7 important steps to make sure your healthcare apps are HIPAA compliant

HIPAA stands for the Health Insurance Portability and Accountability Act and is well known across every area of the healthcare sector. It was originally put into place in 1996 and was greatly expanded and explained in 2013 by the Final Omnibus Rule Update. While only covered entities, such as doctors and insurers, once needed to be compliant, now anyone or anything that stores, records or passes protected information must comply. 

If you are involved in using apps to disseminate PHI, or Protected Health Information, you must learn what is required for HIPAA compliant apps. To do so, you must follow the four basic HIPAA rules.

  • 1. HIPAA Privacy Rule
    This primary HIPAA rule delineates when PHI can be used or shared.
  • 2. Security Rule
    The security rule determines how electronic health information is protected. This rule is very technical and specifies best practices.
  • 3. Enforcement Rule
    This rule describes how the HIPAA law is enforced and when corrective actions will be taken.
  • 4. Breach Notification Rule
    This rule determines when a covered entity must notify certain individuals and organizations of PHI breaches.

If you do not follow each of these rules, and in particular the security rule, which will most affect what you do as you use an app, you risk hefty fines. For example, in 2010, Cignet Health was fined $4.3 million for breaking the privacy rule. More recently, Memorial Healthcare Systems was fined $5.5 million for not auditing its systems correctly.

Depending on the violation type, such as not knowing of the violation or willful neglect, fines can run from $100 to $50,000 for a single incident.

How to ensure your healthcare app is HIPAA compliant?

To be on the safe side, work through the following seven steps, which outline a process for checking your healthcare app:

  • 1. Double check if you really need HIPAA compliance

    PHI is defined as any information that could be used to identify a person that was determined during the course of a health care treatment. While this obviously includes names, birth dates and diagnoses, it could also include medical billing information, lab test results, email and phone records and personal health appointment scheduling information.

    You will only need to use a HIPAA compliant app if the app will store, record or disseminate PHI. Additionally, if the PHI is going to be accessed by a business associate, such as a data storage vendor, you and the business associate must be compliant. However, if your app will collect information, such as calories burned or blood glucose readings, but does not share them with another covered entity, such as a clinic or insurer, you will not need to worry about HIPAA compliance.


  • 2. If you do, review the security rule

    The HIPAA security rule may only be several pages long, but it is quite technical, and you may need another company or source to help you thoroughly understand each part of the rule. In general, the security rule comes with the following three safeguards for PHI:

    • Administrative safeguards
      The administrative safeguards ensure that you have the right paperwork, forms and training as you build and maintain your app. This safeguard includes such tasks as creating a privacy officer, undergoing annual risk assessments, completing employee training on HIPAA and setting up agreements with anyone who works with the PHI.
    • Technical safeguards
      The technical safeguards have to do with how your app handles PHI. Some of these items are required and others are optional but wise to have in place.

      The first part of the technical safeguards is the access control requirements, which have to do with how users log on, authenticate themselves and log off.

      The second part works with transmission security, which ensures that PHI remains safe and unaltered when transmitted.

      The third part is auditing, which includes rules as to when and how the system must be examined to determine that it is working as it should.

    • Physical safeguards
      The physical safeguards are usually more of a concern for hosting companies than for the app developers themselves. They include rules for facility access controls, device and media controls and workstation security.
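The three parts of the technical safeguards described above (access control with automatic logoff, transmission integrity, and auditing) can be shown together in a small piece of code. This is an added example, not code from the article; the 15-minute idle timeout, the HMAC-SHA256 integrity tag and the in-memory audit list are my own assumptions, since HIPAA specifies the safeguard, not the implementation.

```python
"""Added example: three technical safeguards in miniature.

Assumptions (mine, not the rule's text): a 15-minute idle timeout, an
HMAC-SHA256 tag for transmission integrity, an in-memory audit log, and
opaque record ids such as "rec-001" (constructed sample values).
"""
import hashlib
import hmac
import json
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

IDLE_TIMEOUT_SECONDS = 15 * 60  # assumed policy value; HIPAA does not fix a number


@dataclass
class Session:
    user_id: str
    last_activity: float


class AccessController:
    """Access control: log on, auto log off when idle, and audit every attempt.

    Authentication itself (password, MFA) is assumed to happen before log_on().
    """

    def __init__(self, now: Callable[[], float] = time.time):
        self._now = now  # injectable clock so the timeout is testable
        self._sessions: Dict[str, Session] = {}
        self.audit: List[dict] = []

    def log_on(self, token: str, user_id: str) -> None:
        self._sessions[token] = Session(user_id, self._now())
        self._record("LOGON", user_id, "-")

    def log_off(self, token: str, reason: str = "user") -> None:
        session = self._sessions.pop(token, None)
        if session is not None:
            self._record("LOGOFF", session.user_id, reason)

    def access_phi(self, token: str, record_id: str) -> bool:
        """Return True if the access is allowed; denied attempts are audited too."""
        session = self._sessions.get(token)
        if session is None:
            self._record("DENIED", "unknown", record_id)
            return False
        if self._now() - session.last_activity > IDLE_TIMEOUT_SECONDS:
            # Automatic logoff: the idle session is closed before the request is refused.
            self.log_off(token, reason="idle-timeout")
            self._record("DENIED", session.user_id, record_id)
            return False
        session.last_activity = self._now()
        self._record("READ", session.user_id, record_id)
        return True

    def _record(self, action: str, user_id: str, record_id: str) -> None:
        # Audit trail: who did what to which record, and when. Only the opaque
        # record id is logged, never the PHI content itself.
        self.audit.append(
            {"ts": self._now(), "action": action, "user": user_id, "record": record_id}
        )


# Transmission security: an integrity tag so alteration in transit is detected.
# (Confidentiality would come from TLS on the wire; this guards the payload itself.)
def seal(record: dict, key: bytes) -> dict:
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def unseal(envelope: dict, key: bytes) -> Optional[dict]:
    """Return the record if the tag verifies, or None if the body was altered."""
    expected = hmac.new(key, envelope["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, envelope["tag"]):
        return None
    return json.loads(envelope["body"])


if __name__ == "__main__":
    clock = [1_000.0]
    ac = AccessController(now=lambda: clock[0])
    ac.log_on("tok-1", "nurse42")
    print(ac.access_phi("tok-1", "rec-001"))  # allowed
    clock[0] += 16 * 60                       # 16 minutes of inactivity
    print(ac.access_phi("tok-1", "rec-001"))  # denied: auto logoff
    for entry in ac.audit:
        print(entry)
```

The audit list is what a reviewer would pull during the periodic system examination the rule calls for: every logon, read, logoff and denial is there, but the records themselves are not, so the log can be retained and inspected without itself becoming a store of PHI.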
  • 3. Figure out the PHI use cases – intended and unintended
    Even if you believe that your app will not need to be HIPAA compliant, you may quickly find that you are wrong. Consider the differences between the intended use of your app and the unintended use. For example, you may believe that your app is only going to be used to record someone’s daily weight. While this is the intended use of the app, which would not require it to be HIPAA compliant, the unintended use may change the need for compliance.

    This same app may suddenly include PHI if the user records a note next to the weight regarding an appetite suppressant medication prescribed by the user’s doctor along with the prescription number. Basically, if your app records PHI, it will need to be compliant for you to avoid hefty noncompliance fees.

  • 4. Check for service provider agreements and hosting compliance

    If you use a service provider, such as a hosting network or data storage vendor, you will need to have a business associate agreement in place. This agreement will ensure that the vendor or subcontractor understands and agrees to the same HIPAA security rule that you are under. They must have the same safeguards in place to monitor, track and dispose of PHI that you are required to have.

    Be sure to check this carefully before signing a contract with a service provider. Many providers avoid PHI entirely in order to avoid possible fees from noncompliance. Several providers are dedicated to HIPAA compliance with digital information and can work with both the physical and technical safeguards required.

    Be aware that you will most likely not want to make an app compliant entirely on your own. You will find yourself running into a myriad of issues and will spend hundreds if not thousands of work hours trying to do something that HIPAA compliant service providers can do quite quickly.

  • 5. Check for infrastructural implementation
    Whether you choose to build the safeguards into your app yourself or decide on using a third-party service provider, you are the one responsible for seeing that your app’s infrastructure is HIPAA compliant. By rule, you must address the required specifications of each of the three safeguards, and you should implement the addressable, or optional, specifications too, because this is simply a wise step to take.

    To be safe, you should also choose a hosting system with a minimum of two web servers and two database servers to protect the PHI in case of hosting failure. Another part of safety is ensuring network security to protect PHI from attackers and from malware.


  • 6. Verify any potential HIPAA violations

    Consider the most common HIPAA violations that occur in apps and through an online infrastructure, and how technology can help prevent them. By ensuring that safeguards are built in for each of these, you will eliminate much hassle and many headaches in the future.

    • Communication methods
      Notifications on phones and other devices are where app developers most often run into problems. Every communication method you use must support encryption, so unencrypted email is out. Your apps must also be HIPAA compliant if you want them to communicate with covered entities, such as doctors and insurers.
    • Push notifications
      If your app uses push notifications, the notifications must not include PHI because these end up on the home screen for all to see.
    • User security
      Because users are simply not as tuned in to security as you most likely are, you will want to build in functions to protect PHI in case the device is lost or stolen. Design automatic home screen locks, pass code requirements and remote wiping for lost devices.
    • Wearable issues
      Wearables should not use any PHI in push notifications or on default displays, and PHI must be encrypted for transmission.
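The two notification points above (no PHI in push or wearable notifications, and no traffic over channels that cannot be encrypted) are easiest to enforce in one place in the backend: the code that builds and sends the notification. This is an added example, not code from the article; the field names, channel names and the sample event are constructed for illustration, and which channels count as encrypted is an assumption.

```python
"""Added example: content-free notifications and an encrypted-channel gate.

Assumptions (mine, not the article's): the PHI field names below come from a
made-up event schema, the channel table is illustrative, and the notification
text is a generic placeholder that is safe on a locked home screen or a watch.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, Tuple

# Event fields that would be PHI if they leaked into a notification (assumed schema).
PHI_FIELDS = {"patient_name", "dob", "diagnosis", "medication", "result", "appointment_time"}


@dataclass(frozen=True)
class Channel:
    name: str
    encrypted: bool  # transport protects message content in transit (assumption)


# Illustrative channel table: push services here are treated as encrypted,
# plain SMS and email as not.
CHANNELS: Dict[str, Channel] = {
    "apns": Channel("apns", True),
    "fcm": Channel("fcm", True),
    "sms": Channel("sms", False),
    "email": Channel("email", False),
}


def build_notification(event: dict) -> dict:
    """Return a payload that is safe on a lock screen or wearable display.

    The text is generic and the only event-specific value is an opaque reference;
    the app exchanges that reference for the real content only after the user
    has unlocked the device and authenticated, over an encrypted API.
    """
    return {
        "title": "Your care team",
        "body": "You have a new message. Open the app to view it.",
        "ref": event.get("ref") or secrets.token_urlsafe(16),
    }


def leaks_phi(payload: dict, event: dict) -> bool:
    """True if any PHI field value from the event appears anywhere in the payload."""
    rendered = " ".join(str(v) for v in payload.values()).lower()
    for field in PHI_FIELDS & event.keys():
        value = str(event[field]).strip().lower()
        if value and value in rendered:
            return True
    return False


def is_channel_allowed(channel_name: str) -> bool:
    """PHI-related traffic may only leave over a channel that is encrypted."""
    channel = CHANNELS.get(channel_name)
    return channel is not None and channel.encrypted


def deliver(event: dict, channel_name: str) -> Tuple[str, dict]:
    """Build the notification and hand it to an allowed channel.

    Raises ValueError for an unencrypted or unknown channel, and refuses to send
    a payload that repeats PHI from the event (defence in depth against a future
    change to build_notification).
    """
    if not is_channel_allowed(channel_name):
        raise ValueError(f"{channel_name}: unencrypted or unknown channel, refusing to send")
    payload = build_notification(event)
    if leaks_phi(payload, event):
        raise ValueError("notification would expose PHI on the device screen")
    return channel_name, payload


if __name__ == "__main__":
    # Constructed sample event; none of these values reach the notification.
    sample = {
        "ref": "msg-8f2a",
        "patient_name": "Jane Doe",
        "diagnosis": "type 2 diabetes",
        "medication": "metformin 500 mg",
    }
    print(deliver(sample, "fcm"))
    try:
        deliver(sample, "email")
    except ValueError as exc:
        print("blocked:", exc)
```

The design choice is that the notification never carries content, so it does not matter whether the user's lock screen shows previews: the opaque `ref` is meaningless to a bystander, and the medication or result is only fetched after the app's own access controls have run.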
  • 7. Get third party audits
    Regular third-party audits will help you ensure that your app remains HIPAA compliant and that you are not at risk of expensive fines. Third-party vendors exist to audit app data systematically to ensure that it remains unadulterated and secure. While the government regularly performs its own audits of all types of entities that are required to be in compliance, you will want to engage your own service provider to uncover any vulnerabilities in your app and to establish best practice.

    If your intended app will deal with any type of PHI, you will want to be sure that it is in compliance with HIPAA. By putting safeguards in place, your app’s users will feel more comfortable using your app, and you will feel more confident that you will not be breaking the law. Be sure to work with HIPAA compliant service providers who will help you get your app up and running the right and safe way without hours of work on your part.