Joe Tuan
Joe Tuan
Founder, Topflight Apps
October 12, 2019

Almost every healthcare application requires users to enter personally identifiable data.  Surveys, activity trackers, biometric scanners, electronic medical records, and face-to-face consults usually require the disclosure of Protected Health Information (PHI). 

Personal healthcare data is central to the functionality of your mobile health app. You need to keep this in mind even before you set out to design your app. There are several important things you need to consider and put in place before you can securely collect, store and manage PHI.

How can your mobile app collect healthcare data without turning patients away?

fitness devices and apps

In this blog, we’ll discuss some of the scenarios you may encounter as you plan to take advantage of personal healthcare data in order to provide valuable services to your users. Although we haven’t exhausted all possible scenarios due to the varying nature of mobile health app ideas, we tackle the most common issues which apply to all of them. 

Please understand that because each app is different, you cannot use our blog as professional legal advice. This is just a guide to get you started. For detailed and specific legal advice for your app, please consult your attorney. You’ll make your and your attorney’s work a lot easier by mastering what is discussed in this blog.

Privacy & Security Concerns

Prior to Edward Snowden’s explosive reveal, there was a less accented emphasis on data security and identity theft. The security consciousness of the pre-2013 digital world was nowhere near the levels of today. People were oblivious to the value of their personally identifiable information, and hacking was considered an exclusive burden of big corporations with money and interests to protect. This couldn’t have been further from reality. 

Fortunately, people are no longer ignorant. Thanks to the many hair raising revelations and even catastrophic losses incurred by corporations and individuals from hacks such as those reported in the HIPAA Journal in 2018, people are now smarter about how they store and share personally identifiable information. 

secured custom health apps

This has prompted governments across the planet to put in place measures to protect their citizens from such attacks. The web knows no border, and a global response has been mounted, though slow, to counter the hackers. GDPR and other data privacy laws are just some of the many safety mechanisms that have been introduced to protect people from being victimized.

Your app has to provide so much value that users will voluntarily submit their healthcare data to you. Apart from being able to prove that you will deliver the promised value, you must earn their trust that you’ll use their data as you say you will and won’t share it with any third parties without explicit consent.

Healthcare apps handle very sensitive information which when placed in the wrong hands can have serious consequences for the owner. Healthcare data is essential to many aspects of an individual’s lifetime economic value. It’s used to determine insurance policy coverage, loan & mortgage approvals, job hiring decisions and so much more. This is serious stuff.

Protecting your users’ healthcare data

The first priority you should have as you plan to collect, store and use Protected Health Information (PHI) is to secure it from unauthorized access and maintain absolute confidentiality. It’s easy to achieve this on a traditional setup. Because healthcare networks are usually intranets, they are siloed and can be locked down to curtail access. Achieving the same thing on mobile devices that operate on several different open networks in multiple locations is a lot more complicated than that.

In our age of interconnectivity, it takes a lot of planning to design and build a ‘hack-proof’ system. It’s difficult but it can be done. The biggest challenge is that although the system can be encrypted from end to end, there are still several threats that can cause the loop to break – the physical device itself and rapid changes in security technology that make protection measures obsolete. So being ‘hack-proof’ is short-lived if there is no plan to consistently monitor and proactively upgrade your app and infrastructure.

healthcare network

healthcare app infrastructure This diagram shows how an app is accessed from multiple endpoints. Each interconnection node is a potential threat for intruders.[/caption]

Related: The Ultimate Guide to Building The Best mHealth Apps in 2019

Threats to your data security

As we mentioned earlier, traditional healthcare systems are siloed with firewalls and network access controls. Whenever a threat is suspected, the whole network can be placed on lockdown to identify and expel any intruders. A mHealth app can, theoretically, provide similar levels of security but there are some dynamic twists to it. Patients and care providers accessing your app are doing so on a network you don’t own or control and with devices that are outside a clinical context. This introduces several threats to your data integrity.

1. Authentication

healthcare app securityYour app must be able to securely authenticate the user and verify that the person entering or accessing the data is the right one. This would require you to examine hardware options to reinforce software-based authentication measures. Today, most devices have fingerprint readers and facial recognition technology. You can leverage these technologies to provide better authentication to your users in addition to 2-Factor Authentication and SSO.

Failure to verify that data collected is truly coming from the correct patient can lead to misdiagnosis and mismanagement, which in turn may lead to injury or death. It can also create puzzling financial problems for both care providers and patients when the wrong treatment and medication bills resulting from erroneous data are contested.

And in the case of remote clinical trial or research study, skewed data could put millions and possibly billions of dollars at risk. The findings used to reach therapeutic deductions would be based on the wrong information. The consequences would be harsh and difficult for all parties – patients, researchers, and the owner of the app.

2. Theft of or damage to the smartphone or tablet

mobile theft

Your mHealth app sits on a smartphone or tablet that is prone to be stolen or corrupted by a virus or other malicious software. This is why push notifications and text messages should never contain Protected Health Information. If ever the device is stolen or hacked, you should have a way to restrict access to the PHI via the app. This ties in closely with the authentication point in number 1.

In the case of physical access to the device, facial recognition, two-factor authentication, and fingerprint readers can help to deny any unauthorized access to the device. Also, one interesting authentication method being researched is bioimpedance. It uses a person’s unique electromagnetic signature to identify that the device is being held by the right person. It’s in rudimentary stage so we are yet to see the mass-scale application of this technology for device authentication.

device authentication A bioimpedance device from

If the device is corrupted by a virus, you must have secure layers built in the code of your app to deny any externally generated requests to access the data. Perhaps even a second layer of authentication can be inserted on top of the initial authentication required to turn on or open the phone or tablet.

This is something that needs to be covered in-depth during your development design process. Healthcare app developers need to fully understand the risks you will be facing in order to ensure your app is impregnable.

3. Data ownership and portability

Data ownership and portabilityWhere does the data get stored? Who has access to it? Those are very important questions. People don’t want their information landing in the wrong hands. Governments have a habit of wanting to have access to every piece of data. You need to make sure that doesn’t happen. 

This may require careful reading of the laws in your state, as well as understanding the federal regulations by the FTC and FDA on how this data can be stored and managed. As health information technology is advancing faster than our laws can adapt to the terrain, a lot of the legal framework for managing electronic health records is based on old laws. Your users just want to know the bottom line, and that is that their data is safe and nobody else is snooping on them, especially the government. 

Let’s assume your app is designed to help patients overcome drug addiction. If logs containing your users’ recreational drug use records somehow land in the hands of law enforcement authorities, someone would land in jail. And they will blame you.

The FDA released final guidance on mHealth apps with full consideration of the limitations of the current legal framework plus the fast-paced advancement of the mobile health technology sector. Although their recommendations are non-binding, that could change anytime. It pays to read and follow them as they will form the basis of any future regulation of the sector.

Be HIPAA compliant and secure all other industry certifications required to gain the trust of your users.

4. Marketers

app development brandingMarketing tools rely on troves of personal data in order to send appropriate promotions to audiences. It is not uncommon for some unscrupulous marketers to make you an irresistible offer to share some parts of your users’ data. Don’t fall for it. Money has the unique ability to alter priorities. Be sure you stick to your ethics. You could be the biggest risk to your users. Fortunately, this is something you can control. Be sure you understand why you are building your mHealth app and that you have your users’ best interests in mind.

Getting Users To Trust Your App

Let’s turn to your app. Your user stories, the graphical interface design and even how your app works can all affect how your users perceive it. These things can influence users to trust your app or push them away from using it. So get this right the first time. Regaining their trust after blowing it the first time is not easy. User loyalty is a prize you should aim to win at all costs. Go for a long-range approach. 

User Experience Design

UX architectureA User Experience design (UX) is a schematic plot of how you want your users to enter your app and interact with it. It has no fancy images and aesthetics commonly associated with designing an app. This is where you will describe the psychology of your app. The logic of your buttons and what actions follow which steps and the like. 

So what is it about a UX design that can scare users from entering the health data in your app? Complicated steps to perform actions. Simplicity is everything. 

Let me give you an example. 

Do you remember when the iPhone was first launched? All other mobile phones had extensive keyboards. In fact, the Blackberry was rocking the business world with its miniature full-size keyboard. To be honest, they looked more like pocket computers than mobile phones. Now, if your fingers are as big as mine,

mobile phonestyping a message on one of those small keyboards is a pain. That would have made you a perfect candidate for the iPhone. You’d have begged for one out of necessity! So, simplicity. Remember that.

Here are two examples of UX designs for the same task. The one on the right is a simplified version of the task on the left. Which one would you find easier to complete?

good and bad UX The positioning of the buttons in the design on the left can easily confuse users. In the design on the right, users are guided to perform one action at a time in a logical sequence.[/caption]

Apart from simplifying and reducing the number of steps required to perform an action, you need to consider who your users are. Different people think differently. People in a certain age bracket have peculiarities that bind them. Those abstract things need to be taken into consideration as you create your UX design.

User Interface Design

Have you ever tried filling up a long survey? Imagine a 15-question survey page with small font size and minimal line spacing. Sickening isn’t it? That would have been designed by an inexperienced User Interface (UI) designer. Colors, visual cues, button sizes and all other visual assets used to make your app must be designed to match the audience and purpose.

Below is a bad example of UI design. 

Below is an example of a good UI design. 

If a user was asked a question that requires a yes or no answer, there are very high chances a lot of people would select the wrong answer just because green is naturally associated with YES and red with NO. We cover more on UI design in this 7-Step Ultimate Guide to App Design.

Another example is an app we designed called Healthy Brains. We created this app to look and feel like a game because if it was a long questionnaire, very few users would be motivated to complete it. 

Great UI design keeps the users in mind. Are you targeting a youthful audience? What is the mental mood you want to set when people use your app? All these and more can be influenced by your UI design. The UI design is closely knit with the UX design and there is a lot of collaboration in these two stages in order to produce the best product.

Below are examples of great UI design:

Technical Considerations

Your app speed, how much network bandwidth it requires to function and even battery power consumption are all indirect determinants of user compliance. If your app uses a lot of processor power and memory and hangs the device every time it opens, you are definitely going to see a drop in daily app usage rates. Your users need your app to simplify their lives, not complicate things. A mobile health app developer who understands these constraints will be able to write code that is optimized for your users’ devices.

Aftermarket Customer Care

app customer care

You need a customer management plan. When users contact you, they need to hear from you within 1 day and not more. Being able to talk to the people behind an app when they have concerns helps users feel at ease. If you are unreachable, it may appear to them that they are sending their data into a black hole that could potentially be a scam for harvesting personal data. You can get sued. 

I remember an e-commerce store owner who got sued by his customers after he didn’t respond to their public Facebook complaints concerning delayed shipping on their orders. It was such a costly yet preventable mistake. The users got together right on his Facebook page and organized a class suit in the comment section of his post. Sure enough, he got the subpoena in the mail. He could have avoided all this if only he had paid attention to his clients’ messages and responded within a reasonable timeframe.

If a user reports a mobile health app for potential fraud, it can trigger a serious investigation and you could be out of business for some time while you try to clear your name. So be reachable at all times.

Whether you use phone or chat support is entirely up to you and will depend on the unique nature of the audience that you are servicing.


It’s not enough to build a good mobile health app. The moral responsibilities that come with it are far-reaching and you must prepare yourself for the challenge. People will always express hesitation when trying out something new, but once you gain their trust, it becomes very easy to introduce them to future products under your brand. 

Are you planning to build a mHealth app? We can help you. The uniqueness of the industry requires a developer who has both experience and in-depth knowledge to help you succeed. We’ve built and launched many mobile health apps. Will yours be next?

Related Articles:

Joe Tuan

Founder, Topflight Apps
Founder of Topflight Apps. We built apps that raised $165M+ till date. On a mission to fast-forward human progress by decentralizing healthcare and fintech.
Learn how to build winning apps.

Privacy Policy: We hate spam and promise to keep your email address safe

Copy link