What is HIPAA?
HIPAA is the Health Insurance Portability and Accountability Act. It was enacted in 1996 to regulate the protection of patient data, reduce the cost of healthcare, and provide continuous health insurance coverage for people who lose or change jobs. However, the part of the act we’re interested in as developers or owners of a healthcare software product is its requirements for protecting patient data against fraud and misuse.
In recent years, smartphones and wearables have become widely used in hospitals and by insurance companies to connect doctors with patients and track patients’ health. Smartphone apps that in any way process, receive, or send private data should comply with HIPAA. This is why mHealth app development that meets HIPAA requirements is currently in high demand.
The first thing you need to find out when developing a medical application for the US market is what kind of information you’ll store and transfer via your application. There are two types of information:
- PHI (protected health information) — includes bills from doctors, emails, MRI scans, blood test results, and any other medical information (note that geolocation information that locates a person within a territory smaller than a state is also PHI);
- CHI (consumer health information) — includes data you can receive from a fitness tracker: for example, the number of calories burned, heart rate readings, and the number of steps taken.
The rule here is simple: If your application processes, stores, or transfers any PHI data, it has to be HIPAA compliant.
Even if you want to create software for other countries or regions, for example Europe, you’ll still need to meet local requirements, such as those established by the European Union. Almost every country has its own legislation governing the use of private medical data.
In this article, we focus on HIPAA app development requirements and answer the question of how to make an app HIPAA compliant. Many of the things mentioned here, however, will also be relevant for apps targeting countries other than the US. Let’s first talk about why it’s so important to design your app according to HIPAA.
Why is HIPAA important?
First and foremost, HIPAA protects patients and their data. Personal data and private medical information can be used by attackers against patients. Sometimes this means a mild inconvenience, but usually the consequences are much more serious.
This is especially true in the US, where Social Security numbers are extremely important and are linked to almost all of an individual’s personal data.
HIPAA protects patients from identity theft, a common crime linked to personal data fraud. For a victim, identity theft can result in large debts, massive financial losses, and harmful fraudulent claims. According to MIFA, the average victim of data fraud spends over $13,000 dealing with the consequences.
What happens if a company fails to meet HIPAA requirements? In two words: massive fines, which can reach several million dollars. Each individual data breach case results in a fine of $100 to $50,000. If a data breach occurs because of a hospital’s non-compliance with HIPAA, each person whose data was exposed counts as a separate case. Fines against one entity are capped at $1,500,000 per year for one category of violation.
There are already many examples of hospitals that have faced fines because their devices or software weren’t secure enough. For example, in 2015, a Massachusetts hospital faced a $218,000 fine for putting the data of nearly 500 patients at risk because its file-sharing medical application failed to meet basic HIPAA security requirements.
Another relevant example is the $3.2 million fine imposed on Children’s Medical Center of Dallas for failing to encrypt all data on portable devices.
How can you avoid hefty fines and keep your patients’ data safe and secure? There’s a set of rules you need to follow.
How to make your app HIPAA compliant
To make your app project HIPAA compliant, you need to follow four rules:
- Privacy rule
- Security rule
- Enforcement rule
- Breach notification rule
The main rule for any developer who works on medical applications is the security rule, which describes technical and physical safeguards.
Physical safeguards cover protecting the backend, data transfer networks, and user devices such as iPhones or any other iOS or Android devices that can be physically compromised, stolen, or lost. You can find a full list of physical safeguards here.
To ensure your app’s security, require users to authenticate regularly, or make it impossible to access the application without authentication at all. To keep authentication secure without sacrificing the user friendliness of your app, you can allow fingerprint authentication. This limits the exposure of PHI if a device is lost or stolen.
Make sure that memory cards in mobile devices don’t store any PHI. Removable memory cards are a weak point because they don’t enforce strict access permissions, so their contents can be read simply by moving the card to another device.
Using reliable providers and a set of technical tools such as libraries and third-party services isn’t enough on its own to create a secure, fully HIPAA compliant app. You need not only to encrypt the data in the software you develop but also to make sure it can’t be accessed if the server or device is physically compromised.
Technical safeguards focus on thoroughly encrypting all data that’s transferred between or stored on devices and servers. Technical safeguards include:
- Unique user identification
- Emergency access procedures
- Automatic logoff
Another rule you need to keep in mind is the minimum necessary rule: don’t collect or store more data than you need, and don’t keep data for longer than your work requires.
Avoid sending any PHI in push notifications, and make sure this type of information doesn’t leak into backups or logs.
For more information, check the OWASP Mobile Top 10 list of the most common mobile risks.
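One way to keep PHI out of application logs (and so out of the backups and log aggregators that copy them), as an added example that is not code from the original article: a Python logging filter that scrubs common identifiers before a record reaches any handler. The patterns and the structured-log field names are assumptions chosen for illustration, not a list mandated by HIPAA.

```python
import logging
import re
# PHI-looking patterns, assumed for illustration; a real deployment tunes
# them to its own data (the DOB pattern also matches plain ISO dates, which
# is the safe direction to err in for a log).
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "dob": re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),
}
# Structured-log keys that always carry PHI (assumed names for this app);
# they are dropped from the record rather than masked.
PHI_KEYS = {"patient_name", "mrn", "diagnosis", "lat", "lon"}

def redact_phi(text: str) -> str:
    """Replace every PHI-looking substring with a typed placeholder."""
    for kind, pattern in PHI_PATTERNS.items():
        text = pattern.sub(f"[{kind.upper()} REDACTED]", text)
    return text

def redact_fields(fields: dict) -> dict:
    """Drop PHI keys from a structured-log dict and scrub the remaining strings."""
    return {k: (redact_phi(v) if isinstance(v, str) else v)
            for k, v in fields.items() if k not in PHI_KEYS}

class PHIRedactingFilter(logging.Filter):
    """Scrub msg and args so handlers (log files, backups) see only redacted text."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_phi(str(record.msg))
        if isinstance(record.args, dict):
            record.args = redact_fields(record.args)
        elif record.args:
            record.args = tuple(redact_phi(a) if isinstance(a, str) else a
                                for a in record.args)
        return True  # never drop the record, only sanitise it

def scrub_message(msg: str, *args) -> str:
    """Run one message through the filter and return what a handler would see."""
    record = logging.LogRecord("mhealth", logging.INFO, "app", 0, msg, args, None)
    PHIRedactingFilter().filter(record)
    return record.getMessage()

if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(message)s")
    log = logging.getLogger("mhealth")
    log.addFilter(PHIRedactingFilter())
    # Constructed sample of the kind of line an app might emit by mistake.
    log.info("lab result ready for %s (SSN %s)", "jane@example.com", "123-45-6789")
```

Attach the filter to the root logger (or to every handler) in production so third-party libraries that log through their own loggers are covered too.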
Steps to creating a HIPAA compliant medical app
Step 1: Find an expert
Don’t attempt to meet all HIPAA requirements without guidance if you don’t have enough experience. It’s always better to hire a third-party expert to consult and audit your system. You can also outsource the whole HIPAA compliant app development process to an experienced team. Finding an expert is useful both for startups and for big healthcare companies.
Step 2: Evaluate patient data
Make sure you really need all the data you collect from patients and figure out what data can be categorized as PHI. Once you do that, see what PHI data you can avoid storing or transferring through your mobile app.
Step 3: Find third-party solutions that are already HIPAA compliant
Providing HIPAA compliance for an application is very expensive. If you attempt to create a custom HIPAA app from scratch, be ready to pay at least $50,000. This price will include development of a whole system that meets physical and technical security requirements. You’ll also need to spend money auditing this system, getting all necessary certifications, etc.
The best way to save time, money, and effort is to use a ready infrastructure and solutions that are already HIPAA compliant instead of developing HIPAA compliant mobile apps from scratch. This is called IaaS — Infrastructure as a Service. For example, Amazon Web Services and TrueVault are HIPAA compliant and take responsibility for the security of the infrastructure they provide; the security of your own application code and data handling remains your responsibility.
To use a third-party service for storing or managing PHI, you’ll need to sign a business associate agreement (BAA) with each such company and make sure it’s reliable.
If you use high-quality third-party solutions, the only thing you’ll need to worry about is creating something that doesn’t exist yet in the form of a ready solution.
Step 4: Encrypt all stored and transferred data
Use security best practices to encrypt your patients’ sensitive data both in transit and at rest, and combine encryption with obfuscation of the app’s code. Pay particular attention to encrypting stored data so it can’t be recovered from a stolen device.
Step 5: Maintain and test your app for security
Testing is extremely important, and you need to do it after every update. Test your application both statically and dynamically and consult with an expert to check that the documentation is up to date.
Maintenance is a constant process you need to perform to keep your application safe. The libraries, tools, and frameworks you use to build an app and ensure its security are constantly being updated. After you build a HIPAA compliant mHealth app, you’ll need to update them regularly; otherwise, a security breach can occur through a known vulnerability in an outdated component.
Protecting user data and integrating a mobile app into a HIPAA compliant system is a non-trivial task for any healthcare company or institution. It’s necessary, though, as penalties for violating this law are massive: from $100 up to $1.5 million annually. So ensuring HIPAA compliance for health applications is a must — and it requires time, money, and lots of effort.
To save money and time, be sure to use ready solutions as much as possible and develop a HIPAA compliant medical app from scratch only if there’s no third-party service available. Also, make sure to consult with and get auditing services from experts who have experience creating secure HIPAA compliant medical apps.
Remember to assess how much information you actually need for your app to operate and bring value to your users. HIPAA compliant apps don’t collect any information that isn’t necessary; if yours does, you’ll be spending resources on protecting information you don’t actually need.
Mobindustry can help you with security issues and HIPAA compliance, so if you need a consultation or mobile development services, don’t hesitate to contact us. To find out whether Mobindustry is the right development partner for you, you can read this.
Healthcare development services
Are you planning to create a healthcare application? We can help you make sure it’s secure and fully HIPAA compliant.