HIPAA stands for Health Insurance Portability and Accountability Act. Some terms associated with HIPAA compliance you should be aware of are PHI (Protected Health Information), PHR (Personal Health Records), CE (Covered Entities), BA (Business Associates) and BAA (Business Associate Agreement).
A mobile app that collects user information of medical significance has to comply with HIPAA: the app owner is subject to scrutiny at any point in time, and hefty fines are levied if the owner is found non-compliant.
Examples of such fines: in 2010, Cignet Health was fined $4.3 million for breaching the Privacy Rule, and more recently Memorial Healthcare Systems was fined $5.5 million after failing an audit of its systems.
To make your mobile app HIPAA compliant, your app must follow these rules –
- Privacy Rule – This tells the owner and developer how and when PHI may be shared through your healthcare app.
- Security Rule – This tells the owner and developer how to protect information stored on and accessed through electronic devices. It deals with the technical side of security and describes best practices you can follow.
- Enforcement Rule – This rule covers how the HIPAA rules are enforced and what corrective actions one needs to take to ensure compliance from then on.
- Breach Notification Rule – This rule sets out what an entity must do when PHI has been exposed or shared in violation of the rules, including whom it must notify and how.
Here are certain steps you can take to make sure your mobile application is HIPAA compliant —
- Data security is one of the most important aspects of developing a HIPAA compliant mobile healthcare application. App developers often set out to build a HIPAA compliant application but fail to build data security into it. Plan well in advance to ensure there is no data security breach in your mobile health app. This goes a long way towards HIPAA compliance, since most of HIPAA’s requirements deal with data security and data breaches while the information collected by an app is shared with related entities or sent over the network.
- Sending push notifications for your mobile health app may violate HIPAA standards. Push notifications are often sent to tell the user about changes and/or updates in the app; however, by mistake you may include PHI in the push notification message, which is a violation under HIPAA regulations.
- Healthcare apps often send messages containing PHI to increase engagement between doctors and patients. However, if you are using an application or email service that is not HIPAA compliant, you are violating HIPAA standards. You need to ensure that all such communication goes through a HIPAA compliant app, or that a HIPAA compliant email client is integrated with the app for it.
- You must check whether your application falls under the FDA’s definition of a medical device. If it does, you need FDA approval before releasing the app to the general public. The FDA (US Food and Drug Administration) has another set of rules and regulations that must be followed when developing a healthcare app.
- The mobile app must also be prepared for cases where PHI could leak because a phone is lost. If a phone is stolen, the mobile app should have enough security in place that no one can access the patient’s information. At the simplest, this means requiring a lock to be enabled on the phone before the app and its information can be accessed.
- HIPAA rules and standards are rather complex for a layperson to understand, so a healthcare app owner should get help from a legal firm to understand the details and pitfalls of the standard in case of any doubt. Understanding the regulations fully will help you ensure that your app is HIPAA compliant and avoid any kind of breach in future.
- The following information must not be shared unless your app is HIPAA compliant:
  - the patient’s name
  - any geographical location smaller than a state
  - dates such as birth date, admission date, discharge date and date of death
  - phone and fax numbers
  - email addresses
  - the person’s social security number
  - medical record numbers or related reference numbers
  - health plan beneficiary details or numbers
  - account numbers
  - any certificate or license numbers
  - web URLs or IP addresses
  - device identifiers or vehicle identifiers
  - any biometric details that could identify the person
  - full face photographs
  If you share any of these, you need to make your healthcare app HIPAA compliant for the related communication by taking proper security steps and measures.
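As an added illustration (not part of the original article), the following Python sketch shows one way to keep the identifiers listed above out of push notifications, the risk raised earlier in this list: it screens the notification text for the identifier types that a pattern can catch (emails, SSNs, phone numbers, dates, IP addresses, URLs) and, on any hit, falls back to a generic body that carries only an opaque server-side message reference, so the real content is only shown after the user unlocks the phone and authenticates in the app. The payload layout, the function names, the regular expressions and the sample texts are assumptions for this example, not a specification from any push service.

```python
import re

# Identifier types from the list above that a pattern can recognise mechanically.
# Names, record numbers, account numbers and similar free-form values cannot be
# caught this way; keep those out of push text by design (see GENERIC_BODY).
IDENTIFIER_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b(?:\+?1[-.\s]?)?\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}\b"),
    "date": re.compile(r"\b(?:\d{1,2}[/-]\d{1,2}[/-]\d{2,4}|\d{4}-\d{2}-\d{2})\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"https?://\S+"),
}

# Generic text that carries no PHI; the real content is fetched after the user
# unlocks the phone and authenticates inside the app.
GENERIC_TITLE = "New message"
GENERIC_BODY = "Open the app to view your secure message."


def find_identifiers(text):
    """Return a list of (kind, matched_text) for every detectable identifier."""
    hits = []
    for kind, pattern in IDENTIFIER_PATTERNS.items():
        for match in pattern.finditer(text):
            hits.append((kind, match.group(0)))
    return hits


def build_push_payload(title, body, message_ref):
    """Build the payload handed to the push service (the layout is assumed here).

    message_ref must be an opaque, server-generated reference to the message,
    never a medical record number or other identifier from the list above.
    Returns (payload, hits); hits is non-empty when the text was replaced.
    """
    hits = find_identifiers(f"{title} {body}")
    if hits:
        payload = {"title": GENERIC_TITLE, "body": GENERIC_BODY,
                   "data": {"message_ref": message_ref}}
    else:
        payload = {"title": title, "body": body,
                   "data": {"message_ref": message_ref}}
    return payload, hits


if __name__ == "__main__":
    # Constructed sample: a well-meant reminder that leaks a date and a phone number.
    risky_title = "Lab result"
    risky_body = "Your 05/14/2024 bloodwork is in. Questions? Call 555-123-4567."
    payload, hits = build_push_payload(risky_title, risky_body, message_ref="msg-8f3a")
    print(hits)      # the identifiers that triggered the fallback
    print(payload)   # generic title/body plus the opaque reference only
```

The pattern check is a safety net, not the design: the robust approach is to build push text from fixed templates that never interpolate patient data, and to treat any hit from a scanner like this as a bug in the template rather than something to clean up at send time.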
Initially, these rules applied only to doctors and insurers; now, however, anyone working on a medical project must make sure they follow the HIPAA rules when developing the related app.
Even if you have taken all these measures but are still found to be violating HIPAA, you can be fined anywhere from $100 to $50,000 for a single incident.
Hence it is always better to make HIPAA compliance part of your mobile app development plan. This will help you avoid fines and rework costs.
A mix of technical and non-technical aspects of mobile app development needs to be taken into consideration. The best way to understand this law is to look at the various intended and unintended ways in which HIPAA can be violated.