Deciding how to make a mobile app when your business has an obligation to make it HIPAA compliant can make it a tricky process to navigate alone. Not everyone is considered a “covered entity” by HIPAA, but for those that are, ensuring that your patient’s information is secure is your number one priority when making an app. While you may think this limits your options, making a HIPAA-compliant mobile app isn’t as hard as it used to be. In this post, we’ll dive into if your app should be HIPAA-compliant, what HIPAA-compliance means, and some best practices.
Does your mobile app need to be HIPAA-compliant?
HIPAA was established to protect individuals’ medical records and other identifiable health information, but it only applies to covered entities who are typically in the medical field and have privileged information about a patient’s health. Covered entities defined by HIPAA include hospitals, doctor’s offices, clinics, pharmacies, other health care providers who conduct electronic transactions, health insurance issuers, or health and wellness programs related to a health plan offered by an employer.
However, just having an app and being in one of those industries doesn’t make your app necessarily need to be HIPAA compliant. It’s the information your app processes that determines whether or not your app must be HIPAA compliant.
Ask yourself: Does your health app create, receive, maintain, or transmit identifiable medical information? If yes, your app probably needs to be HIPAA compliant.
Besides covered entities, any business associates who receive, maintain, or store protected patient information are also required to be HIPAA-compliant. So if your business asks for personal health information but isn’t a covered entity or business associate, your app doesn’t need to be HIPAA compliant. An example of this would be asking for someone’s gender to sign them up for your app. Even though this is health information, you don’t need to comply with HIPAA to secure that information if you aren’t a covered entity or business associate. However, if you are–even if the gender question is the only protected health information you ask for–your app needs to be HIPAA compliant.
While HIPAA has a set of security requirements, they are not really applicable to people outside of covered entities and their business associates. If you want to secure your app but are not dealing with protected health information, there are other resources you can check out, like this one.
How do you make a HIPAA-compliant mobile app?
Once you’ve determined that the app you’re making is covered by HIPAA, you need to know what you need to do to make a HIPAA-compliant mobile app. There are certain technical requirements for HIPAA compliance, and here’s how we would approach them.
Before you can set up protocols to protect your patients’ health information, you need to know what information you are gathering. Determine what information you need to collect and protect in order to fulfill your core functions in the app.
For instance, while it can be good to have demographic information on your patients, you should consider why it is medically necessary for your app to do so. If you are running an app to help monitor people’s heart health, it may not be necessary for you to collect information on their previous mental health diagnoses, or if your app helps patients track migraines, it may not be necessary to know their weight and gender. Knowing what information is necessary for you to complete the core functions of your app without overstepping and gathering more health information can help with HIPAA compliance.
There is strict guidance from the government on what information is considered protected health information, so here’s a quick, non-exhaustive list of the identifiable health information you need to protect:
- Demographic information
- Relates to past, present, or future physical or mental health conditions
- Involved in past, present, or future medical billing or payment for the provision of health services
- Provides information that can identify the customer, or there is a reasonable basis to believe it could be used to identify the customer
Securing your app-user-protected health information for HIPAA compliance involves both technical, operational, and relationship requirements for the security of that information.
HIPAA security requirements include:
- Encryption: Any app with protected health information should provide both encryptions at rest and encryption in transit. Note: This is different from end-to-end encryption, which is not required for HIPAA compliance.
- Encryption at rest: This ensures health data that is stored either physically on your computer or digitally is protected from unauthorized access by converting the data to code.
- Encryption in transit: This secures health information as it is being transferred from the person inputting the data to you and back again. Data is converted before being transmitted from the app, the endpoint is authenticated, and the data is decrypted and verified on arrival, preventing decryption by any unauthorized parties who may attempt to intercept the data.
- Standard operating procedures: This includes getting consent from people on your app to gain access to their health information, providing transparency on how their information is used and stored, and only gathering necessary health information for your purpose.
- Sharing with third parties: To comply with HIPAA, protected health information must be accessible to the protected individual and authorized third parties in certain circumstances. If an individual wants to gain access to your record of their protected health information, your app is required to give them access to it on request. Additionally, if a third party submits a request in writing–signed by the individual whose health data they are seeking access to–your app must also give them that information with the individual’s consent. This is largely used to distribute health information to the patient’s other healthcare providers.
If you are unsure about making a HIPAA-compliant mobile app, get assistance from the experts! There are many ways to build an app, and many app solutions can be HIPAA compliant. If you find a developer with experience in HIPAA compliance, they typically understand the technical side of securing your app in all of the legally protected ways and can help with that. You can also find no-code app platforms that are already HIPAA compliant where you can build and customize your app.
When you are ready to start making a HIPAA compliant app, figure out your options, keep your patients’ information safe, and get back to doing what you do best: helping people.