HIPAA Compliance: What Every Developer Should Know - InformationWeek


Jason Wang

HIPAA Compliance: What Every Developer Should Know

Apple Health and Google Fit have spurred a surge of interest in health apps. Here's what developers need to understand about HIPAA compliance.

look up disease information do not need to be HIPAA-compliant. However, if the app allows the doctor to record disease information about a specific patient, it must be compliant.

What does a mobile app need to be HIPAA-compliant?
If you determine that your app must be compliant, you need to learn the HIPAA requirements for developers. Here are some of the basic things your app will need to include:

  • Secure access to PHI via unique per-user authentication, so every action can be attributed to one individual
  • Encryption of any PHI that will be stored on the device or server
  • Regular security updates to close vulnerabilities before they lead to a breach
  • An audit trail that records access to and changes of PHI, so unauthorized access or modification can be detected
  • A remote wipe option that allows PHI to be erased if the device is lost or stolen
  • Data backup in case of a device loss, failure, or other disaster

For more information, see the complete list of requirements for HIPAA-compliant mobile applications.
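To make two of the list items above concrete, here is an added example (written for this edit, not code from the article or from TrueVault) of a small server-side PHI store in Go: it encrypts each stored value with AES-256-GCM, binds the ciphertext to its record ID so a value cannot be silently moved between patients, and keeps an HMAC-chained audit log in which any edited, deleted or reordered entry breaks the chain. The record IDs, actor names, diagnosis text and keys are constructed for the demo; a real deployment would take its keys from a KMS or HSM and keep the audit key with the audit service rather than the application.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
)

// Record is one stored PHI item. Data is AES-GCM ciphertext (tag appended);
// the nonce is stored with it and must never be reused under the same key.
type Record struct {
	ID    string
	Nonce []byte
	Data  []byte
}

// Seal encrypts a PHI value with AES-256-GCM. The record ID is passed as
// additional authenticated data, so a ciphertext copied into another
// patient's record fails to decrypt instead of decrypting silently.
func Seal(key []byte, id string, plaintext []byte) (Record, error) {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return Record{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return Record{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return Record{}, err
	}
	return Record{ID: id, Nonce: nonce, Data: gcm.Seal(nil, nonce, plaintext, []byte(id))}, nil
}

// Open decrypts a Record, verifying both its integrity and that it belongs
// to the record ID it is stored under.
func Open(key []byte, r Record) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, r.Nonce, r.Data, []byte(r.ID))
}

// AuditEntry records who did what to which record. MAC covers the entry and
// the previous entry's MAC, chaining the log together.
type AuditEntry struct {
	Seq      int
	Actor    string
	Action   string
	RecordID string
	MAC      string // hex HMAC-SHA256
}

// AuditLog is an append-only, tamper-evident log. Its key is an assumption of
// this demo; it should be held by the audit service, not the PHI-writing app.
type AuditLog struct {
	key     []byte
	Entries []AuditEntry
}

func NewAuditLog(key []byte) *AuditLog { return &AuditLog{key: key} }

func (l *AuditLog) mac(seq int, actor, action, recordID, prev string) string {
	m := hmac.New(sha256.New, l.key)
	// NUL separators keep field boundaries unambiguous inside the MAC input.
	fmt.Fprintf(m, "%d\x00%s\x00%s\x00%s\x00%s", seq, actor, action, recordID, prev)
	return hex.EncodeToString(m.Sum(nil))
}

// Append adds an entry chained to the one before it.
func (l *AuditLog) Append(actor, action, recordID string) {
	prev := ""
	if n := len(l.Entries); n > 0 {
		prev = l.Entries[n-1].MAC
	}
	seq := len(l.Entries)
	l.Entries = append(l.Entries, AuditEntry{seq, actor, action, recordID, l.mac(seq, actor, action, recordID, prev)})
}

// Verify walks the chain and returns the index of the first entry that does
// not verify (edited, reordered, or following a deletion), or -1 if intact.
func (l *AuditLog) Verify() int {
	prev := ""
	for i, e := range l.Entries {
		want := l.mac(i, e.Actor, e.Action, e.RecordID, prev)
		if e.Seq != i || !hmac.Equal([]byte(e.MAC), []byte(want)) {
			return i
		}
		prev = e.MAC
	}
	return -1
}

func main() {
	dataKey, auditKey := make([]byte, 32), make([]byte, 32) // demo keys only
	io.ReadFull(rand.Reader, dataKey)
	io.ReadFull(rand.Reader, auditKey)
	rec, _ := Seal(dataKey, "patient-1042", []byte("dx: type 2 diabetes")) // constructed sample PHI
	trail := NewAuditLog(auditKey)
	trail.Append("dr.lee", "read", rec.ID)
	pt, err := Open(dataKey, rec)
	fmt.Printf("decrypted=%q err=%v chainIntact=%v\n", pt, err, trail.Verify() == -1)
	trail.Entries[0].Actor = "nurse.x" // simulated unauthorized edit of the audit trail
	fmt.Println("first bad entry:", trail.Verify())
}
```

Note that the chain only makes tampering detectable, not impossible: whoever holds the audit key can rewrite the whole log, which is why the key (and ideally periodic chain checkpoints) should live outside the application that produces the entries.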

Keeping PHI out of your application is the easiest way to avoid potential breaches of that information while reducing the technical debt required to build and maintain compliant systems.

Developers should never use third-party file storage or hosting platforms for PHI unless the provider explicitly states that it is HIPAA-compliant and agrees to sign a Business Associate Agreement. Even then, research each provider carefully before entrusting it with any data stored for a HIPAA-covered app. HIPAA-compliant hosting providers such as Amazon and Firehost take care of the Physical Safeguard requirements of HIPAA, but simply using HIPAA hosting does not make your app compliant: the Administrative and Technical Safeguards remain your responsibility. Any service provider you use for any part of your app that touches PHI must also be HIPAA-compliant itself and willing to sign a Business Associate Agreement.

No Safe Harbor for protected health information
Many developers don't realize that, unlike the DMCA, there is no Safe Harbor clause for HIPAA. Even if your application is not intended to store or transmit protected health information, it can still be in violation of HIPAA. PHI breaches are major violations that carry hefty fines. Simply refusing to sign a Business Associate Agreement, or ignoring the data flowing through your application, won't absolve you from the requirements of the law.

If you are unsure about whether your app needs to be compliant, consider implementing HIPAA compliance practices to protect your business. Also, check out the US Department of Health and Human Services website, which provides some great resources for developers.


Jason Wang is the founder and CEO of TrueVault, a data security company that is transforming how companies handle personal data. Businesses use personal data to shape customer experience, but security risks mount as more sensitive data is collected. TrueVault tackles this ...
Comments
User Rank: Apprentice
12/28/2016 | 3:56:42 AM
Data protection is good
Data protection is good, but on the other hand, if a person has an emergency situation, the doctor must have access to his data or medical record. For example medical records on the iPhone. What do you think about these applications https://itechcraft.com/custom-healthcare-solutions/ ? Do they need to be protected?
User Rank: Strategist
10/26/2015 | 5:11:41 PM
Helpful Webinar
I'm working with developers on a product that will guarantee screen security for medical facilities, among other places, and make proving HIPAA compliance much easier. I hope you'll check out our webinar that discusses this innovative technology and what we are trying to accomplish: it's at privateeyenterprise.com; go to the section marked Company, and Webinars will be in the dropdown menu.
User Rank: Apprentice
6/29/2015 | 12:37:00 PM
Compliance Attitude
Jason Wang:  In your "bio" you use the phrase "...regulatory shackles...".   I'd suggest that this demonstrates a lack of awareness of the value to a company of viewing the compliance requirements as very valuable tools to ensure the survival of the company.  A company culture that embraces the value of compliance will face less risk of heavy fines than a company that views compliance as "regulatory shackles" or overhead.  By including "regulatory shackles" in your bio you help perpetuate that attitude, which is a disservice to your readers.  See my Linked-In profile for my qualifications.
User Rank: Apprentice
7/16/2014 | 8:33:12 PM
Re: Oversight Committee?
Hi Alison,

It certainly should make for an interesting next 24 months or so. The FDA is already overwhelmed with all of the new mobile health apps, and can't keep up with the pace of innovation. In fact, the FDA has only evaluated about 100 apps, which is a fraction of the available health and fitness apps in the app stores. Of course, they won't evaluate them all, just ones that could cross into medical device territory. (source: http://www.pbs.org/newshour/rundown/fda-regulation-unable-keep-pace-new-mobile-health-apps/)

The Office of Civil Rights, which manages HIPAA complaints, has also seen a huge spike in privacy complaint activity. A large portion of those complaints are referred to the state level, and state Attorneys General offices are handling more complaints at the state level.

The overlapping responsibilities between FDA, HIPAA regulation and state/federal oversight will certainly evolve. The HIPAA Omnibus Final Rule passed last year amended HIPAA to require all Business Associates be compliant, and I'm sure we'll continue to see more evolution in response to the changing marketplace.

There is no question however that these entities will continue to lag the market, and so consumers will want to take a close look at the apps they use and trust with their personal health data. 
User Rank: Author
7/11/2014 | 2:08:19 PM
Oversight Committee?
As the FDA scrutinizes medical devices to see whether they should fall under its sphere of control, I wonder whether we'll see government expand what is covered under HIPAA now that more states (such as Florida) are enacting their own laws around privacy, including personal health information?