As of November 2020, healthcare organizations have already anted up over $13 million in penalties for violating the HIPAA regulations. I bet they would readily invest this money in protecting their patients’ data and enhancing their products.
If you are with me on this, let’s talk about everything you need to know about developing a HIPAA-compliant app. I suggest we err on the side of caution and make sure you follow HIPAA best practices from the get-go to avoid surprises during your medical app launch.
Table of Contents
- What is HIPAA and Why is It Important?
- What Does HIPAA Compliance Mean for Healthcare App Developers?
- Health App Use Scenarios & HIPAA
- HIPAA Checklist for mHealth App Developers
- 5 Steps to Make an App HIPAA-Compliant
- HIPAA & COVID-19
- OCR Tools for HIPAA Compliance
- How Much Does it Cost to Build a HIPAA-Compliant App?
- How Much Does HIPAA Ignorance Cost?
- Our Experience in HIPAA-Compliant App Development
What is HIPAA and Why is It Important?
Let’s recap what HIPAA is, why you need it, when you need it, and what terminology you may need to impress your boss when discussing HIPAA compliance.
HIPAA — Health Insurance Portability and Accountability Act — is a set of rules (a public law, really) introduced in 1996 and last updated in 2013. Can you believe that? Yes, the main law governing your healthcare app’s security requirements hasn’t changed for over 7 years.
The good news is you won’t have to read 100-something pages of legislation trying to find technical parameters for privacy and security in healthcare applications.
The HIPAA act consists of:
- Privacy Rule
- Security Rule
- Enforcement Rule
- Omnibus Rule, and
- Breach Notification Rule
I won’t bother you to death with what each rule implies, but together they describe what a health app needs to have to be considered secure. Plus, the rules set forth procedures that covered entities need to adopt for keeping patient data safe.
OCR — Office for Civil Rights in the U.S. Department of Health and Human Services (HHS) — are the people who come knocking on your door if they get a complaint about HIPAA issues with your app. They also have plenty of reference material on HIPAA if you feel like it’s wiki-time.
Phraseology to discuss HIPAA with CEOs
As soon as you ask, “Does every health app need to be HIPAA-compliant?” you’ll find yourself juggling these few terms you need to know to discuss HIPAA app development seriously.
PHI — protected health information — comes as part of the answer to your question in that HIPAA is applicable whenever a health app handles individually identifiable health information:
- the patient’s physical or mental health or condition
- the fact of the provision of healthcare to an individual
- the payment details for the provision of healthcare to an individual
Covered entities are clinics, private practices, individual providers, healthcare plans, clearinghouses, and insurers, all of whom need to comply with the HIPAA requirements.
Business Associate is a person or organization that deals with individually identifiable health information on behalf of a covered entity. In our context, it may be a healthcare app developer or a cloud service provider who processes your patients’ data. They need to sign a business associate agreement before working with medical data.
What Does HIPAA Compliance Mean for Healthcare App Developers?
The HIPAA regulations broadly describe three types of data security safeguards: technical, physical, and administrative.
As a healthcare app developer, our team most often deals with technical data safeguards. However, you, as a covered entity or business associate, also need to take into account physical and administrative data safeguards when developing a HIPAA-compliant app. Let’s quickly scan through each, shall we?
Technical data safeguards
Technical data safeguards include things like encryption, secure connections and protocols, and all other technology-related security best practices applicable to health apps.
Physical data safeguards
What’s usually implied here is limiting physical access to servers and other equipment that may contain PHI or enable patient data sharing. Besides, you need to have a firewall and antivirus software deployed to round out these safeguards.
Administrative data safeguards
Finally, administrative data safeguards cover personnel training and management, maintenance of privacy policies and procedures, privacy practices notices, etc.
Qualified app developers will help you with the physical and technical safeguards, and the administrative safeguards will mostly depend on you.
Health App Use Scenarios & HIPAA
You might be still wondering about two aspects of HIPAA:
- Does HIPAA apply to health data that patients add and manage in mhealth apps on their own?
- Is there a case when an app developer doesn’t need to comply with the HIPAA rules?
Here are a few scenarios that will help you answer these questions and adjust your HIPAA mobile app development process.
A user downloads the app from the App Store and populates it with her glucose data from a personal glucometer.
HIPAA compliance: not required as no PHI is created, received, maintained, or transmitted on behalf of a covered entity or business associate.
A patient exports the details of his disease from his clinic’s EHR and imports this data into an m-health app to manage it there.
HIPAA compliance: not required because no covered entity is involved in this mobile development case.
Following her doctor’s advice, a patient downloads an app from the App Store to manage her weight and calorie intake and send reports from the app to her doctor.
HIPAA compliance: not required because no electronic protected health information is transmitted.
A patient gets an app to manage his chronic condition from the App Store. He then sets up the app to share his health data with his clinic’s EHR (the app does not belong to the clinic but has an interoperability arrangement to securely share patient data with it).
HIPAA compliance: not required as the app does not handle PHI data on behalf of a covered entity or business associate.
A patient downloads a clinic’s remote patient monitoring app from the App Store. All health data that the patient enters automatically syncs with the clinic’s EHR system.
HIPAA compliance: required.
A patient gets her health plan’s app from the App Store to manage her claims and health plan records.
HIPAA compliance: required.
As you can see, the key to understanding HIPAA compliance requirements is to double-check whether:
- your app developer creates, receives, maintains, or transmits PHI on your behalf
- your patients work with a random health app or specifically with your application
- your patients have full control over sending their health data outside the app
HIPAA Checklist for mHealth App Developers
What’s interesting about the Health Insurance Portability and Accountability Act is that on its 114 pages, you won’t find a list of best practices or recommendations for using, e.g., specific methods of encrypting patient health data. Still, HIPAA for app developers should obviously bear a lot of implications.
Like I mentioned, the law has been sitting without changes since 2013. How do you think it manages to stay relevant for so long? That’s right, by being as general as possible. Here’s a good example:
That’s all they say about that in HIPAA. Does it make your life easier and explain how to make a HIPAA-compliant app? I bet it raises a lot of questions, like, “What do we regard as an emergency?”, “What emergency access procedures should we set up?”, “Do I need to allow some kind of backdoor to the app for authorized personnel?”, “How is it different from authorized users accessing patient information during non-emergencies?”.
To give you some practical advice, let’s summarize the most action-packed directions from HIPAA that you should apply during the health app development process:
Limit information access in the app
The first security rule of thumb is to check who can access PHI. Make sure that only authorized users (and third-party HIPAA-compliant software) can access the app’s data, using controls such as:
- Bio authentication
- 2-factor authentication
- Automatic log-off when the user is inactive
It also helps to have distinct user roles with specific access rights to different app features. For instance, not everybody on the provider’s side might need access to consumer health information all the time.
Encrypt all patient data
Again, HIPAA doesn’t recommend any particular encryption and decryption standards, but we prefer to use open-source, well-recommended AES 256-bit encryption, OpenPGP, and S/MIME.
To remain compliant with HIPAA, all PHI-related data must be encrypted at rest and in transit. Encrypting data in transit protects it while it travels between the app and the server, so intercepted traffic does not expose PHI.
Implement an audit mechanism
You should be able to track down who exactly is using the app and what actions these users are taking. In essence, such audit controls call for unique user identification.
Ensure data integrity
PHI should be unavailable for unauthorized changes. Blockchain technology is really priceless when it comes to preserving patients’ data integrity. Consider moving EHR (electronic health records) to a blockchain to develop a HIPAA-compliant app that’s incredibly resistant to hacks.
Transfer PHI using secure connections and protocols
To make patient data resistant to breaches, apart from merely encrypting it at rest, you also need to send it over a secure HTTPS connection, i.e., SSL/TLS. If anything, just check that your app developers will use these technologies when building a HIPAA-compliant mobile app.
Limit the amount of data to the necessary minimum
Ensure that you are only gathering the information that will impact your app’s performance and make it more useful for your patients. We also recommend that you avoid caching PHI and storing users’ geolocation data (other than state-level).
Remove PHI from notifications and emails
Note that PHI may be easily compromised when transferred via push notifications and emails on mobile devices. The same goes for text messages and virtually any outside-the-app messaging.
Have options for patient data backup and removal
HIPAA is also very particular about storing individually identifiable health information. If you store data in the cloud (e.g., Google Cloud or AWS), you absolutely have to back it up.
At the same time, to create a HIPAA-compliant app adhering to all standards, you should allow patients to wipe their personal information entirely from the system, including remote removal of PHI data (e.g., health plans) from a lost mobile device.
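To make the access-control, audit, and data-separation items in this checklist concrete, here is an added example (not code from the original post or its authors): a minimal PHI access gate in Python that enforces role-based, minimum-necessary reads, records every attempt in an audit trail keyed by unique user ID, and refuses idle sessions. The role model, field lists, 15-minute idle limit and the sample record are assumptions.

```python
# Added example (not from the post): roles, fields, timeout and sample record are assumptions.
import time
from dataclasses import dataclass, field

IDLE_TIMEOUT_S = 15 * 60  # assumed inactivity limit before automatic log-off

# Minimum necessary: which PHI fields each role may read (assumed role model).
ROLE_FIELDS = {
    "physician": {"name", "diagnosis", "medications"},
    "billing": {"name", "insurance_id"},
    "scheduler": {"name"},
}


@dataclass
class Session:
    user_id: str          # unique user identification, needed for the audit trail
    role: str
    last_activity: float  # unix seconds of the last authorized action


@dataclass
class PhiGate:
    # PHI lives in its own store, kept separate from non-PHI app data.
    phi_records: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def _audit(self, user_id, action, record_id, outcome):
        self.audit_log.append({"ts": time.time(), "user": user_id, "action": action,
                               "record": record_id, "outcome": outcome})

    def read(self, session, record_id, now=None):
        """Return only the fields the caller's role may see; log every attempt."""
        now = time.time() if now is None else now
        # Automatic log-off: an idle session is refused rather than silently renewed.
        if now - session.last_activity > IDLE_TIMEOUT_S:
            self._audit(session.user_id, "read", record_id, "denied:idle")
            raise PermissionError("session expired, sign in again")
        session.last_activity = now
        allowed = ROLE_FIELDS.get(session.role, set())
        record = self.phi_records.get(record_id)
        if not allowed or record is None:
            self._audit(session.user_id, "read", record_id, "denied")
            raise PermissionError("not authorized for this record")
        self._audit(session.user_id, "read", record_id, "ok")
        return {k: v for k, v in record.items() if k in allowed}


def sample_gate():
    """Constructed sample record for the demonstration (not real patient data)."""
    gate = PhiGate()
    gate.phi_records["rec-1"] = {"name": "J. Doe", "diagnosis": "type 2 diabetes",
                                 "medications": ["metformin"], "insurance_id": "INS-0001"}
    return gate
```

A billing session reading `rec-1` gets back only the name and insurance ID, while the same request from an expired session is refused and still leaves an audit entry.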
5 Steps to Make an App HIPAA-Compliant
Now it’s time to get down to the nitty-gritty of enabling HIPAA compliance in your healthcare application whether you’re building a chatbot or a doctor’s appointment app. Let’s review all necessary steps, and if you feel like something is missing, never hesitate to reach out and ask. Here’s how to make a custom developed app HIPAA-compliant.
Step 1. Choose and implement HIPAA-as-a-service backend
As you know, these days, apps don’t exist in a vacuum, and there’s always some web app they connect to. Of course, healthcare apps are not an exception, and cloud services they connect to need to be HIPAA-compliant as well.
Fortunately, there’s plenty to choose from: Every major cloud provider offers a backend that includes HIPAA compliance out-of-the-box. Some of the most reliable players that come to mind include:
- Google Compute Engine
Step 2. Separate PHI from other app data
It’s recommended that you keep all patients’ health data in a separate database when building a HIPAA-compliant application. That way, you won’t have to constantly encrypt and decrypt every byte of the app, which may sometimes slow down its performance.
Step 3. Encrypt throughout
We already mentioned that, but you should know that encryption has to become an integral part of your health app. Data should be encrypted while at rest (locally on smartphones and in the cloud) and in transit, as it travels between apps and servers.
That’s also the step where you go through all the items listed in the checklist above.
Step 4. Run audit and penetration tests
It’s a good practice to hire out testing to an external company that can audit your app developers’ work by running all sorts of tests.
Step 5. Implement long-term strategy with logging
Finally, you’ll need to set up procedures for continuous monitoring of HIPAA issues because your app will keep evolving, and so should its security. You’ll need to track PHI access, detect security issues, regularly reevaluate the effectiveness of security measures, and assess potential risks of compromising e-PHI.
Overall, these 5 steps cover how you make an app HIPAA compliant.
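For Step 5, here is an added example (not from the original post): a small monitoring pass in Python over constructed audit-log lines of the kind an app’s PHI access layer would emit. It flags repeated denials by one account, one account sweeping through many records, and successful reads outside business hours. The log format, user and record IDs, and thresholds are assumptions.

```python
# Added example (not from the post): continuous monitoring over PHI audit lines.
# Log format, user IDs, record IDs and thresholds are assumptions for illustration.
import json
from collections import defaultdict

MAX_DENIALS = 3            # repeated "denied" outcomes by one user -> alert
MAX_DISTINCT_RECORDS = 20  # distinct records read by one user -> alert
BUSINESS_HOURS = range(7, 20)  # successful reads outside 07:00-19:59 UTC -> alert

# Constructed sample audit lines (one JSON object per line), not real data.
SAMPLE_LOG = "\n".join([
    '{"ts": "2020-11-04T09:01:00Z", "user": "u-doc-3", "record": "rec-1", "outcome": "ok"}',
    '{"ts": "2020-11-04T09:02:00Z", "user": "u-doc-3", "record": "rec-2", "outcome": "ok"}',
    '{"ts": "2020-11-04T02:15:00Z", "user": "u-sched-9", "record": "rec-1", "outcome": "ok"}',
    '{"ts": "2020-11-04T09:10:00Z", "user": "u-x", "record": "rec-1", "outcome": "denied"}',
    '{"ts": "2020-11-04T09:10:05Z", "user": "u-x", "record": "rec-2", "outcome": "denied"}',
    '{"ts": "2020-11-04T09:10:09Z", "user": "u-x", "record": "rec-3", "outcome": "denied"}',
] + [  # one billing user sweeping through many records within a few minutes
    json.dumps({"ts": f"2020-11-04T14:{i:02d}:00Z", "user": "u-bill-2",
                "record": f"rec-{i}", "outcome": "ok"}) for i in range(25)
])


def parse_audit(text):
    """Parse JSON-lines audit output, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_alerts(events):
    """Return (rule, user, detail) tuples for the three checks described above."""
    denials = defaultdict(int)
    records = defaultdict(set)
    alerts = []
    for e in events:
        hour = int(e["ts"][11:13])  # ISO-8601 timestamp in UTC
        if e["outcome"] != "ok":
            denials[e["user"]] += 1
            continue
        records[e["user"]].add(e["record"])
        if hour not in BUSINESS_HOURS:
            alerts.append(("off_hours_access", e["user"], e["ts"]))
    for user, n in denials.items():
        if n >= MAX_DENIALS:
            alerts.append(("repeated_denials", user, n))
    for user, recs in records.items():
        if len(recs) > MAX_DISTINCT_RECORDS:
            alerts.append(("bulk_access", user, len(recs)))
    return alerts


def sample_alerts():
    """Run the checks over the constructed log."""
    return find_alerts(parse_audit(SAMPLE_LOG))
```

In a real deployment the same checks would run over the audit stream on a schedule, and each alert would feed the incident-response procedure the step above calls for.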
HIPAA & COVID-19
The Office for Civil Rights has relaxed the HIPAA requirements during the COVID-19 pandemic for all covered healthcare providers who are providing telehealth services to patients. This certainly simplifies HIPAA-compliant mobile app development to an extent.
The organization will not penalize a healthcare provider using non-HIPAA-compliant telemedicine tools for addressing their patients’ needs in good faith. However, health insurance companies are not covered and need to continue complying with all HIPAA regulations while providing insurance coverage.
Quick facts about HIPAA and COVID-19:
- No expiration date until a special statement is issued by OCR
- Covers Medicare, Medicaid, and all other patients
- Includes HIPAA Privacy, Security, and Breach Notification Rules
OCR Tools for HIPAA Compliance
OCR, in partnership with FTC, the HHS Office of National Coordinator for Health Information Technology (ONC), and the Food and Drug Administration (FDA), built a couple of online tools to help health app developers verify what laws and regulations may apply to their solutions.
Please check out these tools when in doubt about HIPAA application:
How Much Does it Cost to Build a HIPAA-Compliant App?
It’s really hard to put a price tag on app development costs, but especially so when developing a HIPAA-compliant app as all mhealth apps have different scopes, and therefore HIPAA application development budgets vary accordingly. For example, we’ve worked on HIPAA-compliant apps ranging from $19,000 to $190,000.
The healthcare industry-wide HIPAA compliance costs are close to $8.3 billion a year, with each physician spending around $35,000 per year for keeping health information technology secure.
We’ve discovered that it’s safer to err on the side of caution and implement HIPAA-related technologies even when we’re building an MVP that doesn’t use PHI. Eventually, HIPAA will become a requirement, and so it’s better when it’s built into the app’s architecture from the very beginning.
If you decide to go with an out-of-the-box HIPAA-as-a-Service option, the magic number will be around $2,000 per month. Hold on, there’s still good news! If you’re considering building a telehealth solution, that is. We’ve partnered with Agora.io to offer unprecedented 90% off pricing to cover your HIPAA compliance expenses on the telehealth front. You can learn more about this initiative here.
How Much Does HIPAA Ignorance Cost?
If you build a HIPAA-compliant app while ignoring some of the regulatory requirements, that may turn out to be a major blow to your budget. As examples, we can discuss a couple of cases that demonstrate the likely expenses if you decide that it’s not worth it to make a mobile app HIPAA-compliant.
Aetna Life Insurance Company
The company had to settle for a $1,000,000 fine with OCR, following 3 data breaches, only one of which had to do with digital malpractice: they let Google and other search engines index health plan-related documents.
Metropolitan Community Health Services
The nonprofit health center serves over 3,000 patients a year and has agreed to pay $20,000 for not complying with the HIPAA Security Rule. OCR took into consideration MCHS’s orientation towards the underserved population in rural North Carolina. Hence, the manageable (but still unpleasant) penalty.
The average fine for breaking HIPAA compliance rules and regulations for mobile app development in 2020 so far is around $940,000.
Our Experience in HIPAA-Compliant App Development
It’s probably easier to list the apps that didn’t require us to implement HIPAA because, for the 99% of healthcare applications we build, web and mobile app development and HIPAA compliance go side by side. Therefore, complying with the HIPAA rules is part of our daily routine.
So it’s only when we build fitness solutions like the mobile applications Habitap or Walker Tracker that we don’t need to focus on HIPAA — simply because these apps need no health data to operate. Things like calories burned, steps taken, or distance covered do not comprise health data.
Some examples of HIPAA-compliant platforms we built include Medable and Smarter Symptom. Check out our portfolio for more of our work. Reach out whether you have questions about HIPAA-compliant video conferencing SDKs, how long it will take to build your app, or if you’re looking for help with strategy, design, and HIPAA-compliant app development.
Whether you’re a healthcare provider, business associate, or belong to covered entities, we’ll be happy to assist.
[This blog was originally published on 11/4/2020, and has been updated for more recent data]
Frequently Asked Questions
Does a mental health application need to comply with HIPAA?
Yes. In addition, a patient’s written consent is required in case psychotherapy notes need to be shared.
Is HIPAA required only for telemedicine apps?
No. HIPAA applies to all telemedicine and other healthcare software that handles PHI on behalf of covered entities or business associates.
What is the best tactic for speeding up HIPAA-compliant application development without sacrificing its HIPAA compliance?
Use one of the available HIPAA-as-a-Service solutions from well-known vendors like Google, AWS, or Microsoft. That will noticeably boost the HIPAA-compliant application development process.
Can I create a HIPAA-compliant app using only off-the-shelf solutions with minimal custom coding?
Yes. Reach out to ask what tools we can recommend.