly state they are HIPAA-compliant and agree to sign a Business Associate Agreement, and even then it is very important to research them carefully before relying on one for any data stored by a HIPAA-covered app. HIPAA-compliant hosting providers such as Amazon and Firehost take care of the Physical Safeguard requirements of HIPAA, but simply using HIPAA hosting does not make your app compliant. Every service provider you use for any part of your app must also be HIPAA-compliant itself and willing to sign a Business Associate Agreement.

No Safe Harbor for protected health information
Many developers don't realize that, unlike the DMCA, there is no Safe Harbor clause for HIPAA. Even if your application is not intended to store or transmit protected health information, it can still be in violation of HIPAA. PHI breaches are major violations that carry hefty fines. Simply refusing to sign a Business Associate Agreement, or ignoring the data flowing through your application, won't absolve you from the requirements of the law.

If you are unsure about whether your app needs to be compliant, consider implementing HIPAA compliance practices to protect your business. Also, check out the US Department of Health and Human Services website, which provides some great resources for developers.


As the architect behind TrueVault's backend-as-a-service offering, Jason spent many sleepless nights worrying about HIPAA compliance and technical safeguards so that developers don't have to. His mission is to free developers from regulatory shackles so that they can ...
User Rank: Apprentice
10/26/2015 | 5:11:41 PM
Helpful Webinar
I'm working with developers on a product that will guarantee screen security for medical facilities, among other places, and make proving HIPAA compliance much easier. I hope you'll check out our webinar that discusses this innovative technology and what we are trying to accomplish: It's at and then just go to the section marked Company and Webinars will be in the dropdown menu.
User Rank: Apprentice
6/29/2015 | 12:37:00 PM
Compliance Attitude
Jason Wang: In your "bio" you use the phrase "...regulatory shackles...". I'd suggest that this demonstrates a lack of awareness of the value to a company of viewing the compliance requirements as very valuable tools to ensure the survival of the company. A company culture that embraces the value of compliance will face less risk of heavy fines than a company that views compliance as "regulatory shackles" or overhead. By including "regulatory shackles" in your bio you help perpetuate that attitude, which is a disservice to your readers. See my Linked-In profile for my qualifications.
User Rank: Apprentice
7/16/2014 | 8:33:12 PM
Re: Oversight Committee?
Hi Alison,

It certainly should make for an interesting next 24 months or so. The FDA is already overwhelmed with all of the new mobile health apps, and can't keep up with the pace of innovation. In fact, the FDA has only evaluated about 100 apps, which is a fraction of the available health and fitness apps in the app stores. Of course, they won't evaluate them all—just ones that could cross into medical device territory. (source:

The Office of Civil Rights, which manages HIPAA complaints, has also seen a huge spike in privacy complaint activity. A large portion of those complaints are referred to the state level, and state Attorneys General offices are handling more complaints at the state level.

The overlapping responsibilities between FDA, HIPAA regulation and state/federal oversight will certainly evolve. The HIPAA Omnibus Final Rule passed last year amended HIPAA to require all Business Associates to be compliant, and I'm sure we'll continue to see more evolution in response to the changing marketplace.

There is no question however that these entities will continue to lag the market, and so consumers will want to take a close look at the apps they use and trust with their personal health data. 
User Rank: Author
7/11/2014 | 2:08:19 PM
Oversight Committee?
As the FDA scrutinizes medical devices to see whether they should fall under its sphere of control, I wonder whether we'll see government expand what is covered under HIPAA now that more states (such as Florida) are enacting their own laws around privacy, including personal health information?