HIPAA Compliance: What Every Developer Should Know - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Healthcare // Security & Privacy
09:06 AM
Jason Wang
Jason Wang
Connect Directly

HIPAA Compliance: What Every Developer Should Know

Apple Health and Google Fit have spurred a surge of interest in health apps. Here's what developers need to understand about HIPAA compliance.

9 Mobile Apps To Get You Fit
9 Mobile Apps To Get You Fit
(Click image for larger view and slideshow.)

The recent launches of Apple Health and Google Fit have stirred a lot of interest in health app development. If you're developing a healthcare-focused mobile application or software for wearable devices, it's important that you understand the laws around protected health information (PHI) and HIPAA compliance. While not all healthcare applications fall under HIPAA rules, those that collect, store, or share personally identifiable health information with covered entities (such as doctors and hospitals) must be HIPAA-compliant.

HIPAA was written nearly 20 years ago, before mobile health applications were ever envisioned. Because of this, some areas of the law make it hard to determine which apps must be HIPAA-compliant and which are exempt. Below are some considerations developers must address to determine whether their healthcare apps must be HIPAA-compliant or not.

Mobile devices and data security
Considering the numerous ways security breaches can occur with a mobile device, it's no wonder government entities like the US Department of Health and Human Services are leery about how PHI is handled on smartphones and wearables.

[Privacy violations are on the rise throughout the healthcare industry. Read HIPAA Complaints Vex Healthcare Organizations.]

If your application is going to send or share health data to a doctor, hospital, or other covered entity, it must be HIPAA-compliant. Adhering to the Privacy and Security Rules of HIPAA is essential, especially considering the dangers that come with handling protected health data on a device:

  • Phones, tablets, and wearables are all easily stolen and lost, meaning PHI could be compromised.
  • Social media and email are easily accessible by the device, making it easy for users to post something that breaches HIPAA privacy laws.
  • Push notifications and other user communications can violate HIPAA laws if they contain PHI.
  • Users may intentionally or unintentionally share personally identifiable information, even if your app's intended use doesn't account for it.
  • Not all users take advantage of the password-protected screen-lock feature, making data visible and accessible to anyone who comes in contact with the device.
  • Devices like the iPhone do not include physical keyboards, so users are more likely to use basic passwords that are not as safe as complex options.

While not all of these factors are under your control as a developer, it's important to take all the steps possible to comply with HIPAA guidelines.

Determining if an app must be HIPAA-compliant
Not all health-related apps must be HIPAA-compliant. In fact, most apps in the market today are not. Fortunately, it's easy to determine whether or not your app must be compliant.

The information that does need to be compliant is personal information that directly identifies an individual and that is -- or can be -- transmitted to a covered entity. This protected health information can include everything from medical records and images to scheduled appointment dates.

If your app is used to record and share patient information with a covered entity in any way, it must be HIPAA-compliant.

On the other hand, your app probably does not need to be HIPAA-compliant if it performs tasks such as the following:

  • Allows users to record their weight and exercise routines
  • Gives users access to medical reference information
  • Lets average users look up illness information
  • Defines various illnesses or diseases
  • Lets users keep up with their daily diets

If the app is to be used by average people (as opposed to medical personnel or staff and contractors of covered entities), then it likely does not need to be HIPAA-compliant.

But not all apps used by medical personnel need to be compliant. For example, applications that let doctors or other professionals

Jason Wang is the founder and CEO of TrueVault, a data security company that is transforming how companies handle personal data. Businesses use personal data to shape customer experience, but security risks mount as more sensitive data is collected. TrueVault tackles this ... View Full Bio
We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
1 of 2
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
12/28/2016 | 3:56:42 AM
Data protection is good
Data protection is good, but on the other hand, if a person has emergency situation. The doctor must have access to his data or medical record. For example medical records on the iPhone. What do you think about these applications https://itechcraft.com/custom-healthcare-solutions/ . Do they need to be protected?
[email protected],
User Rank: Strategist
10/26/2015 | 5:11:41 PM
Helpful Webinar
I'm working with developers on a product that will guarantee screen security for medical facilities, among other places, and make proving HIPPA compliance much easier. I hope you'll check out our webinar that discusses this innovative technology and what we are trying to accomplish: It's at privateeyenterprise.com and then just go the section marked Company and Webinars will be in the dropdown menu. 
User Rank: Apprentice
6/29/2015 | 12:37:00 PM
Compliance Attitude
Jason Wang:  In your "bio" you use the phrase "...regulatory shackles...".   I'd suggest that this demonstrates a lack of awareness of the value to a company of viewing the compliance requirements as very valuable tools to ensure the survival of the company.  A company culture that embraces the value of compliance will face less risk of heavy fines than a company that views compliance as "regulatory shackles" or overhead.  By including "regulatory shackles" in your bio you help perpetuate that attitude, which is a disservice to your readers.  See my Linked-In profile for my qualifications.
User Rank: Apprentice
7/16/2014 | 8:33:12 PM
Re: Oversight Committee?
Hi Alison,

It certainly should make for an interesting next 24 months or so. The FDA is already overwhelmed with all of the new mobile health apps, and can't keep up with the pace of innovation. In fact, the FDA has only evaluated about 100 apps, which is a fraction of the available health and fitness apps in the appstores. Of course, they won't evaluate them all—just ones that could cross into medical device territory. (source: http://www.pbs.org/newshour/rundown/fda-regulation-unable-keep-pace-new-mobile-health-apps/)

The Office of Civil Rights, which manages HIPAA complaints has also seen a huge spike in privacy complaint activity. A large portion of those complaints are referred to the state level, and state Attorney's General offices are handling more complaints at the state level.

The overlapping responsibilities between FDA, HIPAA regulation and state/federal oversight will certainly evolve. The HIPAA Omnibus Final Rule passed last year ammended HIPAA to require all Business Associates be compliant, and I'm sure we'll continue to see more evolution in response to the changing marketplace. 

There is no question however that these entities will continue to lag the market, and so consumers will want to take a close look at the apps they use and trust with their personal health data. 
User Rank: Author
7/11/2014 | 2:08:19 PM
Oversight Committee?
As the FDA scrutinizes medical devices to see whether they should fall under its sphere of control, I wonder whether we'll see government expand what is covered under HIPAA now more states (such as Florida) are enacting their own laws around privacy, including personal health information?
How GIS Data Can Help Fix Vaccine Distribution
Jessica Davis, Senior Editor, Enterprise Apps,  2/17/2021
Graph-Based AI Enters the Enterprise Mainstream
James Kobielus, Tech Analyst, Consultant and Author,  2/16/2021
11 Ways DevOps Is Evolving
Lisa Morgan, Freelance Writer,  2/18/2021
White Papers
Register for InformationWeek Newsletters
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you.
Flash Poll