Let's begin with what HIPAA is. HIPAA stands for Health Insurance Portability and Accountability Act. The law was enacted to govern how the health information and medical records of individuals are collected and protected. Its ultimate goal is to define and enforce the way individually identifiable health information is stored and shared over communication technology (today, typically over mobile apps).
So, when you work on any such project, you should first check whether the mobile app needs to be HIPAA compliant. Understanding HIPAA compliance in connection with your mobile app, however, requires help from experts and your own research into Protected Health Information (PHI) and related notions.
The difficulty in understanding HIPAA compliance comes mainly from its complexity and from the ambiguity about what counts as a source of PHI.
Before we dig into how it works in conjunction with mobile apps, we need to look at the factors and facets that form and define the HIPAA compliance mechanism.
Covered Entities (CEs)
Business Associates (BAs)
Protected Health Information (PHI)
Personal Health Records (PHR)
Business Associate Agreement (BAA)
Covered Entities (CEs) and their Business Associates (BAs) access and protect Protected Health Information (PHI). HIPAA defines privacy and security requirements for this PHI, and CEs and BAs must adhere to them when dealing with Personal Health Records (PHRs) and other related documents that are a type of PHI. As part of this process, your hosting provider gives you a Business Associate Agreement (BAA), duly attested, so that you hold signed proof that all compliance requirements are met.
It is not clearly defined which apps need to be HIPAA compliant, so you have to go with a general rule of thumb, which essentially comes down to the type of information that is collected. Apps such as Pacer and Apple Health do not need to be HIPAA compliant because the data they collect is generic and basic in nature (like weight loss and step counts). On the other hand, apps with core medical significance are generally subject to deeper scrutiny. Also, if an app is used by medical personnel or a medical agency, it has a high chance of falling within the scope of the compliance rules.
Determining whether information belongs to the sphere of PHI requires a detailed understanding of the domain and everything it covers. However, here is the general definition of PHI that is followed unofficially: PHI is any information about a patient's health, whether past, present, or future, in any type or form, that can identify the patient and that is created or received by (or on behalf of) a CE. This even includes personal data that may not obviously relate to a patient's health (like a date of birth or zip code), because such values can be used to identify the patient by matching them against public census data.
If your app falls within the mandatory HIPAA compliance zone and you fail to make it compliant or meet the regulation standards, you may be severely penalized with stringent civil and criminal fines under the rules and regulations of the US Dept. of Health and Human Services, as mandated by Congress.
Now that you have enough background on how the idea works, you should understand the functional side: how your mobile app should address the need for HIPAA compliance.
The first thing to think about is storage, which immediately brings you to the device on which the app is installed. While the information is being entered or reviewed by the user, it is necessarily held unencrypted in the device's memory. At rest, however, the saved information must be stored in encrypted form; otherwise you are breaching security as a provider and would be considered outside the standards of HIPAA compliance.
While in transit from a device to the server, you must use Transport Layer Security (TLS) and rely on modern cipher suites. You should also pin the certificate if there is any possibility of devices being used on untrusted or compromised networks.
To build the right app, it is important to understand its core purpose and to define the audience it serves. You should also know what kind of information it handles, to what degree, and along what route it is passed or processed to reach its end goal. This includes thinking through the practices and processes involved in generating, fetching, sourcing, using, distributing, and referring to HIPAA-regulated information.
Going deeper, you can also look at where connections will be established, at what level verification will be done, what the medical practitioner will be acquiring information for, and what structure the process will follow.
When you are planning to add HIPAA compliance to your mobile app development plan, always consult a provider who has experience with it and a successful track record. Privacy and security of medical information are the most important things to take care of in a domain with such dynamic acquisition, flow, and use of data and events. So, take it as far as you can, and make the most of HIPAA compliance in your mobile app endeavor.
A marketing graduate, a deemed strategist, a sure geek - Tushar is a fine blender of the art and science of writing. When it comes to tune up content with commerce, he knows the trick. For him, if words don’t make you think and beat, they are not worth your time. A crazy foodie, an unfailing jogger – that’s him off the desk!