As an ever-increasing number of health-conscious apps hit the market, many tech companies are being forced to re-evaluate how they handle and secure data being transmitted via their app. If you or your business are actively considering, or are already in the process of building a mobile health (mHealth) app, you should acquaint yourself with the term ‘HIPAA compliance’. Not all mHealth apps have to be HIPAA compliant as there is a very specific set of factors that determines if your app will be held to those standards. We’ve put together a general guide that can help you and your business better understand what exactly HIPAA is and if it applies to your mHealth app.
HIPAA stands for Health Insurance Portability and Accountability Act. Enacted by Congress in 1996, HIPAA seeks to protect and keep private the medical records and personal health information (PHI) of all patients. It regulates how doctors, health facilities, and other medical-related businesses record, store, and manage each patient’s PHI. This extends to electronic PHI records as well, which include mobile apps. It covers both physical as well as electronic security standards that protect the individual’s privacy. PHI is defined as any personal health information that can potentially identify an individual, that was created, used, or disclosed in the course of providing healthcare services, whether it was a diagnosis or treatment. Put simply, PHI is the personally identifiable information that appears in your medical records as well as conversations between healthcare staff such as doctors and nurses regarding a patient’s treatment.
Failing to comply with HIPAA guidelines can result in rather severe penalties for you and your business. Fines for noncompliance depend upon the severity of negligence, and can range anywhere from $100 to $50,000 per violation up to a maximum fine of $1.5 million per year. Certain violations also carry criminal charges that can result in potential jail time and additional fines. The most severe offenses can result in a 10 year jail sentence with a $250,000 fine per violation. The gravity of these penalties reflects just how serious and important the issue of protecting health information is.
HIPAA violations can happen in many different ways, but the most common instances can be boiled down to a few categories: unsecured/unencrypted patient records, insufficient employee training, improper disposal of patient PHI, and loss/theft of devices. Electronic medical records and data that have either no encryption or weak encryption can be hacked and stolen by criminals who turn a profit by selling them on the black market. Poor employee training could lead to HIPAA violations through incidents such as discussing patient details in a public setting or posting about patients on social media. When PHI and medical records are no longer needed, they must be disposed of properly so that they do not end up in the wrong hands. For electronic medical records, this means clearing (overwriting), purging (degaussing), or outright destroying the device.
One of the most common causes of HIPAA violations is the loss or theft of a device with PHI on it. A phone, tablet, or computer with sensitive patient data is a prime target for criminals and hackers. Strong encryption and security features may help deter would-be thieves, but the easiest way to avoid potential theft is to not let them get their hands on the device in the first place.
Now that you have a better understanding of what HIPAA is and how important it is to remain within the guidelines, the next step is determining whether or not your app must be HIPAA compliant. The key component is whether or not your app will collect and share data that could be utilized to identify the user. That is trickier and more nuanced than it sounds, as certain pieces of data may seem harmless at face value, but could be incredibly damaging in the hands of a resourceful hacker. A birthday and zip code are meaningless pieces of data for the average person, but all it takes is a quick comb through census data to narrow down the list of potential victims.
One of the most important aspects of determining if your app falls under HIPAA guidelines is whether or not your app will be sharing data with others. Popular apps such as MyFitnessPal, Wahoo Fitness, Fitbit, and Runkeeper do not fall under the scope of HIPAA. Why? Because they only focus on tracking non-identifiable factors such as distance ran, steps taken, calories burned, heart rate, blood sugar levels, food eaten, and weight changes. None of those data points could be stolen and used for nefarious purposes. This kind of information is not considered to be PHI, but is instead referred to as Consumer Health Information.
Moreover, these apps aren’t storing and then sharing the user’s information with a third party (such as doctors and healthcare professionals). Because data is not being transmitted, there isn’t a need for Transport Layer Security (TLS) or cipher suites for high levels of data encryption.
Examples of apps that do fall under the scope of HIPAA include popular mHealth apps such as Aetna Health and HealthTap. Aetna Health helps to diagnose possible illness by asking the user a series of questions designed to pinpoint symptoms. It then uses that information to help match the user up with a qualified and suitable healthcare professional to begin treatment. Aetna Health also stores medication, prescription, and appointment data that can be shared with others.
HealthTap allows users to network and connect with doctors via the app through texting, live video calls, and discussion forums. Essentially functioning as a virtual doctor's visit, HealthTap allows the patient and doctor to have in-depth discussions about health issues, symptoms, and treatment plans from the comfort of their own home.
Because apps like Aetna Health and HealthTap connect patients with actual licensed medical doctors capable of diagnosing health issues, treating symptoms, and prescribing medications, they fall under the HIPAA guidelines.
Is your mobile app going to collect, store, or transmit any PHI such as lab results, pharmaceutical prescriptions, or billing and insurance information? If the answer is yes, you will need to be HIPAA compliant. If the answer is no, there is still one more step before you are in the clear. Will your mobile app have the capacity to collect, store, or share any PHI (even if the features are disabled/unused)? If yes, then your app must be HIPAA compliant. Before starting the development process of your application, we suggest evaluating your specific app’s functionality and data collected to determine if you must be HIPAA compliant.
Contact us to see why the brightest companies trust Lithios.
Get in touch