Is your Healthcare app HIPAA compliant?
HIPAA stands for Health Insurance Portability and Accountability Act. The HIPAA laws were enacted in 1996, years before the advent of iOS and Android devices. Smartphones have since brought a flood of apps into the healthcare industry.
HIPAA aims to protect the health information in patients’ medical records (PHI, Protected Health Information). A mobile app falls under HIPAA if it handles PHI, stores PHI, or shares PHI with healthcare providers (doctors, dentists, pharmacies), insurance companies, government programs or health information processors.
As a company working in the healthcare domain and in mobile app development, we have compiled a quick checklist of items to consider before you start app development.
- First and foremost, determine whether you need a compliance check at all
  - If your mobile app collects, stores or shares any kind of medical test results, pharmacy prescriptions, other treatment information, health insurance information or billing details with HIPAA-covered entities, then your app needs to be HIPAA compliant.
  - If your app allows users to connect with doctors and exchange information via texting, video calls, voice calls or group forums, then it needs to be HIPAA compliant.
  - A fitness tracking app that tracks steps taken, distance covered, hours of sleep etc. need not be within the scope of HIPAA.
  - An app need not be compliant if it only gives users access to medical reference information, defines diseases or illnesses, tracks diet etc.
  - If the app is not to be used by medical personnel, staff or contractors of covered entities, then it need not be HIPAA compliant.
- Ensuring data security
  - If the app provides offline storage of any kind of PHI, that storage has to be secured using 256-bit encryption.
  - Resident data has to be cleared from the system at regular intervals.
  - Ensure that the app cannot be accessed by anybody else; provide an auto-logout feature after a period of inactivity.
  - The app should not record personal details. If it does record them, it should not display them on screen.
- Security in data transmission
  - The app should communicate with the backend services over HTTPS.
  - Push notifications should not carry PHI.
  - Text messages/SMS should not carry PHI.
  - If you are using any third-party components for data transmission, those components should be HIPAA compliant. For example, if you send an email that contains PHI, the email service provider should be HIPAA compliant.
- Information to the users
  Users should be informed of what types of health information are collected and how this information is used by the app. Provide this information in the About/Help/FAQ section.
- Check the FDA’s medical device classification
  Any software or hardware that collects data and/or provides input to a healthcare provider’s decision-making process can be classified as a medical device by the FDA. If the app falls into this category, a whole set of additional regulations has to be satisfied for FDA approval as well, not just HIPAA.
- As far as possible, use HIPAA-compliant tools to power your application. For example, choose a hosting service that covers all the physical safeguard requirements of HIPAA, and provide a messaging platform that offers secure messaging and is HIPAA compliant. Not all secure messaging platforms are HIPAA compliant.
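The "256-bit encryption" item under data security above, as an added example that is not part of this article: a hypothetical SealPHI/OpenPHI pair in Go that stores each offline PHI record as AES-256-GCM ciphertext, rejects keys that are not actually 256 bits, and binds the record id as associated data so a blob cannot be moved between records undetected. Where the 32-byte key lives (a platform keystore) is assumed to be handled outside this snippet.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// newAEAD builds AES-256-GCM and rejects keys that are not 256 bits, since
// aes.NewCipher would otherwise silently select AES-128 or AES-192.
func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealPHI encrypts one record for offline storage as nonce||ciphertext. The
// record id is bound as associated data, so a blob cannot be swapped between records.
func SealPHI(key []byte, id string, phi []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize()) // fresh random nonce per record
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, phi, []byte(id)), nil
}

// OpenPHI decrypts a blob from SealPHI; any modification of the blob or use of
// the wrong record id makes GCM's authentication check fail.
func OpenPHI(key []byte, id string, blob []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if n := aead.NonceSize(); len(blob) >= n {
		return aead.Open(nil, blob[:n], blob[n:], []byte(id))
	}
	return nil, errors.New("blob too short")
}

func main() {}
```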
This article provides only a very broad guideline to HIPAA compliance for mobile apps. There are many other use cases that need to be taken care of depending on the type of mobile app you are developing. To consult with us on HIPAA compliance, email firstname.lastname@example.org.