Hi. Thank you for watching this 12th video in our video series. I’m Jody Chaffin, and today we are talking about how to develop HIPAA compliant mobile apps.
As I’ve mentioned in past videos, The App Pros has a lot of experience developing software for the healthcare industry. We have also worked with entrepreneurs and internal innovators to design and develop mobile apps for the healthcare industry. Anytime you are considering a healthcare-related mobile app, it is crucial to ensure that your app will be HIPAA compliant.
HIPAA stands for the Health Insurance Portability and Accountability Act, which has been in effect since 1996. This act provided the first regulations for the use and disclosure of an individual’s health information. A person’s Protected Health Information is also referred to as PHI. PHI is any information about health status, provision of health care, or payment for health care that can be linked to a specific individual. This is interpreted rather broadly and includes any part of a patient’s medical record or payment history.
The nature of mobile devices creates some unique concerns, so let’s discuss some critical things you have to consider when developing a mobile app for the healthcare industry:
- First, does your app need to be HIPAA compliant? – If it is strictly for information lookup, like medical remedies, then no, it does not. However, if it contains any PHI that is transmitted to a doctor, for example, then it must be. Remember, there is no safe harbor clause for HIPAA, and the fines can be very steep. Therefore, if you have any doubts, check with an attorney or HIPAA compliance officer.
- PHI can be compromised if the user’s phone is lost or stolen – therefore, you have to always plan for what happens if a device goes missing.
- With email and social media, users can expose data and violate HIPAA – this could be the result of an erroneous cut and paste or an intentional violation.
- Push notifications can violate HIPAA if they contain PHI – therefore, never include PHI in the text of the push notification.
- Users may not password protect their device – if your app doesn’t secure the data appropriately, an unlocked phone or tablet could expose data.
- Even if they do password protect their device, users are more likely to use basic passwords on mobile devices.
- Therefore, always secure access to PHI via unique user authentication.
- In addition, all PHI data must be encrypted both on the device and during transmission of the data to or from the device.
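To make the push notification point concrete, here is an added example (not code from the original video or from The App Pros) of a notification builder that carries only an opaque record id and a generic message, plus a check a sender can run before handing the payload to the push service. The PHI field names, the sample record and the record id are constructed for the example; the app is assumed to fetch the real PHI over its authenticated, encrypted API once the user unlocks it.

```python
"""Build push notifications that carry no PHI.

Added example; not code from the original video or from The App Pros.
Assumptions: the notification carries only an opaque record id and a
generic message, and the app fetches the actual PHI over its authenticated,
encrypted API after the user has unlocked it. PHI_FIELDS and the sample
record below are constructed.
"""

# Field names this (hypothetical) app treats as PHI.
PHI_FIELDS = {"patient_name", "date_of_birth", "diagnosis", "medication", "mrn"}

# Generic, PHI-free message bodies keyed by notification kind.
GENERIC_BODIES = {
    "lab_result": "A new result is available. Open the app to view it.",
    "appointment": "You have an upcoming appointment. Open the app for details.",
    "message": "You have a new secure message.",
}


def build_notification(record_id: str, kind: str) -> dict:
    """Return a payload containing only an opaque reference and generic text."""
    if kind not in GENERIC_BODIES:
        raise ValueError(f"unknown notification kind: {kind}")
    return {
        "title": "Health App",
        "body": GENERIC_BODIES[kind],
        # Opaque id only; the client resolves it after authenticating.
        "data": {"record_id": record_id, "kind": kind},
    }


def _strings_in(payload) -> list[str]:
    """Collect every string value from a nested dict/list payload."""
    if isinstance(payload, dict):
        return [s for v in payload.values() for s in _strings_in(v)]
    if isinstance(payload, (list, tuple)):
        return [s for v in payload for s in _strings_in(v)]
    if isinstance(payload, str):
        return [payload]
    return []


def _keys_in(payload) -> set[str]:
    """Collect every dict key from a nested payload."""
    keys: set[str] = set()
    if isinstance(payload, dict):
        for k, v in payload.items():
            keys.add(k)
            keys |= _keys_in(v)
    elif isinstance(payload, (list, tuple)):
        for v in payload:
            keys |= _keys_in(v)
    return keys


def payload_leaks_phi(payload: dict, record: dict) -> bool:
    """True if the payload names a PHI field or embeds a PHI value from the record.

    Checks structure (a PHI field name used as a key anywhere in the payload)
    and content (a PHI value from the record appearing inside any string).
    """
    if _keys_in(payload) & PHI_FIELDS:
        return True
    phi_values = [str(record[f]) for f in PHI_FIELDS if f in record and record[f]]
    texts = _strings_in(payload)
    return any(value in text for value in phi_values for text in texts)


def send_if_safe(payload: dict, record: dict) -> bool:
    """Gate a sender would call before handing the payload to the push service."""
    if payload_leaks_phi(payload, record):
        return False
    # Actual delivery is out of scope here; a real sender would call APNs/FCM.
    return True


if __name__ == "__main__":
    # Constructed sample record; not real patient data.
    record = {"mrn": "MRN-000123", "patient_name": "Jane Sample",
              "diagnosis": "hypertension", "date_of_birth": "1980-01-01"}
    safe = build_notification("rec-7f3a", "lab_result")
    unsafe = {"title": "Lab result", "body": "Jane Sample: hypertension result ready",
              "data": {"record_id": "rec-7f3a"}}
    print("safe payload leaks PHI:", payload_leaks_phi(safe, record))
    print("unsafe payload leaks PHI:", payload_leaks_phi(unsafe, record))
```

The value check compares the payload against the specific record the notification is about, so it catches a developer who formats a patient's name or diagnosis into the message body, which a key-name check alone would miss. Very short PHI values could produce false positives with plain substring matching; the safe behaviour is still to reject and fall back to the generic body.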
Here are some other best practices to consider:
- Regular updates – Anytime a potential issue or exposure is noted with the app, an update needs to be developed and published for users to update their app.
- Audit Logging is very important. All new entries and updates need to record the modification date and user. Reports need to exist to audit the data. Some information requires an audit log showing what the old entry was and what it was changed to (and by whom).
- Have a way to remotely wipe the data from a device – Third party applications like SOTI MobiControl are good options to lock down mobile devices, deploy apps to them, and wipe data from them. If something like that isn’t available, then there will need to be an administrative option to remotely wipe data from a device.
- Finally, data backup – data needs to be synced with the backend system on a regular basis. Store-and-go can be a good option when no Internet connection is available, but once the device detects connectivity, the app should sync the data. Storing the data in the cloud or on a hosted server allows the user to restore lost data or transfer it onto a new device.
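Here is an added example (not code from the original video or from The App Pros) that ties together the audit logging and data backup points: every create or update records the user, the modification time, and the old and new value, and changes made offline are queued and pushed to the backend as soon as connectivity returns. The in-memory dicts stand in for the on-device store and the hosted server, and the caller is assumed to have already authenticated the user named in each audit entry.

```python
"""Audit-logged record updates with a store-and-go sync queue.

Added example; not code from the original video or from The App Pros.
Assumptions: records and the "backend" are in-memory dicts standing in for
the on-device store and the hosted server, and the caller has already
authenticated the user whose name is recorded in each audit entry.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Any


@dataclass(frozen=True)
class AuditEntry:
    """One field-level change: who changed what, when, from and to which value."""
    timestamp: str
    user: str
    record_id: str
    field_name: str
    old_value: Any
    new_value: Any


class PhiStore:
    def __init__(self) -> None:
        self.records: dict[str, dict] = {}        # on-device copy
        self.audit_log: list[AuditEntry] = []     # append-only
        self.pending_sync: list[str] = []         # record ids changed since last sync
        self.online = False
        self.backend: dict[str, dict] = {}        # stand-in for the hosted server

    @staticmethod
    def _now() -> str:
        return datetime.now(timezone.utc).isoformat()

    def create(self, user: str, record_id: str, data: dict) -> None:
        """Create a record; each initial field is logged with old_value None."""
        if record_id in self.records:
            raise ValueError(f"record {record_id} already exists")
        self.records[record_id] = dict(data)
        for field_name, value in data.items():
            self.audit_log.append(
                AuditEntry(self._now(), user, record_id, field_name, None, value))
        self._mark_dirty(record_id)

    def update(self, user: str, record_id: str, field_name: str, new_value: Any) -> bool:
        """Change one field, recording old and new value and the acting user."""
        record = self.records[record_id]  # KeyError for unknown ids
        old_value = record.get(field_name)
        if old_value == new_value:
            return False  # no change, nothing to log
        record[field_name] = new_value
        self.audit_log.append(
            AuditEntry(self._now(), user, record_id, field_name, old_value, new_value))
        self._mark_dirty(record_id)
        return True

    def history(self, record_id: str) -> list[AuditEntry]:
        """Audit report for one record, oldest change first."""
        return [e for e in self.audit_log if e.record_id == record_id]

    def changes_by(self, user: str) -> list[AuditEntry]:
        """Audit report of everything one user changed."""
        return [e for e in self.audit_log if e.user == user]

    def _mark_dirty(self, record_id: str) -> None:
        if record_id not in self.pending_sync:
            self.pending_sync.append(record_id)
        if self.online:
            self.sync()  # online: push immediately rather than waiting

    def set_connectivity(self, online: bool) -> int:
        """Store-and-go: when connectivity returns, push everything queued."""
        self.online = online
        return self.sync() if online else 0

    def sync(self) -> int:
        """Copy every queued record to the backend; returns the number synced."""
        if not self.online:
            return 0
        synced = 0
        for record_id in self.pending_sync:
            self.backend[record_id] = dict(self.records[record_id])
            synced += 1
        self.pending_sync.clear()
        return synced

    def restore(self, record_id: str) -> dict:
        """Recover a record from the backend, e.g. onto a replacement device."""
        return dict(self.backend[record_id])


if __name__ == "__main__":
    store = PhiStore()
    # Constructed sample data; not real patient data.
    store.create("nurse01", "rec-1", {"medication": "drug A", "dose_mg": 10})
    store.update("dr02", "rec-1", "dose_mg", 20)   # offline: queued, not synced
    print("queued:", store.pending_sync)
    print("synced on reconnect:", store.set_connectivity(True))
    for entry in store.history("rec-1"):
        print(entry)
```

The audit log is append-only and keyed by user and timestamp, so the "what was it before, what is it now, and who did it" report the video asks for is a simple filter over it. In a real app the log and the records would both live in the encrypted on-device store and be shipped to the backend on the same sync path.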
HIPAA compliance is a very serious matter and is an area where The App Pros has a lot of experience. If you have questions or would like to provide feedback on this video, we would love to hear from you. Make sure to subscribe and follow us on social media. Thanks for watching and I’ll see you next time.