HIPAA Compliance: What Every Developer Should Know - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Healthcare // Security & Privacy
09:06 AM
Jason Wang
Jason Wang
Connect Directly

HIPAA Compliance: What Every Developer Should Know

Apple Health and Google Fit have spurred a surge of interest in health apps. Here's what developers need to understand about HIPAA compliance.

9 Mobile Apps To Get You Fit
9 Mobile Apps To Get You Fit
(Click image for larger view and slideshow.)

The recent launches of Apple Health and Google Fit have stirred a lot of interest in health app development. If you're developing a healthcare-focused mobile application or software for wearable devices, it's important that you understand the laws around protected health information (PHI) and HIPAA compliance. While not all healthcare applications fall under HIPAA rules, those that collect, store, or share personally identifiable health information with covered entities (such as doctors and hospitals) must be HIPAA-compliant.

HIPAA was written nearly 20 years ago, before mobile health applications were ever envisioned. Because of this, some areas of the law make it hard to determine which apps must be HIPAA-compliant and which are exempt. Below are some considerations developers must address to determine whether their healthcare apps must be HIPAA-compliant or not.

Mobile devices and data security
Considering the numerous ways security breaches can occur with a mobile device, it's no wonder government entities like the US Department of Health and Human Services are leery about how PHI is handled on smartphones and wearables.

[Privacy violations are on the rise throughout the healthcare industry. Read HIPAA Complaints Vex Healthcare Organizations.]

If your application is going to send or share health data to a doctor, hospital, or other covered entity, it must be HIPAA-compliant. Adhering to the Privacy and Security Rules of HIPAA is essential, especially considering the dangers that come with handling protected health data on a device:

  • Phones, tablets, and wearables are all easily stolen and lost, meaning PHI could be compromised.
  • Social media and email are easily accessible by the device, making it easy for users to post something that breaches HIPAA privacy laws.
  • Push notifications and other user communications can violate HIPAA laws if they contain PHI.
  • Users may intentionally or unintentionally share personally identifiable information, even if your app's intended use doesn't account for it.
  • Not all users take advantage of the password-protected screen-lock feature, making data visible and accessible to anyone who comes in contact with the device.
  • Devices like the iPhone do not include physical keyboards, so users are more likely to use basic passwords that are not as safe as complex options.

While not all of these factors are under your control as a developer, it's important to take all the steps possible to comply with HIPAA guidelines.

Determining if an app must be HIPAA-compliant
Not all health-related apps must be HIPAA-compliant. In fact, most apps in the market today are not. Fortunately, it's easy to determine whether or not your app must be compliant.

The information that does need to be compliant is personal information that directly identifies an individual and that is -- or can be -- transmitted to a covered entity. This protected health information can include everything from medical records and images to scheduled appointment dates.

If your app is used to record and share patient information with a covered entity in any way, it must be HIPAA-compliant.

On the other hand, your app probably does not need to be HIPAA-compliant if it performs tasks such as the following:

  • Allows users to record their weight and exercise routines
  • Gives users access to medical reference information
  • Lets average users look up illness information
  • Defines various illnesses or diseases
  • Lets users keep up with their daily diets

If the app is to be used by average people (as opposed to medical personnel or staff and contractors of covered entities), then it likely does not need to be HIPAA-compliant.

But not all apps used by medical personnel need to be compliant. For example, applications that let doctors or other professionals

Jason Wang is the founder and CEO of TrueVault, a data security company that is transforming how companies handle personal data. Businesses use personal data to shape customer experience, but security risks mount as more sensitive data is collected. TrueVault tackles this ... View Full Bio
We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
1 of 2
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Author
7/11/2014 | 2:08:19 PM
Oversight Committee?
As the FDA scrutinizes medical devices to see whether they should fall under its sphere of control, I wonder whether we'll see government expand what is covered under HIPAA now more states (such as Florida) are enacting their own laws around privacy, including personal health information?
InformationWeek Is Getting an Upgrade!

Find out more about our plans to improve the look, functionality, and performance of the InformationWeek site in the coming months.

Becoming a Self-Taught Cybersecurity Pro
Jessica Davis, Senior Editor, Enterprise Apps,  6/9/2021
Ancestry's DevOps Strategy to Control Its CI/CD Pipeline
Joao-Pierre S. Ruth, Senior Writer,  6/4/2021
IT Leadership: 10 Ways to Unleash Enterprise Innovation
Lisa Morgan, Freelance Writer,  6/8/2021
White Papers
Register for InformationWeek Newsletters
Current Issue
Planning Your Digital Transformation Roadmap
Download this report to learn about the latest technologies and best practices or ensuring a successful transition from outdated business transformation tactics.
Flash Poll