As of November 2020, healthcare organizations have already anted up over $13 million in penalties for violating the HIPAA regulations. I bet they would readily invest this money in protecting their patients’ data and enhancing their products.
If you are with me on this, let’s talk about everything you need to know about developing a HIPAA-compliant app in 2020. I suggest we err on the side of caution and make sure you follow HIPAA best practices from the get-go to avoid surprises during your app launch.
Table of Contents
- What is HIPAA and Why is It Important?
- What Does HIPAA Compliance Mean for Healthcare App Developers?
- Health App Use Scenarios & HIPAA
- HIPAA Checklist for mHealth App Developers
- 5 Steps to Make an App HIPAA-Compliant
- HIPAA & COVID-19
- OCR Tools for HIPAA Compliance
- How Much Does it Cost to Build a HIPAA-Compliant App?
- How Much Does HIPAA Ignorance Cost?
- Our Experience in HIPAA-Compliant App Development
What is HIPAA and Why is It Important?
Let’s recap what HIPAA is, why you need it, when you need it, and what terminology you may need to impress your boss when discussing HIPAA compliance.
HIPAA, the Health Insurance Portability and Accountability Act, is a federal law passed in 1996; the HHS regulations that implement it (45 CFR Parts 160 and 164) were last substantially revised by the 2013 Omnibus Rule. Can you believe that? Yes, the main law governing your healthcare app’s security hasn’t changed for over 7 years.
The good news is you won’t have to read 100 something pages worth of legislation trying to define technical parameters for security in healthcare applications.
The HIPAA regulations that HHS enforces consist of:
- Privacy Rule
- Security Rule
- Enforcement Rule
- Omnibus Rule, and
- Breach Notification Rule
I won’t bother you to death with what each rule implies, but together they describe what a health app needs to have to be considered secure. Plus, the rules set forth procedures that covered entities need to adopt for keeping patient data safe.
OCR, the Office for Civil Rights in the U.S. Department of Health and Human Services (HHS), is the office that comes knocking on your door if it receives a complaint about HIPAA issues with your app. It also publishes plenty of guidance on the subject if you feel like it’s wiki-time.
Phraseology to discuss HIPAA with CEOs
As soon as you ask, “Does every health app need to be HIPAA-compliant?” you’ll find yourself juggling these few terms you need to know to discuss HIPAA seriously.
PHI, protected health information, comes as part of the answer to your question: HIPAA applies whenever a health app handles individually identifiable health information that a covered entity or business associate creates, receives, maintains, or transmits, and that relates to:
- the patient’s physical or mental health or condition
- the fact of the provision of healthcare to an individual
- the payment details for the provision of healthcare to an individual
Covered entities are clinics, private practices, individual providers, healthcare plans, clearinghouses, and insurers, all of whom need to comply with the HIPAA requirements.
A business associate is a person or organization that creates, receives, maintains, or transmits individually identifiable health information on behalf of a covered entity. In our context, it may be a healthcare app developer or a cloud service provider who processes your patients’ data. Since the 2013 Omnibus Rule, business associates are directly liable under the Security Rule, and the covered entity must have a signed business associate agreement (BAA) with each of them before any PHI changes hands.
What Does HIPAA Compliance Mean for Healthcare App Developers?
The HIPAA Security Rule broadly describes three types of safeguards:
- Administrative safeguards
- Physical safeguards
- Technical safeguards
As a healthcare app developer, we most often deal with the technical safeguards, but you, as a covered entity or business associate, need to take the physical and administrative safeguards into account too. Let’s quickly scan through each, shall we?
Technical data safeguards
The Security Rule names five technical standards: access control (unique user IDs, emergency access, automatic log-off, encryption), audit controls, integrity, person or entity authentication, and transmission security. In practice that means encryption, secure connections and protocols, authentication, logging, and the rest of the technology-related security best practices applicable to health apps. Firewalls and endpoint protection belong here as well.
Physical data safeguards
What’s usually implied here is limiting physical access to servers and other equipment that may contain patient data: facility access controls, workstation use and security policies, and device and media controls, i.e. what happens to a laptop, phone, or disk that held PHI when it is lost, reused, or disposed of.
Administrative data safeguards
Finally, administrative data safeguards cover the risk analysis and risk management process, personnel training and management, sanction policies, contingency and incident response planning, business associate agreements, maintenance of privacy policies and procedures, privacy practices notices, etc.
Health App Use Scenarios & HIPAA
You might be still wondering about two aspects of HIPAA:
- Does HIPAA apply to health data that patients add and manage in mhealth apps on their own?
- Is there a case when an app developer doesn’t need to comply with the HIPAA rules?
Here are a few scenarios that will help you answer these questions.
A user downloads the app from the App Store and populates it with her glucose data from a personal glucometer.
HIPAA compliance: not required as no PHI is created, received, maintained, or transmitted on behalf of a covered entity or business associate.
A patient exports the details of his disease from his clinic’s EHR and imports this data into an mhealth app to manage it there.
HIPAA compliance: not required, because the app is not handling PHI on behalf of the clinic; the patient exported his own record and chose where to put it.
Following her doctor’s advice, a patient downloads an app from the App Store to manage her weight and calorie intake and send reports from the app to her doctor.
HIPAA compliance: not required. Health information is transmitted, but the app developer is not doing so on behalf of the doctor; the patient chose the app and decides when to send reports, so the developer is not a business associate.
A patient gets an app to manage his chronic condition from the App Store. He then sets up the app to share his health data with his clinic’s EHR (the app does not belong to the clinic but has an interoperability arrangement to securely share patient data with it).
HIPAA compliance: not required as the app does not handle PHI on behalf of a covered entity or business associate.
A patient downloads a clinic’s remote patient monitoring app from the App Store. All health data that the patient enters automatically syncs with the clinic’s EHR system.
HIPAA compliance: required.
A patient gets her health plan’s app from the App Store to manage her claims and health plan records.
HIPAA compliance: required.
As you can see, the key to understanding HIPAA compliance requirements is to double-check whether:
- your app developer creates, receives, maintains, or transmits PHI on your behalf
- your patients work with a random health app or specifically with your application
- your patients have full control over sending their health data outside the app
HIPAA Checklist for mHealth App Developers
What’s interesting about HIPAA is that on its 114 pages, you won’t find a list of best practices or recommendations for using, e.g., specific methods of encrypting patient health data. Still, HIPAA has plenty of implications for app developers.
Like I mentioned, the law has been sitting without changes since 2013. How do you think it manages to stay relevant for so long? That’s right, by being as general as possible. Here’s a good example, the emergency access procedure standard from the Security Rule (45 CFR 164.312(a)(2)(ii)):
“Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.”
That’s all they say about that in HIPAA. Does it make your life easier? I bet it raises a lot of questions, like, “What do we regard as an emergency?”, “Do I need to allow some kind of backdoor to the app for authorized personnel?”, “How is it different from authorized users accessing patient data during non-emergencies?”. The practical answer is a break-glass flow rather than a backdoor: a named user invokes emergency access explicitly, the app grants it for a limited time, records it in the audit log, and someone reviews those entries afterwards.
To give you some practical advice, let’s summarize the most action-packed directions from HIPAA that you should apply in your health app:
Limit access to the app
Make sure that only authorized users (and third-party software) can access the app’s data:
- Biometric authentication, used to unlock a device-bound credential rather than as the only factor
- Two-factor authentication
- Automatic log-off when the user is inactive
- Unique user IDs, so every action in the audit log maps to one person
It also helps to have distinct user roles with specific access rights to different app features. For instance, not everybody on the provider’s side might need access to PHI all the time.
Encrypt all patient data
Again, HIPAA doesn’t mandate any particular encryption standard (encryption is an “addressable” specification), but we prefer widely vetted, standard algorithms: AES-256 in an authenticated mode such as GCM for stored data, and OpenPGP or S/MIME for encrypted email. There is a concrete payoff: under OCR’s breach guidance, PHI encrypted consistently with NIST SP 800-111 (at rest) or SP 800-52 (in transit) counts as “unusable, unreadable, or indecipherable”, so losing an encrypted device or backup is not a reportable breach as long as the key was not lost with it. Keys belong in a key management service or hardware-backed keystore, never in the app binary.
Implement an audit mechanism
You should be able to track down who exactly is using the app and what actions these users are taking.
Ensure data integrity
PHI must be protected from unauthorized changes, whether by a malicious insider, a bug, or a corrupted backup. The standard tools are authenticated encryption (which rejects modified ciphertext), message authentication codes or digital signatures over records, database constraints, and tamper-evident audit logs. Blockchain is often pitched for this, but a signed or hash-chained log gives the same tamper evidence without the overhead, and an immutable ledger sits badly with the data removal described below.
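To make the access, audit, and integrity items concrete, here is an added example (written for this page, not code from the original article or from the company behind it) of a small PHI access gateway in Python: a role check enforces the least-privilege split described above, every attempt, allowed or denied, lands in an append-only audit log, and the log is hash-chained with an HMAC so that editing or deleting an entry is detectable. The roles, permissions, user names, and key are assumptions for illustration.

```python
import hashlib
import hmac
import json
import time
from dataclasses import dataclass, field

# Hypothetical roles and the operations each may perform. A nurse gets read
# access only (minimum necessary); a physician may also update the record;
# billing sees payment data and never clinical data; support sees nothing.
ROLE_PERMISSIONS = {
    "physician": {"phi:read", "phi:write"},
    "nurse": {"phi:read"},
    "billing": {"payment:read"},
    "support": set(),
}

# Key for the audit log's HMAC chain. In production it lives in a KMS/HSM and
# the verifier runs on a separate system; a fixed value keeps the example offline.
AUDIT_KEY = b"example-audit-key-do-not-use"


class AccessDenied(PermissionError):
    pass


@dataclass
class AuditLog:
    """Append-only audit trail. Each entry's tag is an HMAC over the entry and
    the previous entry's tag, so altering or deleting any entry invalidates
    every tag after it. The log contains patient identifiers, so it is PHI
    itself and must be stored with the same care as the records it describes."""
    entries: list = field(default_factory=list)

    def _tag(self, prev_tag: str, body: dict) -> str:
        msg = prev_tag.encode() + json.dumps(body, sort_keys=True).encode()
        return hmac.new(AUDIT_KEY, msg, hashlib.sha256).hexdigest()

    def append(self, user: str, role: str, action: str, patient_id: str, allowed: bool) -> None:
        body = {"ts": time.time(), "user": user, "role": role,
                "action": action, "patient": patient_id, "allowed": allowed}
        prev = self.entries[-1]["tag"] if self.entries else ""
        self.entries.append({**body, "tag": self._tag(prev, body)})

    def verify(self) -> bool:
        """Recompute the chain from the start; False on any edit or deletion."""
        prev = ""
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "tag"}
            if not hmac.compare_digest(self._tag(prev, body), entry["tag"]):
                return False
            prev = entry["tag"]
        return True


def access_phi(log: AuditLog, user: str, role: str, action: str, patient_id: str) -> dict:
    """Single choke point for PHI operations: decide, record, then act.
    Denied attempts are logged as well; a burst of denials is an alert."""
    allowed = action in ROLE_PERMISSIONS.get(role, set())
    log.append(user, role, action, patient_id, allowed)
    if not allowed:
        raise AccessDenied(f"role {role!r} may not {action}")
    # In a real app the record is fetched here; the example returns what was authorised.
    return {"patient": patient_id, "action": action, "by": user}
```

Run the verifier from a process that cannot write to the log store, and ship the log to it as it grows; an attacker who can both edit entries and recompute tags with the key has defeated the point of the chain.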
Transfer PHI using secure connections and protocols
To make patient data resistant to interception, apart from encrypting it at rest, you also need to send it over HTTPS with TLS 1.2 or later; SSL and TLS 1.0/1.1 are deprecated and must be disabled, certificates must be validated, and the “disable certificate verification” shortcut used during development must never reach production. If anything, just check that your app developers use these settings when building a HIPAA-compliant mobile app.
Limit the amount of data to the necessary minimum
This is HIPAA’s minimum necessary standard: collect only the PHI a feature actually needs, and make sure each role sees only the subset it needs. We also recommend that you avoid caching PHI on the device beyond what the current session needs, keep it out of logs and crash reports, and avoid storing users’ geolocation data (other than state-level), since precise location is itself an identifier.
Remove PHI from notifications and emails
Note that PHI may be easily compromised when transferred via push notifications and emails: push payloads pass through Apple’s and Google’s servers and appear on lock screens, and email is usually stored and forwarded in the clear. The same goes for text messages and virtually any outside-the-app messaging. Send a generic “you have a new update” with an opaque reference and let the app fetch the content after the user authenticates.
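The following is an added Python example, not the page’s own code, of the two controls just described: a notification payload that carries only an opaque reference, with a check that no PHI value leaks into it, and a logging filter that redacts PHI fields on their way to log aggregators and crash reporters (the minimum necessary point above). The field names and the sample event are constructed for illustration.

```python
import json
import logging
import re

# Fields this hypothetical app treats as PHI (assumption, not from the page).
PHI_FIELDS = {"patient_name", "dob", "mrn", "diagnosis", "result"}

# Constructed sample of an internal event as the backend sees it.
SAMPLE_EVENT = {
    "event_id": "evt-0001",
    "type": "lab_result_ready",
    "patient_name": "Jane Example",
    "mrn": "000123",
    "result": "HbA1c 7.9%",
}


def contains_phi(outbound: dict, event: dict) -> bool:
    """True if any PHI value from the event appears anywhere in an outbound
    message (push, SMS, e-mail body) once serialised as JSON."""
    blob = json.dumps(outbound)
    return any(str(event[k]) in blob for k in PHI_FIELDS if k in event)


def build_push_payload(event: dict) -> dict:
    """What is allowed to travel through APNs/FCM: an opaque reference and a
    generic title. Even the event type stays out, because 'lab result ready'
    on a lock screen already discloses that care took place. The client
    resolves the reference over the authenticated API after unlock."""
    payload = {"ref": event["event_id"], "title": "You have a new update"}
    if contains_phi(payload, event):
        raise ValueError("PHI would leave the app via a notification")
    return payload


class PhiRedactingFilter(logging.Filter):
    """Last line of defence for log lines that reach aggregators and crash
    reporters: masks field=value pairs for the PHI field names. Structured
    logging with an allowlist of fields is the better primary control."""
    _pattern = re.compile(
        r"\b(" + "|".join(map(re.escape, sorted(PHI_FIELDS))) + r")=([^\s,]+)")

    def filter(self, record: logging.LogRecord) -> bool:
        # Format first so PHI passed as %s arguments is caught as well.
        record.msg = self._pattern.sub(r"\1=[REDACTED]", record.getMessage())
        record.args = ()
        return True


def redacted_log_line(msg: str, *args) -> str:
    """Push one message through a logger carrying the filter and return what
    the handler received; used to demonstrate the filter."""
    logger = logging.getLogger("phi-demo")
    logger.setLevel(logging.INFO)
    logger.propagate = False
    logger.handlers.clear()
    received = []
    handler = logging.Handler()
    handler.emit = lambda record: received.append(record.getMessage())
    handler.addFilter(PhiRedactingFilter())
    logger.addHandler(handler)
    logger.info(msg, *args)
    return received[0]
```

The substring check in contains_phi is deliberately blunt; it exists to fail a build or a unit test, not to sanitise arbitrary text, and the redacting filter will miss values that contain spaces or arrive under unexpected keys, which is why both are backstops behind a payload and log schema that never includes PHI in the first place.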
Have options for patient data backup and removal
HIPAA is also very particular about storing individually identifiable health information. All data that you absolutely have to keep needs to be backed up too, and the backups need the same encryption and access controls as the live data. But there should also be an option allowing patients to wipe their data from the app, including remote removal of PHI from a lost mobile device. Keep in mind that HIPAA itself grants patients rights of access and amendment, not erasure, and providers keep medical records for the period their state requires, so “remove” typically means the copies your app holds, not the clinic’s record.
5 Steps to Make an App HIPAA-Compliant
Now it’s time to get down to the nitty-gritty of enabling HIPAA compliance in your healthcare application. Let’s review all necessary steps, and if you feel like something is missing, never hesitate to reach out and ask. Here’s how to make a custom developed app HIPAA-compliant.
Step 1. Choose a cloud backend whose provider will sign a BAA
As you know, these days, apps don’t exist in a vacuum, and there’s always some web app they connect to. Of course, healthcare apps are not an exception, and the cloud services they connect to need to be HIPAA-compliant as well.
Fortunately, there’s plenty to choose from: every major cloud provider will sign a business associate agreement and documents which of its services are HIPAA-eligible. Some of the most reliable players that come to mind include:
- Google Cloud (including Compute Engine)
- Amazon Web Services
- Microsoft Azure
Two caveats apply. Only the services listed as HIPAA-eligible are covered by the BAA, so an unlisted managed service in the same project takes your PHI out of scope. And the BAA covers the provider’s side of the shared-responsibility line; encryption configuration, access control, logging, and your own code remain your job, so there is no backend that makes an app compliant by itself.
Step 2. Separate PHI from other app data
It’s recommended that you keep patients’ health data in a separate database (or at least a separate schema with its own credentials) from preferences, analytics, and other app data. The separation limits how much an injection bug or a leaked credential exposes, lets you apply stricter encryption, access control, and audit logging to the PHI store without slowing down the rest of the app, and keeps PHI from drifting into analytics exports. Going one step further, store identifiers (name, date of birth, medical record number) apart from clinical data and link the two with a random pseudonym, so most of the system only ever handles the pseudonym.
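An added example (not from the original article) that goes one step beyond the paragraph: it uses two SQLite databases, standing in for two separately secured stores, to keep identifiers and clinical observations apart, linked only by a random pseudonym, so analytics runs without any path to a person. Table names, roles, and sample rows are assumptions.

```python
import secrets
import sqlite3

# Roles allowed to re-identify a pseudonym (assumption, mirrors the role
# split used for PHI access elsewhere in the app).
REIDENTIFY_ROLES = {"physician", "nurse"}


def open_stores():
    """Two separate databases. In memory here; in production two instances
    with their own credentials, encryption keys, and network rules. Only the
    identity store can map a pseudonym back to a person."""
    identity = sqlite3.connect(":memory:")
    clinical = sqlite3.connect(":memory:")
    identity.execute("CREATE TABLE patient (pseudonym TEXT PRIMARY KEY, "
                     "name TEXT, dob TEXT, mrn TEXT UNIQUE)")
    clinical.execute("CREATE TABLE observation (pseudonym TEXT, code TEXT, "
                     "value REAL, taken_at TEXT)")
    return identity, clinical


def register_patient(identity, name, dob, mrn) -> str:
    """Random pseudonym, not a hash of the MRN: a hash of a low-entropy
    identifier can be reversed by brute force."""
    pseudonym = secrets.token_hex(16)
    identity.execute("INSERT INTO patient VALUES (?, ?, ?, ?)",
                     (pseudonym, name, dob, mrn))
    return pseudonym


def record_observation(clinical, pseudonym, code, value, taken_at):
    clinical.execute("INSERT INTO observation VALUES (?, ?, ?, ?)",
                     (pseudonym, code, value, taken_at))


def cohort_average(clinical, code) -> float:
    """Analytics query that runs with no credentials for the identity store."""
    (avg,) = clinical.execute(
        "SELECT AVG(value) FROM observation WHERE code = ?", (code,)).fetchone()
    return avg


def reidentify(identity, pseudonym, role):
    """The only path from pseudonym to person; role-gated and, in a real
    app, written to the audit log."""
    if role not in REIDENTIFY_ROLES:
        raise PermissionError(f"role {role!r} may not re-identify patients")
    return identity.execute(
        "SELECT name, mrn FROM patient WHERE pseudonym = ?", (pseudonym,)).fetchone()


def clinical_store_mentions(clinical, needle: str) -> bool:
    """Check: does a raw identifier appear anywhere in the clinical store?"""
    rows = clinical.execute("SELECT * FROM observation").fetchall()
    return any(needle in str(cell) for row in rows for cell in row)
```

Note the limits: observation dates and rare diagnoses can still single someone out, so the clinical store is still PHI and still needs encryption, access control, and audit logging. The split reduces what one compromised component exposes; it does not de-identify the data under HIPAA’s Safe Harbor.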
Step 3. Encrypt throughout
We already mentioned that, but you should know that encryption has to become an integral part of your health app. Data should be encrypted while at rest (locally on smartphones, using the platform keystore, and in the cloud, using the provider’s key management service) and in transit, as it travels between apps and servers. Decide where each key lives and who can use it before writing the code that calls it; a key compiled into the app binary protects nothing.
That’s also the step where you go through all the items listed in the checklist above.
Step 4. Run audit and penetration tests
It’s a good practice to hire out testing to an external company that can audit your app developers’ work by running all sorts of tests. Note that a penetration test is not a substitute for the risk analysis the Security Rule requires (45 CFR 164.308(a)(1)(ii)(A)); OCR’s first question after a breach is usually whether a documented, current risk analysis existed, and the lack of one features in many settlement announcements.
Step 5. Implement long-term strategy with logging
Finally, you’ll need to set up procedures for continuous monitoring of HIPAA issues because your app will keep evolving, and so should its security. You’ll need to track PHI access, detect security issues, regularly reevaluate the effectiveness of security measures, and assess potential risks to compromising e-PHI.
HIPAA & COVID-19
The Office for Civil Rights announced enforcement discretion during the COVID-19 pandemic for all covered healthcare providers who deliver telehealth services to patients.
OCR will not penalize a healthcare provider using non-public-facing remote communication tools (video chat applications not designed for public broadcast) to address their patients’ needs in good faith, even if those tools are not HIPAA-compliant; public-facing services such as live-streaming platforms remain off limits. Health insurance companies are not covered by the notice and need to continue complying with all HIPAA regulations.
Quick facts about HIPAA and COVID-19:
- No expiration date until a special statement is issued by OCR
- Covers Medicare, Medicaid, and all other patients
- Includes HIPAA Privacy, Security, and Breach Notification Rules
OCR Tools for HIPAA Compliance
OCR, in partnership with FTC, the HHS Office of National Coordinator for Health Information Technology (ONC), and the Food and Drug Administration (FDA), built a couple of online tools to help health app developers verify what laws and regulations may apply to their solutions.
Please check out these tools when in doubt about whether HIPAA applies to your app:
How Much Does it Cost to Build a HIPAA-Compliant App?
It’s really hard to put a price tag on app development costs, but especially so when developing a HIPAA-compliant app as all mhealth apps have different scopes, and therefore HIPAA application development budgets vary accordingly. For example, we’ve worked on HIPAA-compliant apps ranging from $19,000 to $190,000.
The industry-wide HIPAA compliance costs are close to $8.3 billion a year, with each physician spending around $35,000 per year for keeping health information technology secure.
We’ve discovered that it’s safer to err on the side of caution and implement HIPAA-related technologies even when we’re building an MVP that doesn’t use PHI. Eventually, HIPAA will become a requirement, and so it’s better when it’s built into the app’s architecture from the very beginning.
If you decide to go with an out-of-the-box HIPAA-as-a-Service option, the magic number will be around $2,000 per month. Hold on, there’s still good news! If you’re considering building a telehealth solution, that is. We’ve partnered with Agora.io to offer unprecedented 90% off pricing to cover your HIPAA compliance expenses on the telehealth front. You can learn more about this initiative here.
How Much Does HIPAA Ignorance Cost?
As an alternative, we can offer a couple of cases that demonstrate the likely expenses if you decide that it’s not worth it to make a mobile app HIPAA-compliant.
Aetna Life Insurance Company
The company agreed to a $1,000,000 settlement with OCR following three data breaches, only one of which had a digital root cause: documents containing health plan information were reachable on the web without login credentials, and search engines indexed them.
Metropolitan Community Health Services
The nonprofit health center serves over 3,000 patients a year and agreed to pay $25,000 for not complying with the HIPAA Security Rule. OCR took into consideration MCHS’s orientation towards the underserved population in rural North Carolina. Hence, the manageable (but still unpleasant) penalty.
The average OCR settlement for HIPAA violations in 2020 so far is around $940,000.
Our Experience in HIPAA-Compliant App Development
It’s probably easier to list the apps that didn’t require us to implement HIPAA because 99% of the healthcare applications we build must comply with the HIPAA rules. So it’s only when we build fitness solutions like Habitap or Walker Tracker that we don’t need to focus on HIPAA, simply because these apps handle no PHI: calories burned, steps taken, or distance covered that a user tracks for herself are not created or maintained on behalf of a covered entity.
Some examples of HIPAA-compliant platforms we built include Medable and Smarter Symptom. Check out our portfolio for more of our work. Reach out whether you have questions about HIPAA-compliant video conferencing SDKs, how long it will take to build your app, or if you’re looking for strategy, design and development support.
Frequently Asked Questions
Does a mental health application need to comply with HIPAA?
If it creates, receives, maintains, or transmits PHI on behalf of a covered entity (a therapist’s practice, a health plan) or business associate, yes. In addition, psychotherapy notes get extra protection: a patient’s written authorization is required before they can be shared.
Is HIPAA required only for telemedicine apps?
For all telemedicine and other healthcare software that handle PHI on behalf of covered entities or business associates.
What is the best tactic for speeding up HIPAA-compliant application development without sacrificing its HIPAA compliance?
Use one of the available HIPAA-as-a-Service solutions from well-known vendors like Google, AWS, or Microsoft.
Can I create a HIPAA-compliant app using only off-the-shelf solutions with minimal custom coding?
Yes. Reach out to ask what tools we can recommend.