Building HIPAA compliant mobile apps can be tricky – don’t go it alone

It has been a long, hard road, but your team finally put the finishing touches on your innovative healthcare application and is ready to change the healthcare experience for patients. The launch date is finalized and your marketing department is set to start flooding review sites with information about your product. Behind the scenes, you have providers lined up to participate in a cohesive network to support users’ health needs. Everything is in place, right? Probably not.

Have you built a HIPAA compliant mobile app?

Building the right mobile apps for hospitals

The 1996 Health Insurance Portability and Accountability Act poses unique challenges to innovators of technology, given that the act was written 4 years before mobile phones gained web browsing capability. In 2013, the Final Omnibus Rules Update to HIPAA made major revisions to the act; rather than requiring compliance of only healthcare providers and hospitals, all entities storing, managing, recording, or transmitting Patient Health Information (PHI) were required to be HIPAA compliant according to the HIPAA Security Rule standards.

Make sure to build HIPAA compliant software – There’s no safe harbor

If the application is designed to manage, collect, or transmit PHI in any form, then it must be made HIPAA compliant.

Developers building HIPAA compliant software must address how target users will use the application. HIPAA compliant mobile apps must be designed to securely manage, collect, or transmit PHI in any form. This includes mobile apps for hospitals used for billing information, dates of service, and any information related to treatment. It is important to note that regardless of design or intended use, if the application allows the user to store or transmit data that could be considered PHI, then it must include HIPAA compliant software security measures to secure the data. This is the most vital area of compliance, as HIPAA has no safe harbor clause – unintended use cannot be used as a defense in the event of a compliance violation.

Consider all use cases to ensure mobile apps remain HIPAA compliant

Developers must further address the methods by which the application communicates with users and business associates (third parties with access to PHI stored within the application). HIPAA compliant software must be built in such a way that it protects user data at all levels of communication. It does no good to build a secured HIPAA compliant mobile app, only to allow the application to generate emails that include PHI and are sent via non-encrypted methods. Compliance in this sense requires use of a HIPAA-compliant email service provider. Similarly, if the application utilizes texts, push notifications, or automated calling to communicate with users, such communications must not include any PHI, as a user’s mobile device may be unsecured and the information visible to anyone with access to the device.
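The push-notification rule above, as an added example that is not from the original article: a naive notification builder that puts appointment details in the payload, a hardened builder that sends only an opaque reference the app resolves after the user authenticates, and a pre-send check that scans a payload for the record's PHI values. The PHI field names and the sample record are constructed for the demo.

```python
import json
import secrets

# Assumed set of PHI fields for this example; a real app would derive this
# from its data model.
PHI_FIELDS = ("patient_name", "date_of_birth", "diagnosis", "date_of_service")


def find_phi_leaks(payload: dict, record: dict) -> list:
    """Return the PHI fields of `record` whose values appear anywhere in `payload`."""
    text = json.dumps(payload).lower()
    return [f for f in PHI_FIELDS
            if record.get(f) and str(record[f]).lower() in text]


def build_naive_notification(record: dict) -> dict:
    # Convenient but non-compliant: the lock screen shows this body to anyone
    # holding the phone.
    return {"title": "Appointment reminder",
            "body": f"{record['patient_name']}, your {record['diagnosis']} "
                    f"follow-up is on {record['date_of_service']}."}


def build_safe_notification(record: dict, ref_store: dict) -> dict:
    # Hardened: the payload carries only an opaque, single-use reference; the
    # server-side mapping from reference to record is never sent to the device.
    ref = secrets.token_urlsafe(16)
    ref_store[ref] = record["record_id"]
    return {"title": "New message from your care team",
            "body": "Open the app to view it.",
            "ref": ref}


def send_if_clean(payload: dict, record: dict) -> bool:
    """Gate in front of the push provider: refuse any payload containing PHI."""
    return not find_phi_leaks(payload, record)


# Constructed sample record for the demo (not real patient data).
SAMPLE_RECORD = {
    "record_id": "rec-0001",
    "patient_name": "Jane Example",
    "date_of_birth": "1980-01-02",
    "diagnosis": "hypertension",
    "date_of_service": "2024-05-06",
}

if __name__ == "__main__":
    store = {}
    print(find_phi_leaks(build_naive_notification(SAMPLE_RECORD), SAMPLE_RECORD))
    print(send_if_clean(build_safe_notification(SAMPLE_RECORD, store), SAMPLE_RECORD))
```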

The same holds true on the back-end of the application. If designed to pull data from secure sources via API and database calls, the application must be secured, otherwise it won’t legally be able to access the data necessary to function in the manner intended.

Be mindful of mobile device security measures when developing HIPAA compliant mobile apps

A third issue developers of HIPAA compliant software must be mindful of is the physical security of mobile devices. While it’s not possible to control how careful users might be with the device itself, precautions can be taken at a programming and feature level.

In a welcome message sent to new account holders, it would be wise to remind users to enable the lock-screen password functionality of their mobile device, minimizing exposure of their data if the device leaves their possession even temporarily. Similarly, users can be reminded in the welcome message that if their device is lost, they should consider taking advantage of the remote wipe feature many mobile devices include in order to keep their information secure.

HIPAA compliant mobile apps

Device security further necessitates designing the interface of mobile apps for hospitals and the healthcare industry in such a way as to include basic access control requirements such as unique user identification, authentication verification, and emergency access. Developers should also integrate automatic logoff and encryption/decryption of PHI in any HIPAA compliant mobile app.

Partner with an experienced provider to ensure you are building HIPAA compliant software

The above are just the basic tenets of HIPAA compliance required of developers with qualifying products – the full requirements are numerous and complicated to navigate for those unfamiliar with the laws. While you might opt to not allow PHI to be stored within the application, remember that HIPAA has no safe harbor protection – if PHI ends up stored in your application or transmitted through your application, you must be compliant.

Kays Harbor Technologies offers clients peace of mind, along with HIPAA compliant app solutions. Reach out to our consultation team today for an assessment of your project’s needs.