One of the most commonly asked questions we hear is “What is HIPAA compliance?”
HIPAA is the Health Insurance Portability and Accountability Act of 1996, a set of regulatory standards that govern the lawful use and disclosure of protected health information (PHI). HIPAA compliance is overseen by the Department of Health and Human Services (HHS) and enforced by its Office for Civil Rights (OCR). OCR's role consists of ongoing supervision, guidance on new issues in healthcare, and the investigation of HIPAA violations and complaints.
Protected Health Information (PHI)
Protected Health Information (PHI) is any individually identifiable health information, including demographic details, that can be used to identify a patient or client of a HIPAA-covered entity (or of a business associate working for one). HIPAA requires that PHI be secured and safeguarded, so healthcare organizations must know exactly what counts as PHI.
HIPAA regulation is made up of several distinct HIPAA Rules, issued over the more than 20 years since HIPAA was enacted in 1996.
The HIPAA Rules that you should be aware of include:
a) HIPAA Privacy Rule: The Privacy Rule sets national standards for patients' rights over their PHI and for when PHI may be used or disclosed. It is written for covered entities; business associates are bound to its use-and-disclosure limits through their Business Associate Agreements and, since the Omnibus Rule, are directly liable for certain of its provisions. These standards must be documented in the organization's HIPAA Policies and Procedures, and all employees must be trained on them, with documented attestation (annual training is the common practice).
b) HIPAA Security Rule: The Security Rule sets national standards for the secure maintenance, transmission, and handling of electronic PHI (ePHI), organized as administrative, physical, and technical safeguards. It applies to both covered entities and business associates, since both store and exchange ePHI.
c) HIPAA Enforcement Rule: The Enforcement Rule sets out how violations are investigated and how civil money penalties are determined. Penalties are tiered by the organization's level of culpability, and scale with the number of records affected and with whether the organization has a history of violations.
d) HIPAA Breach Notification Rule: The Breach Notification Rule is the set of requirements covered entities and business associates must follow after a breach of unsecured PHI or ePHI. Affected individuals must be notified without unreasonable delay and within 60 days of discovery. The Rule then distinguishes by size: breaches affecting 500 or more individuals must be reported to HHS within the same 60 days (and to prominent media outlets), while smaller breaches are logged and reported to HHS within 60 days of the end of the calendar year in which they were discovered.
e) HIPAA Omnibus Rule: The Omnibus Rule (2013) extended HIPAA's requirements from covered entities to business associates, making business associates directly responsible for HIPAA compliance, and set out the rules for Business Associate Agreements (BAAs). A BAA is a contract that must be in place between a covered entity and a business associate, or between a business associate and its subcontractor, before ANY PHI or ePHI is shared or transferred.
What Does HIPAA Compliance Mean for App Developers?
To check whether your mobile app needs to be HIPAA compliant, analyze three things:
a) Who is the app user, and is it a covered entity or a business associate?
b) What type of information will the application hold or transmit?
c) How is that information stored and transmitted (including how it is encrypted)?
If the user is a covered entity (or a business associate acting on its behalf) and the information is PHI, HIPAA applies. Developing a HIPAA compliant app is a complex process, so before starting such a project the developers need to understand the complete picture, beginning with the scope of how the application will be used.
Developers therefore need to know how to build for healthcare and which data falls under PHI; that understanding is what makes the product HIPAA compliant. PHI is not only medical records and Social Security numbers: names, email addresses, and phone numbers also count once they are linked to health information. HHS lists 18 types of identifiers (enumerated below). If the application works with any such information, follow the HIPAA compliant app development process:
a) Set up adequate physical safeguards. Review the backend systems that hold ePHI and the networks over which it is transferred, and analyze every device integration, since these are all paths along which data moves. The application must have safeguards on every one of them; this is a significant point to settle before development starts.
b) Put administrative safeguards in place. These safeguards protect ePHI through policy: share only the minimum necessary PHI with other platforms, and pay close attention to Information Access Management.
Regarding information access, only the people who need a piece of information for their role should be able to reach it. Define clearance levels before you start building the platform, and choose strong authentication measures such as fingerprint or other biometric unlock. At the same time, it is crucial to preserve the user-friendliness of the HIPAA compliant app.
c) Implement the technical safeguards. Encrypt ePHI at rest and in transit; give every user a unique identifier so that each access to ePHI is attributable to one person; define an emergency (break-glass) access procedure that is itself logged; enforce automatic logoff after a period of inactivity; and make sure no PHI is ever placed in push notifications or lock-screen previews on mobile devices.
d) Limit data collection to the minimum necessary. Do not let the app store or receive more data than its function requires. This is a HIPAA principle, and it also reduces what an attacker can take.
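As an added example (not code from the original article), the following Python sketch shows how the technical safeguards in c) and the Information Access Management point in b) fit together in application code: each action is tied to a unique user ID, an idle timeout produces an automatic logoff, a break-glass procedure grants emergency access but records the stated reason, and every read, denial and emergency grant lands in an append-only audit log. The 15-minute idle timeout, the 30-minute emergency window, the clinician-to-patient assignments and the record contents are all constructed assumptions for the example.

```python
import time
from dataclasses import dataclass
from typing import Callable, Optional

IDLE_TIMEOUT = 15 * 60        # assumed policy: automatic logoff after 15 minutes idle
BREAK_GLASS_WINDOW = 30 * 60  # assumed policy: emergency access lasts 30 minutes

# Constructed sample data: which clinician is assigned to which patient record,
# and the records themselves (stand-ins for rows in an encrypted data store).
ASSIGNMENTS = {"dr_alice": {"pt-001", "pt-002"}, "nurse_bob": {"pt-002"}}
RECORDS = {
    "pt-001": "Jane Patient, HbA1c 7.9%",
    "pt-002": "John Patient, BP 150/95",
    "pt-003": "Mary Patient, allergy: penicillin",
}


@dataclass
class AuditEvent:
    ts: float
    user_id: str                   # unique per person; shared logins defeat attribution
    action: str                    # read, denied, break_glass, auto_logoff, logout
    record_id: Optional[str] = None
    detail: str = ""


class SessionExpired(Exception):
    pass


class AccessDenied(Exception):
    pass


class PhiSession:
    """One authenticated user's session over ePHI, with idle logoff and auditing."""

    def __init__(self, user_id: str, audit: list, clock: Callable[[], float] = time.time,
                 idle_timeout: float = IDLE_TIMEOUT):
        self.user_id = user_id
        self.audit = audit            # shared, append-only list of AuditEvent
        self.clock = clock            # injected so the timeout can be tested
        self.idle_timeout = idle_timeout
        self.last_activity = clock()
        self.active = True
        self.emergency_until = 0.0

    def _touch(self) -> float:
        """Enforce automatic logoff: every action first checks the idle clock."""
        now = self.clock()
        if not self.active:
            raise SessionExpired("session already closed")
        if now - self.last_activity > self.idle_timeout:
            self.active = False
            self.audit.append(AuditEvent(now, self.user_id, "auto_logoff"))
            raise SessionExpired("idle too long, re-authenticate")
        self.last_activity = now
        return now

    def break_glass(self, reason: str) -> None:
        """Emergency access procedure: grant time-boxed access, but record why."""
        now = self._touch()
        if not reason.strip():
            raise ValueError("emergency access requires a stated reason")
        self.emergency_until = now + BREAK_GLASS_WINDOW
        self.audit.append(AuditEvent(now, self.user_id, "break_glass", detail=reason))

    def read_record(self, record_id: str) -> str:
        """Return a record only if the user is assigned to it or under break-glass."""
        now = self._touch()
        assigned = record_id in ASSIGNMENTS.get(self.user_id, set())
        emergency = now < self.emergency_until
        if not (assigned or emergency):
            self.audit.append(AuditEvent(now, self.user_id, "denied", record_id))
            raise AccessDenied(f"{self.user_id} is not assigned to {record_id}")
        self.audit.append(AuditEvent(now, self.user_id, "read", record_id,
                                     "via break-glass" if not assigned else ""))
        return RECORDS[record_id]

    def logout(self) -> None:
        self.active = False
        self.audit.append(AuditEvent(self.clock(), self.user_id, "logout"))


def emergency_reads(audit: list) -> list:
    """Reviewer's query: every read that relied on break-glass, for after-the-fact review."""
    return [(e.user_id, e.record_id) for e in audit if e.action == "read" and e.detail]
```

In a real deployment the audit list would be an append-only store that the application cannot rewrite, the assignments would come from the scheduling or EHR system rather than a dict, and the break-glass events would feed a review queue; the point of the sketch is that the unique user ID, the idle timeout and the audit trail are enforced in one place that every data access has to pass through.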
According to guidance from the HHS Office for Civil Rights (OCR), the following 18 types of information are identifiers which, when linked to health information, make that information PHI. They are also exactly the identifiers that the Safe Harbor method of de-identification requires to be removed before data stops being PHI. The 18 identifiers are:
- Names
- Address (including any geographic subdivision smaller than a state, such as a street address, city, county, or ZIP code)
- Any dates (other than the year) directly related to an individual, including birth date, admission or discharge date, and date of death, plus any age over 89 (ages over 89 may only be reported in an aggregate category of 90 or older)
- Fax number
- Telephone number
- Email address
- Medical record number
- Social Security number
- Health plan beneficiary number
- Account number
- Certificate/license number
- Vehicle identifiers, serial numbers, or license plate numbers
- Device identifiers or serial numbers
- Web URLs
- IP address
- Biometric identifiers such as fingerprints or voice prints
- Full-face photos
- Any other unique identifying numbers, characteristics, or codes
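As an added example (not from the original article or from HHS), here is a Python routine that applies the Safe Harbor rule to a constructed patient record: it drops the direct identifiers listed above, keeps only the year of any date, collapses ages over 89 into "90+" (and drops the birth year, which would reveal such an age), truncates the ZIP code to its first three digits (the rule allows this, but requires "000" for the sparsely populated three-digit areas that HHS lists), and scans free-text fields for identifiers embedded in notes. `SAMPLE_RECORD`, `YOUNG_RECORD`, the `DEFAULT_RESTRICTED_ZIP3` set (a placeholder, not the official HHS list) and the regular expressions are all assumptions for the example; the free-text scanner is a coarse safety net, not a substitute for a proper de-identification review.

```python
import re
from datetime import date

# Safe Harbor categories that have no "generalized" form: the field is removed.
DIRECT_IDENTIFIERS = {
    "name", "street", "city", "county", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_plate",
    "device_serial", "url", "ip_address", "biometric", "photo",
}

# Safe Harbor keeps the first three ZIP digits unless that ZIP3 area holds fewer
# than 20,000 people, in which case it becomes "000". HHS publishes the affected
# prefixes; this set is an illustrative placeholder (assumption), not that list.
DEFAULT_RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "592", "790"}

# Patterns for identifiers that turn up inside free text. Order matters: SSN and
# IP run before the looser phone pattern. Whole dates are redacted, which is more
# conservative than the rule requires (it would allow the year to stay).
_FREE_TEXT_PATTERNS = [
    ("[SSN]",   re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("[EMAIL]", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("[IP]",    re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")),
    ("[DATE]",  re.compile(r"\b(?:\d{4}-\d{2}-\d{2}|\d{1,2}[/-]\d{1,2}[/-]\d{2,4})\b")),
    ("[PHONE]", re.compile(r"\(?\b\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}\b")),
]


def redact_free_text(text: str) -> str:
    """Replace identifier-looking substrings in a clinical note with placeholders."""
    for label, pattern in _FREE_TEXT_PATTERNS:
        text = pattern.sub(label, text)
    return text


def generalize_zip(zip_code: str, restricted_zip3=DEFAULT_RESTRICTED_ZIP3) -> str:
    zip3 = zip_code[:3]
    return "000" if zip3 in restricted_zip3 else zip3


def deidentify_record(record: dict, as_of: date,
                      restricted_zip3=DEFAULT_RESTRICTED_ZIP3) -> dict:
    """Return a Safe Harbor de-identified copy of `record`.

    `as_of` is the reference date for computing age; Safe Harbor treats ages over
    89, and any date element that reveals one, as identifiers.
    """
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue                                   # drop the field outright
        if key == "zip":
            out[key] = generalize_zip(value, restricted_zip3)
        elif isinstance(value, date):
            out[key] = str(value.year)                 # keep the year only
        elif isinstance(value, str):
            out[key] = redact_free_text(value)         # notes may embed identifiers
        else:
            out[key] = value
    dob = record.get("dob")
    if dob is not None:
        age = as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))
        if age > 89:
            out.pop("dob", None)                       # even the birth year reveals 90+
            out["age"] = "90+"
        else:
            out["age"] = age
    return out


# Constructed sample input: a 92-year-old patient with identifiers scattered
# across structured fields and a free-text note.
SAMPLE_AS_OF = date(2024, 1, 15)
SAMPLE_RECORD = {
    "name": "Jane Q. Patient",
    "street": "12 Elm St", "city": "Springfield", "state": "IL", "zip": "62704",
    "dob": date(1931, 3, 14), "admitted": date(2023, 11, 2),
    "mrn": "MRN-0099887", "ssn": "123-45-6789", "email": "jane@example.com",
    "ip_address": "203.0.113.7", "diagnosis": "type 2 diabetes",
    "note": "Pt called from 555-123-4567, follow up 11/09/2023.",
}
YOUNG_RECORD = {"dob": date(1990, 6, 1), "zip": "03601", "diagnosis": "asthma"}

if __name__ == "__main__":
    print(deidentify_record(SAMPLE_RECORD, SAMPLE_AS_OF))
```

Two design points worth noting: the diagnosis survives, because de-identification removes the identifiers, not the health data, and the age threshold is applied after the date generalization so that a birth year alone cannot leak an age over 89. Anything this routine outputs is still PHI until a reviewer confirms the remaining fields, in combination, cannot single out an individual.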
Case Study to Check Whether Your Application Needs to Be HIPAA Compliant or Not
When You Need to Build a HIPAA Compliant Application
Suppose a healthcare provider approaches you to build a mobile app that keeps records of its patients. The application lets the provider save personal information about each patient, and it also tracks the patients' diet and exercise habits. The patient and the provider organization exchange information with each other, through messages or auto-generated notifications.
Should it be HIPAA compliant? Yes: the client is a covered entity and the data is PHI, so every safeguard above applies, and if your company will host or otherwise handle that PHI, it is a business associate and needs a BAA with the provider before any data flows.
When You Don’t Need to Build a HIPAA Compliant Application
Now suppose another case. An organization approaches you to create a health-oriented fitness app. The application lets the user enter data such as name, weight, height, and age, together with readings from a home-based medical device.
An app with this set of data does not need to be HIPAA compliant, because no covered entity or business associate is involved and no covered entity receives the information; the readings are simply for the user's own reference. Note that the answer turns on who handles the data, not on how sensitive it is: if the same app later shares readings with the user's physician or health plan, or is built for one, the analysis changes.
The penalties for violating HIPAA are substantial. Civil penalties run from $100 per violation in the lowest tier to an annual cap of $1.5 million per violation category (both figures are adjusted for inflation), depending on the level of culpability and the size of the breach.
From executing the right BAAs to building the application with security in mind from the start and commissioning third-party audits, HIPAA compliant app development is easier said than done.
Many factors are at play. Whether you are the developer or the vendor, you must follow all of these processes and procedures for mobile app development. Under HIPAA, how information is collected and stored is a central concern.
That is why you must retrieve only the sets of data that are actually required and that you can secure. Only once you have this complete understanding can you build HIPAA compliant apps.