Mobile technology has been changing our lives in many different ways, and the sphere of healthcare is also experiencing transformations. Health-related apps are especially appealing today for two reasons:
- Healthcare is one of the most profitable business sectors (especially in the US and Western Europe).
- Modern smartphones and wearables offer great opportunities for medical tracking and data sharing for both patients and doctors.
However, because of red tape, developing mHealth apps isn’t as simple as developing any other type of app. This is particularly true for the US market, where medical apps fall under the purview of HIPAA regulations pertaining to patient privacy and the security of medical data.
Applicable HIPAA regulations must be understood and taken into account prior to the start of healthcare app development. In this article we’ll highlight the criteria that indicate whether or not a particular medical app must comply with HIPAA regulations.
What is HIPAA?
There are two major laws that regulate data security for the medical sector: HIPAA (the Health Insurance Portability and Accountability Act) and HITECH (the Health Information Technology for Economic and Clinical Health Act). The latter was written in 2009 and serves as an addition to HIPAA; it adds fines and penalties for non-compliance. In general, if an app is compliant with HIPAA, it will also be compliant with HITECH regulations.
HIPAA is often seen as the most significant document and was introduced in 1996. The tech sector and medical professionals have already worked under HIPAA for many years and understand its implications. But what does it mean now for the emerging domain of medical app development?
HIPAA requirements do not apply to all medical apps, so it is crucial to understand which criteria dictate whether or not your app falls under HIPAA regulations before the app is developed.
For example, in our previous article we mentioned that medical apps that allow you to share your personal information with doctors through large health and fitness platforms, such as HealthKit and Google Fit, must comply with these regulations. Providers of certain fitness apps (e.g. run trackers), however, do not need to comply. In other words, if an app is designed to store information but not share it, HIPAA rules are not applicable. Let’s explore the subject further.
Which medical apps need to comply with HIPAA rules
There are three major criteria that define whether or not an app will be regulated by HIPAA:
- The type of entity that uses the app
- The type of data the app generates/stores/shares
- The type of software (encrypted or not) that powers the app.
Let’s take a closer look at each of these criteria:
I. Entity (Who Uses the App)
If an app is used by a covered entity, such as a physician, hospital, or health plan, it will most likely need to comply with HIPAA regulations.
For example, if you are planning to design an app that will facilitate doctor-patient interactions, the app will need to comply with HIPAA because a doctor represents a “covered entity” (i.e. the hospital they work for). At the same time, any app that helps a user follow a prescribed medication schedule doesn’t fall under HIPAA because there is no covered entity involved (that is, if the patient inputs information by themselves and a doctor does not see it).
According to the US Department of Health and Human Services, the full list of covered entities includes:
- Health plans
- Health care clearing houses
- Health care providers who conduct certain financial and administrative transactions electronically, such as electronic billing and fund transfers, and for which standards have been adopted by the Secretary under HIPAA.
The above-listed “covered entities” are bound by the privacy standards even if they contract with others (called “business associates”) to perform some of their essential functions. The law does not give the US Department of Health and Human Services (HHS) the authority to regulate other types of private businesses or public agencies. If you need to check whether a particular entity will be regulated by HIPAA, you should look at these US government guidelines.
II. Data (What the App Generates, Stores, and Shares)
HIPAA is primarily interested in what is called Protected Health Information (or PHI), which is any information in the medical record that can be used to identify an individual, as well as data that was created, used, or disclosed in the course of providing a health care service such as diagnosis or treatment.
PHI may include personal data, facial images, fingerprints, or voiceprints, and can be associated with medical records, biological specimens, biometrics, and data sets. Direct identifiers of research subjects in clinical trials can also be considered PHI.
HIPAA regulations allow researchers to access and use PHI when they need to conduct studies such as a clinical trial. However, HIPAA only affects research that uses, creates, or discloses PHI that will be entered into the medical record, or will be used for healthcare services such as treatment, payment, or operations.
Only when personal data is connected with medical data does it become PHI.
According to the US Department of Health and Human Services, there are 18 classes of personal information that (in combination with health data) constitute PHI. Here is the full list:
- All geographical subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes
- Dates directly related to an individual, including birth date, admission date, discharge date, date of death
- Phone numbers
- Fax numbers
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Web URLs
- IP addresses
- Biometric identifiers, including finger and voice prints
- Full face photographic images and any comparable images
- Any other unique identifying number, characteristic, or code.
In short: If the information that is stored and shared in the app is individually identifiable (e.g. a patient’s profile that contains first and last name and can be traced back to a particular patient), then an app must comply with HIPAA requirements. The same applies when all sensitive data is stored on a third-party server.
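The rule in the two paragraphs above (identifiers plus health data equals PHI) is easy to encode as a pre-flight check before a record is logged, pushed to a notification, or handed to a third-party server. The following scanner is an added example, not code from the original article; the identifier classes follow the HHS list reproduced above (plus names, which the paragraph above treats as identifying), and the regexes, field names, and sample record are constructed heuristics for illustration rather than a complete Safe Harbor implementation.

```python
"""Flag HHS identifier classes in a record and decide whether it is PHI.

Constructed example: the patterns and field names are illustrative heuristics.
"""
import re
from typing import Any, Dict, Iterator, List, Tuple

# Identifier classes recognisable by the shape of the value.
PATTERN_CLASSES = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone_or_fax": re.compile(r"(?<!\d)\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}(?!\d)"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "web_url": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
    "date": re.compile(r"\b\d{4}-\d{2}-\d{2}\b|\b\d{1,2}/\d{1,2}/\d{4}\b"),
    "zip_code": re.compile(r"\b\d{5}(?:-\d{4})?\b"),
}

# Identifier classes recognisable by the field name the value is stored under.
FIELD_CLASSES = {
    "name": {"name", "first_name", "last_name", "patient_name"},
    "geographic": {"street", "address", "city", "county", "precinct",
                   "zip", "zip_code", "postal_code", "geocode"},
    "medical_record_number": {"mrn", "medical_record_number"},
    "health_plan_number": {"beneficiary_number", "member_id"},
    "account_number": {"account", "account_number"},
    "certificate_or_license": {"license", "license_number", "certificate"},
    "vehicle_identifier": {"vin", "license_plate"},
    "device_identifier": {"device_id", "imei", "serial_number"},
    "biometric": {"fingerprint", "voiceprint", "iris"},
    "full_face_image": {"photo", "face_image"},
}

# Fields whose presence makes the record health data (hypothetical set).
HEALTH_FIELDS = {"diagnosis", "treatment", "medication", "condition",
                 "lab_result", "procedure"}

# Constructed sample record: an identifiable patient plus an encounter.
SAMPLE_RECORD = {
    "patient": {"name": "Jane Doe", "phone": "(555) 123-4567",
                "address": "12 Elm St", "zip": "02139"},
    "encounter": {"diagnosis": "hypertension", "admitted": "2023-01-15"},
}


def _walk(obj: Any, path: str = "") -> Iterator[Tuple[str, Any]]:
    """Yield (dotted path, leaf value) for every leaf in a nested structure."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from _walk(value, f"{path}.{key}" if path else str(key))
    elif isinstance(obj, (list, tuple)):
        for index, value in enumerate(obj):
            yield from _walk(value, f"{path}[{index}]")
    else:
        yield path, obj


def _leaf_name(path: str) -> str:
    return path.split(".")[-1].split("[")[0].lower()


def find_identifiers(record: Dict[str, Any]) -> Dict[str, List[str]]:
    """Map each identifier class found to the paths where it occurred."""
    hits: Dict[str, List[str]] = {}
    for path, value in _walk(record):
        leaf = _leaf_name(path)
        for cls, names in FIELD_CLASSES.items():
            if leaf in names:
                hits.setdefault(cls, []).append(path)
        if isinstance(value, str):
            for cls, pattern in PATTERN_CLASSES.items():
                if pattern.search(value):
                    hits.setdefault(cls, []).append(path)
    return hits


def has_health_data(record: Dict[str, Any]) -> bool:
    return any(_leaf_name(path) in HEALTH_FIELDS for path, _ in _walk(record))


def is_phi(record: Dict[str, Any]) -> bool:
    """Identifiers alone or health data alone are not PHI; the combination is."""
    return bool(find_identifiers(record)) and has_health_data(record)


if __name__ == "__main__":
    print(find_identifiers(SAMPLE_RECORD))
    print("PHI:", is_phi(SAMPLE_RECORD))
```

Because `is_phi` requires both halves, a de-identified dataset (diagnosis plus an age band) and a bare contact list both come back negative, while the sample record is flagged on name, phone, address, zip code and admission date.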
III. Software Security
The last criterion that determines whether or not a medical app falls under HIPAA is directly related to the technology employed and covers a number of standards for protecting Electronic Protected Health Information (EPHI) and controlling access to it.
The standards include audit controls, integrity, and access controls.
The Audit Controls standard means that a medical app developer needs to implement hardware, software, and/or procedural mechanisms that record and examine activities in systems that contain or use EPHI.
The Integrity standard requires a covered entity to implement policies and procedures to protect EPHI from improper alteration or destruction.
In order to discuss the Access Controls standard, let’s look at its implementation specifications in greater detail:
1. Unique User Identification. It’s important to note that the format of the user ID matters less than the fact that nobody other than the user needs to remember it. In this regard, an email address isn’t a fitting option.
Proof of identity for authentication can be implemented in the following ways:
- password or PIN
- a smart card, a token, or a key
- biometric data. Examples of biometrics include fingerprints, voice patterns, facial patterns or iris patterns.
2. Emergency Access Procedure. An emergency is a situation in which normal environmental systems, such as electrical power, have been severely damaged or rendered inoperative due to a natural or man-made disaster. In the case of an emergency there has to be a way for the covered entities to gain access to needed EPHI.
3. Automatic Logoff. When an app is left unattended for a long period of time, an automatic logoff can serve as an effective way to prevent unauthorized users from accessing EPHI.
Medical app providers should also make sure that no app notifications that appear on a user’s device contain sensitive health information. Notifications can pop up even if a phone is not active, and this means that they can potentially violate patient privacy.
4. Encryption and Decryption
Important: Encrypt your data at all stages.
Some apps allow for the exchange of information with doctors and medical facilities through email as one of several communication methods, although using email to send sensitive data is often not HIPAA compliant.
According to HIPAA regulations, the information in a medical app should be encrypted at all times. But the majority of email systems do not support encryption. There are some exceptions, however.
Virtru, for example, is specifically designed for patients and doctors. It offers the easiest and most secure way for healthcare organizations to send messages and attachments that comply with the EPHI requirements of HIPAA. Virtru integrates into email services that physicians, administrators, and patients are already using, and ensures that communications are secure.
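The Access Controls specifications listed above (unique user identification, automatic logoff) and the Audit Controls standard are mostly a matter of session and logging discipline in the app's backend. The class below is an added example written for this article, not code from the original page or from any product mentioned in it; the idle timeout, the in-memory record store, and the audit record shape are assumptions constructed for illustration. User IDs are opaque values the system remembers, so no email address is used as an identifier.

```python
"""Session handling that enforces unique user IDs, automatic logoff and an
audit trail for every EPHI access attempt. Constructed example."""
import time
import uuid
from typing import Any, Callable, Dict, List, Optional

# Hypothetical policy value: HIPAA requires automatic logoff but sets no number.
IDLE_TIMEOUT_SECONDS = 15 * 60

# Constructed sample EPHI store: record id -> record.
RECORDS: Dict[str, Dict[str, str]] = {
    "rec-001": {"patient": "Jane Doe", "diagnosis": "hypertension"},
}


def assign_user_id() -> str:
    """Unique User Identification: an opaque ID the system, not the user, keeps."""
    return uuid.uuid4().hex


class EphiSessionManager:
    def __init__(self, idle_timeout: float = IDLE_TIMEOUT_SECONDS,
                 clock: Callable[[], float] = time.time) -> None:
        self.idle_timeout = idle_timeout
        self.clock = clock                        # injectable for deterministic tests
        self.sessions: Dict[str, Dict[str, Any]] = {}   # token -> user_id, last_seen
        self.audit_log: List[Dict[str, Any]] = []       # Audit Controls: every attempt

    def _audit(self, event: str, user_id: Optional[str], detail: str = "") -> None:
        self.audit_log.append({"ts": self.clock(), "event": event,
                               "user_id": user_id, "detail": detail})

    def login(self, user_id: str) -> str:
        """Authentication itself (password, token, biometric) happens before this."""
        token = uuid.uuid4().hex
        self.sessions[token] = {"user_id": user_id, "last_seen": self.clock()}
        self._audit("login", user_id)
        return token

    def access_record(self, token: str, record_id: str) -> Optional[Dict[str, str]]:
        """Return the record, or None when the session is missing or has gone idle."""
        sess = self.sessions.get(token)
        if sess is None:
            self._audit("denied", None, f"no session for {record_id}")
            return None
        now = self.clock()
        idle = now - sess["last_seen"]
        if idle > self.idle_timeout:
            # Automatic Logoff: drop the session instead of serving the record.
            del self.sessions[token]
            self._audit("auto_logoff", sess["user_id"], f"idle {idle:.0f}s")
            return None
        sess["last_seen"] = now
        self._audit("read", sess["user_id"], record_id)
        return RECORDS.get(record_id)


if __name__ == "__main__":
    manager = EphiSessionManager()
    token = manager.login(assign_user_id())
    print(manager.access_record(token, "rec-001"))
    for entry in manager.audit_log:
        print(entry)
```

The audit log records denied and timed-out attempts as well as successful reads, which is what the Audit Controls standard asks for: the mechanism must let you examine activity, not just successes.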
These are the main criteria to consider when determining compliance with HIPAA regulations for mobile healthcare app development for the US market. For more detailed and technical guidelines, see Security Standards: Technical Safeguards, published by the Department of Health and Human Services.
Wearables and medical devices
Wearable devices are an essential part of the connected health trend, and a lot of people are concerned about potential privacy breaches that can happen if the data shared by a wearable is not secure. Do HIPAA regulations apply to wearable devices? The answer is yes and no. Imagine a situation in which a user goes to a store and purchases a wearable device (a fitness tracker, for example). The company that made this device is not a HIPAA covered entity; therefore the data that this device collects and shares will not be protected under HIPAA.
At the same time, if a user were to get a wearable from his doctor in the hospital (for example, a portable heart rate monitor), the health data this device collects will be covered by HIPAA because it came from the hospital (i.e. an entity that is covered by HIPAA).
Keep in mind that HIPAA is not the only set of regulations that healthcare app developers should be familiar with. When developing medical software for wearable devices in the US market, it is important to make sure that they also comply with applicable FDA regulations, not only with HIPAA.
FDA stands for the Food and Drug Administration, a federal agency of the United States Department of Health and Human Services. The FDA is responsible for protecting public health through the regulation and supervision of food safety, medications, medical devices, and other products related to food and drugs.
From the FDA’s perspective, a mobile app is itself considered a medical device if:
- It is used as an accessory to a regulated medical device; or
- It is used to transform a mobile platform into a regulated medical device.
In both of these cases, FDA guidelines for medical devices will also apply to mobile apps.
It is evident that mHealth apps will continue increasing in importance for the healthcare industry. Medical apps are beneficial for both healthcare professionals and medical app developers.
Even though HIPAA and other relevant regulations may seem cumbersome, by complying with them healthcare app developers can offer innovative medical solutions for a booming market.