How to Develop a HIPAA Compliant mHealth App
HIPAA is the most important legislation for anyone who wants to create healthcare-related software for the US market. While developing mHealth apps is complex, complying with HIPAA and even merely understanding all its requirements is a much bigger challenge.
What is HIPAA?
HIPAA is the Health Insurance Portability and Accountability Act. It was developed in 1996 to regulate the protection of patient data, reduce the cost of healthcare, and provide continuous health insurance coverage for those who lose or change jobs. However, the part of the act we’re interested in as developers or owners of a healthcare software product is its requirements for protection against data fraud.
Smartphone apps that in any way process, receive, or send private data should comply with HIPAA
In recent years, smartphones and wearables have become widely used in hospitals and by insurance companies to connect doctors to patients and track their health. Smartphone apps that in any way process, receive, or send private data should comply with HIPAA. This is why mHealth App development with HIPAA requirements is currently a popular type of development.
The first thing you need to find out when developing a medical application for the US market is what kind of information you’ll store and transfer via your application. There are two types of information:
- PHI (protected health information) — includes bills from doctors, emails, MRI scans, blood test results, and any other medical information (note that geolocation information that locates a person within a territory smaller than a state is also PHI);
- CHI (consumer health information) — includes data you can receive from a fitness tracker: for example, the number of calories burned, heart rate readings, and number of steps walked
The rule here is simple: If your application processes, stores, or transfers any PHI data, it has to be HIPAA compliant.
Even if you want to create software for other countries or regions — for example, Europe — you’ll still need to meet requirements, such as those established by the European Union. Almost every country has its own legislation governing the use of private medical data.
In this article, we focus on HIPAA app development requirements and answer the question how to make an app HIPAA compliant. Many of the things mentioned here, however, will also be relevant for apps targeting countries other than the US. Let’s first talk about what HIPAA is and why it’s so important to design your app according to it.
Why is HIPAA important?
First and foremost, HIPAA protects patients and their data. Personal data and private medical information can be used by malefactors against patients. Sometimes this means a mild inconvenience, but usually the consequences are much more serious.
HIPAA protects patients from identity theft, a popular crime linked to personal data fraud
This is especially true in the US, where social security numbers are extremely important and are linked to almost all personal data of an individual.
HIPAA protects patients from identity theft, a popular crime linked to personal data fraud. For a person, identity theft can result in large debts, massive financial losses, and harmful fake claims. According to MIFA, the average victim of data fraud spends over $13,000 to deal with the consequences.
What happens if a company fails to meet HIPAA requirements? In two words, massive fines that can sometimes reach a couple million dollars. Each individual data breach case results in a $100 to $50,000 fine. If a data breach occurs because of a hospital’s non-compliance with HIPAA, each person whose data was exposed is a separate case. The fines against one entity aren’t to exceed $1,500,000 in one year for one category.
Children’s Medical Center of Dallas faced a $3.2 million fine for failing to encrypt all data on portable devices
There are already many examples of hospitals that have faced fines because their devices or software wasn’t secure enough. For example, in 2015, a Massachusetts hospital faced a $218,000 fine for putting data of nearly 500 patients at risk because their file sharing medical application failed to meet the basic HIPAA security requirements.
Another relevant example is the $3.2 million fine for failing to encrypt all data on portable devices that was imposed on Children’s Medical Center of Dallas.
How can you avoid hefty fines and keep your patients’ data safe and secure? There’s a set of rules you need to follow.
How to make your app HIPAA compliant
To make your app project HIPAA compliant, you need to follow four rules:
- Privacy rule
- Security rule
- Enforcement rule
- Breach notification rule
The main rule for any developer who works on medical applications is the security rule, which describes technical and physical safeguards.
Physical safeguards include protecting the backend, data transfer networks, and user devices like iPhones or any other devices on iOS or Android that can be physically compromised, stolen, or lost. You can find a full list of physical safeguards here.
To ensure your app’s security, you should enforce regular authentication or make it impossible to access the application without authentication. To make the authentication process safe without sacrificing the user friendliness of your app, you can allow fingerprint authentication. This will protect your app in case a device is lost or stolen.
Make sure that memory cards in mobile devices don’t store any PHI. Memory cards are rather vulnerable as they don’t have strict access permissions.
To create a secure app that’s fully HIPAA compliant, using reliable providers, a set of technical tools like libraries and third-party services isn’t enough. You need not only to encrypt the data in the software you develop but also make sure that it can’t be accessed if the server or device is physically compromised.
Technical safeguards focus on thoroughly encrypting all data that’s transferred between or stored on devices and servers. Technical safeguards include:
- Unique user identification
- Emergency access procedures
- Automatic logoff
Another rule you need to keep in mind is the minimum necessity rule: Don’t receive and store more data than you need or store data for longer than is required for your work.
Avoid sending any PHI data in push notifications and leaking this type of information into backups and logs.
For more information, check with the OWASP list of the ten most common mobile risks.
Steps to creating a HIPAA compliant medical app
Step 1: Find an expert
Don’t attempt to meet all HIPAA requirements without guidance if you don’t have enough experience. It’s always better to hire a third-party expert to consult and audit your system. You can also outsource the whole HIPAA compliant app development development process to an experienced team. Finding an expert is useful both for startups and for big healthcare companies.
Step 2: Evaluate patient data
Make sure you really need all the data you collect from patients and figure out what data can be categorized as PHI. Once you do that, see what PHI data you can avoid storing or transferring through your mobile app.
Step 3: Find third-party solutions that are already HIPAA compliant
Providing HIPAA compliance for an application is very expensive. If you attempt to create a custom HIPAA app from scratch, be ready to pay at least $50,000. This price will include development of a whole system that meets physical and technical security requirements. You’ll also need to spend money auditing this system, getting all necessary certifications, etc.
The best solution to save time, money, and effort is to use a ready infrastructure and solutions that are already HIPAA compliant instead of developing HIPAA compliant mobile apps from scratch. This is called IaaS – Infrastructure as a service. For example, Amazon Web Services and TrueVault are compliant with HIPAA and are responsible for data security.
To use a third-party service for storing or managing PHI data, you’ll need to sign a business associate agreement with third-party companies and make sure they’re reliable.
If you use high-quality third-party solutions, the only thing you’ll need to worry about is creating something that doesn’t exist yet in the form of a ready solution.
Step 4: Encrypt all stored and transferred data
Use security best practices to encrypt the sensitive data of your patients. Make sure there are no security breaches and use several levels of encryption and obfuscation. Take care about encrypting stored data to protect it from being stolen from a device.
Step 5: Maintain and test your app for security
Testing is extremely important, and you need to do it after every update. Test your application both statically and dynamically and consult with an expert to check that the documentation is up to date.
Maintenance is a constant process you need to perform to keep your application safe. Libraries, tools, and frameworks for building an app and ensuring its security are constantly being updated. After you build a HIPAA-compliant mHealth app, you’ll need to make sure you update them regularly; otherwise, a security breach can occur.
HIPAA compliance for medical devices
There are no specific requirements for medical devices under HIPAA. Manufacturers must examine the compliance environment and create devices that will help their service organizations achieve compliance. Here are some guidelines:
- Read the HIPAA rules and understand what counts as PHI and how you can protect it. Consider discussing HIPAA Compliance Complaints with covered organizations.
- Enable security features that control access to information in accordance with the rules of the protected organization. For example, enabling password features to access the system, tracking users with personal IDs, and encrypting internal and external transmission.
- Consider providing transfer options that hide patient names but provide relevant information, such as medical history and room numbers, to maintain confidentiality and accessibility.
- Consider including additional privacy measures such as biometric fingerprint authentication for critical data.
- Sign a business partnership agreement with the legal entity with which you have an agreement. This agreement must demonstrate that you understand how to maintain confidentiality and security rules. The documents should also state how you plan to protect, use and disclose the PHI in your hands.
- Create a stable workflow that ensures that all data is properly collected and protected. This ensures data reliability and keeps information safe from source to storage.
- Find out what operating systems and software are in use, and check for updates and compatibility issues that may affect PHI security. Frequent security patches may be required to maintain security.
New HIPAA Privacy Rules for 2021
One of the major changes that took place in 2020 was the increase in fines that can be levied in the event of non-compliance. This increase is in line with the Inflation Adjustment Act.
The amount that can be charged in the form of fines has increased significantly for each violation. There is also a new annual limit for each category of violations.
The maximum penalties for the four tiers are:
- Tier 1- $58,490
- Tier 2- $58,490
- Tier 3- $58,490
- Tier 4- $1,754,698
In addition, at the start of the COVID-19 pandemic, the Office for Civil Rights under the Department of Health and Human Services issued a notice. The notice said it would not apply penalties for non-compliance with HIPAA rules in accordance with telehealth’s “good faith clause”.
This change took effect from April 2020. It allowed healthcare organizations, at their discretion, to use any available remote communications products that were not intended for public use. These apps can provide telemedicine to their patients during a pandemic.
The Office of Civil Rights noted that while some of these audio and video products may not fully comply with HIPAA requirements, they do not impose any penalties on organizations using them.
Protecting user data and integrating a mobile app into a HIPAA compliant system is a non-trivial task for any healthcare company or institution. It’s necessary, though, as penalties for violating this law are massive: from $100 up to $1.5 million annually. So ensuring HIPAA compliance for health applications is a must — and it requires time, money, and lots of effort.
To save money and time, be sure to use ready solutions as much as possible and develop a HIPAA compliant medical app from scratch only if there’s no third-party service available. Also, make sure to consult with and get auditing services from experts who have experience creating secure HIPAA compliant medical apps.
Remember to assess how much information you actually need for your app to operate and bring value to your users. HIPAA compliant apps don’t collect any information that isn’t necessary; if yours does, you’ll be spending resources on protecting information you don’t actually need.
Mobindustry can help you with security issues and HIPAA compliance, so if you need a consultation or mobile development services, don’t hesitate to contact us. To find out whether Mobindustry is a right development partner for you, you can read this.