What a HIPAA Compliant App Should Include
Mobile health apps make healthcare services more accessible, yet raise multiple privacy and security concerns. Learn what a HIPAA compliant health app should include.
The global mHealth apps market size was estimated at almost $65 billion in 2023, and it is forecast to reach $340.5 billion by 2030. The main factors driving the health app market are users' increasing awareness of and interest in improving their health, and the vast availability of mobile devices worldwide.
Mobile health apps make healthcare services more accessible with solutions such as quick appointments, instant access to medical records, and convenient billing options. This is, indisputably, highly beneficial for consumers. On the other hand, health applications raise multiple privacy and security concerns for app developers and for the organizations that acquire these apps. Most of these concerns relate to the Health Insurance Portability and Accountability Act (HIPAA) Regulations.
The issue is that mobile health apps deal with individually identifiable health information, including electronic Protected Health Information (ePHI). Collecting, storing, processing, or otherwise handling ePHI is heavily regulated by the HIPAA Security Rule.
This article is written to help app developers, as well as healthcare companies that use third-party mobile health apps to support their healthcare programs and business operations. Some common questions these entities ask themselves when it comes to health apps are:
- I am a mobile health app developer. How do I develop a HIPAA-compliant app?
- I am a HIPAA-covered entity/business associate. How do I make sure the mobile app I use is HIPAA compliant?
Let’s answer these questions and figure out what a HIPAA compliant app should include.
Which Healthcare Apps Must Comply with HIPAA Rules
Only those health apps that collect, store, or transmit ePHI on behalf of a covered entity or another business associate on the basis of a Business Associate Agreement (BAA) have HIPAA compliance obligations. This includes healthcare apps “hired” by covered entities to perform the following functions:
- Telemedicine Apps like Teladoc or MDLive allow healthcare providers to conduct remote consultations with patients. This makes healthcare more accessible and convenient. Key requirements for HIPAA compliance in telemedicine apps include authorized access, secure communication, and monitoring systems, as outlined in the HIPAA Rules for telehealth technology.
- Electronic Health Records (EHR) Apps such as Epic MyChart, Athenahealth, etc. allow patients to access their medical records, view lab results, and manage their health information. HIPAA compliance for EHR apps guarantees privacy, integration, and authorized access to ePHI.
- Patient Portals - FollowMyHealth, MyChart, and Healow - allow patients to communicate with their healthcare providers, schedule appointments, and request prescription refills. Authorization, secure communication, and monitoring systems are a must for HIPAA compliance.
- Medical Device Apps including Dexcom G6, Medtronic CareLink, and Omron Connect, are designed to work with medical devices to track health data and monitor health conditions.
What the HIPAA Compliant App Should Include
Whether you are an app developer or a HIPAA covered entity, you should clearly understand what a HIPAA compliant app should include. See the main attributes of a HIPAA compliant app that are true for mobile app developers, covered entities, or both:
Specific for both
Privacy policies and terms of service
A HIPAA-compliant health app must have a clear privacy policy. The privacy policy must outline how the app will handle ePHI (how the data will be collected, stored, and shared) and which third parties are involved. It should also communicate to users their rights under HIPAA.
Risk Assessment
App developers are required to conduct a thorough risk assessment to identify potential vulnerabilities and risks to ePHI when developing and distributing the app. Similarly, covered entities and business associates must conduct a risk assessment of the application and their use of it.
Read more on how to conduct a risk assessment in our blog post Risk Assessment under HIPAA Security Rule.
Encryption
HIPAA requires encrypting ePHI both at rest and in transit. In practice, encryption means converting data into an unreadable format that can only be unlocked with a decryption key. Implementing robust encryption protocols safeguards sensitive health data during storage, transmission, and processing.
Regular Backups
HIPAA-compliant health apps should have regular backups. Timely and regular backups ensure that ePHI can be restored if patient information is lost, destroyed, or otherwise compromised. The backup schedule should be based on the Recovery Point Objectives (RPO) established by the company.
Access Controls
A HIPAA-compliant app must have stringent access control measures that determine who can access specific resources within the application and prevent unauthorized access to the ePHI held by the app, thereby reducing the risk of data breaches. Health apps should implement Role-Based Access Control (RBAC) or Attribute-Based Access Control (ABAC). The former assigns access rights based on the roles individuals perform within the organization. The latter uses a set of policies that take into account attributes of users, resources, and environmental factors.
Logging and Log Reports
A HIPAA compliant app should have logging and reporting features. If an incident or breach occurs, it is important to be able to establish user logins and logouts, and what data was viewed, modified, or deleted and by whom. The app should also keep a record of session timeouts, failed authentication attempts, etc.
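The access-control and logging attributes above fit together naturally: every access decision on ePHI is made by a policy layer and recorded for later review. The following is an added illustration, not code from the original article; the roles, departments, business-hours window and device-posture attribute are constructed for the example, and a real deployment would write the audit records to append-only, tamper-evident storage rather than an in-memory list.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed roles and the actions each may perform on a patient record (RBAC layer).
ROLE_PERMISSIONS = {
    "physician": {"view", "modify"},
    "nurse": {"view"},
    "billing": {"view_billing"},
}

@dataclass
class User:
    user_id: str
    role: str
    department: str

@dataclass
class Record:
    patient_id: str
    department: str

@dataclass
class Context:
    hour: int             # hour of the request, 24h clock (environmental attribute)
    device_managed: bool  # whether the request comes from a managed device

# In-memory audit trail for the example; a real app would persist these append-only.
AUDIT_LOG: list = []

def abac_allows(user: User, record: Record, ctx: Context) -> bool:
    """ABAC layer: user, resource and environment attributes must all line up."""
    return (user.department == record.department
            and 7 <= ctx.hour < 20
            and ctx.device_managed)

def authorize(user: User, action: str, record: Record, ctx: Context) -> bool:
    """RBAC check first, then ABAC; every decision, granted or denied, is logged."""
    rbac_ok = action in ROLE_PERMISSIONS.get(user.role, set())
    allowed = rbac_ok and abac_allows(user, record, ctx)
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user.user_id,
        "action": action,
        "patient": record.patient_id,
        "outcome": "granted" if allowed else "denied",
        "reason": "ok" if allowed else ("role" if not rbac_ok else "attributes"),
    })
    return allowed
```

Because denied attempts are logged with the reason, the same records that support breach investigation also feed the monitoring systems the article lists as a compliance requirement.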
Regular Updates and Patches
HIPAA compliant health apps must be regularly updated and patched. Timely application of security updates and patches addresses known vulnerabilities, strengthens defenses against emerging threats, and aligns with the HIPAA requirement for continuous risk management. These updates often include security enhancements, bug fixes, and improvements, helping to safeguard sensitive health information.
Strong authentication and authorization mechanisms
When developing (or acquiring) an app, ensure stringent user authentication and authorization mechanisms are in place. Developers should consider creating unique accounts for each user, enforcing robust passwords, and adopting multi-factor authentication (MFA). Strong passwords include at least eight characters (including letters, numbers, and special symbols) and exclude frequently used combinations. MFA provides an additional layer of security by granting access only after the user presents an additional verification factor (biometrics such as face ID, or one-time passwords sent to their device or email).
Session management (time out)
Apps that adhere to HIPAA regulations need to incorporate session management measures to regulate user access throughout their session. This involves actions such as logging out inactive users, restricting session duration, and regenerating session tokens.
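The three session-management actions named above (logging out inactive users, capping session duration, and regenerating session tokens) can be enforced in one server-side session store. This is an added example, not code from the original article; the 15-minute idle timeout and 8-hour absolute lifetime are illustrative values, not figures prescribed by HIPAA, and the caller passes in the clock so the behaviour can be tested deterministically.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

IDLE_TIMEOUT_S = 15 * 60      # constructed value: log out after 15 min of inactivity
MAX_LIFETIME_S = 8 * 60 * 60  # constructed value: absolute cap, regardless of activity

@dataclass
class Session:
    user_id: str
    created_at: float  # seconds; the caller supplies the clock
    last_seen: float

class SessionStore:
    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def create(self, user_id: str, now: float) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[token] = Session(user_id, now, now)
        return token

    def validate(self, token: str, now: float) -> Optional[Session]:
        """Return the live session for a token, or revoke it and return None."""
        s = self._sessions.get(token)
        if s is None:
            return None
        idle_expired = now - s.last_seen > IDLE_TIMEOUT_S
        lifetime_expired = now - s.created_at > MAX_LIFETIME_S
        if idle_expired or lifetime_expired:
            del self._sessions[token]
            return None
        s.last_seen = now
        return s

    def rotate(self, token: str, now: float) -> Optional[str]:
        """Issue a new token for a live session (e.g. after re-authentication or a
        privilege change) and invalidate the old one, so a leaked token stops working."""
        s = self.validate(token, now)
        if s is None:
            return None
        del self._sessions[token]
        new_token = secrets.token_urlsafe(32)
        self._sessions[new_token] = s
        return new_token

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)
```

Revoking on the server side matters because a client that simply discards its token leaves the session usable by anyone who captured it; the store above removes the entry on timeout, rotation and explicit logout.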
Specific for Covered Entities
Business Associate Agreement (BAA)
If you are a HIPAA covered entity and want to utilize a third-party telemedicine app, electronic health record app, patient portal, or any other app that uses PHI, you must sign a Business Associate Agreement (BAA) with the app developer. The BAA should specify how ePHI data is used by the developer and what the parties’ responsibilities are in protecting ePHI.
Specific for App Developers
Secure app design
A secure app design is paramount for safeguarding ePHI, privacy, and the overall digital experience. Adhering to secure design principles helps prevent unauthorized access to patient data, mitigates the risk of data breaches, and builds a foundation for regulatory compliance. A secure app design not only supports HIPAA requirements but also instills trust among healthcare professionals and patients, which is crucial for the successful adoption and use of healthcare applications.
SAST and DAST code review
Your app code should be checked for security vulnerabilities. Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) are valuable tools for achieving HIPAA compliance when developing a mobile health app.
SAST analyzes the application's source code or binary code at rest and identifies vulnerabilities, insecure coding practices, and potential security flaws early in the development process. For HIPAA compliance, SAST helps ensure that the code adheres to security standards, mitigating risks related to the confidentiality, integrity, and availability of ePHI.
DAST assesses the security of a running application by simulating an outside attacker's perspective. It identifies vulnerabilities that may arise during runtime, providing insights into how an attacker might exploit weaknesses. DAST is crucial for validating the security of the application in its operational environment and for addressing HIPAA requirements for ongoing risk management.
Penetration testing
Penetration testing identifies vulnerabilities by simulating real-world attacks. By systematically evaluating the app's defenses, penetration testing helps developers address potential risks to ePHI, validate security measures, and comply with HIPAA regulations. Regular testing throughout the development lifecycle ensures a resilient security posture, safeguarding patient data against unauthorized access and potential breaches.
Final Thoughts
Along with the rapid market growth, the future of mobile health apps is poised for continuous innovation and challenges. Wearable device compatibility and continuous monitoring for real-time data will become more prevalent, promoting proactive healthcare. Thus, more people will use digital health apps, and the companies developing these apps will have to focus on compliance. So, when you are developing a mobile health app (or hiring dedicated developers), make sure you understand the nuances of HIPAA compliance well and implement them in the app.
Feel free to contact the Planet 9 team for help with your HIPAA compliance challenges. We’ll be happy to assist!