October 18, 2017
Did you know that 8 out of 10 mHealth apps are prone to HIPAA violations, data theft and hacking? The last thing any organization developing an app wants is to ship an otherwise excellent app only to discover that it is not HIPAA compliant, wasting a great deal of time and resources in the process.
HIPAA is the acronym for the Health Insurance Portability and Accountability Act. The United States Congress enacted this law in 1996 to protect the privacy of individuals' medical records and personal health information. It covers all "individually identifiable health information", known as Protected Health Information (PHI), and regulates how that information is stored, used and shared. The law applies to covered entities (health plans, healthcare clearinghouses and healthcare providers) and, through business associate agreements, to the vendors that handle PHI on their behalf, which is how an app developer usually comes under it.
There is much confusion about what counts as PHI and when an app is subject to HIPAA. Health data is increasingly stored and shared through technology, including mobile apps, and HIPAA itself contains no app-specific instructions. The deciding question is not the kind of data the app collects but whether the app creates, receives, maintains or transmits PHI on behalf of a covered entity or business associate.
A standalone consumer app that records a user's weight, calorie intake or workouts for that user alone generally does not have to be compliant. Apps used by medical personnel, or that exchange data with a hospital, clinic or insurer, are the ones that need to be. HIPAA violations can also be very expensive: civil penalties range from USD 100 to USD 50,000 per violation depending on the level of culpability, with an annual cap (USD 1.5 million per provision at the time of writing) for repeated violations of the same requirement.
1. Planning the Line of Action According to HIPAA
This is one of the most common mistakes made when developing an mHealth app. Developers "plan" for a HIPAA compliant app as a paperwork exercise and overlook the most crucial aspect: data security. That approach is not only time consuming but creates complexity later, because compliance has to be bolted onto an app whose design never considered it.
We recommend first aiming for a highly secure mobile app built to the strongest security measures in the industry. HIPAA's Security Rule requires administrative, physical and technical safeguards for electronic PHI; if the app already encrypts PHI in transit and at rest, enforces authentication and least-privilege access to records, and keeps audit logs of who accessed what and when, much of the compliance work is already done and the rest follows naturally.
Demonstrating HIPAA compliance for your app becomes a much simpler task if developers build it according to established industry security standards and frameworks from the start.
2. Misuse of Push Notifications
Sending a "wrong" push notification can result in a HIPAA violation.
Push notifications are usually used to tell users about changes or updates in an app, but their content is not under the app's control: the payload is relayed through Apple's or Google's notification service and is typically displayed on the lock screen, where anyone holding the phone can read it.
App developers should note that sending Protected Health Information (PHI) in a push notification can therefore violate HIPAA. The safe pattern is to push only a generic notice and an opaque reference, and have the app fetch the actual content over an authenticated, encrypted connection once the user has unlocked it.
3. Violations in Messaging
Text messaging is extremely useful for boosting doctor and patient engagement.
If a message contains PHI, it should be sent only through a channel the organization has assessed as compliant, such as its own app, with the message encrypted in transit and at rest. It cannot be sent through ordinary email or SMS, which are not end-to-end encrypted and whose providers have normally not signed a business associate agreement with the organization.
If sending PHI by email is unavoidable, integrate an email service provider that offers encryption and will sign a business associate agreement with the organization.
Sending PHI to users through general-purpose consumer messaging apps can likewise result in a HIPAA violation.
4. Taking approval from the FDA
Depending on the app's functions, services and features, there is a real possibility that the FDA (US Food and Drug Administration) will consider it a medical device, for example if it is intended to diagnose or treat a condition or to control a regulated medical device. If the app falls under that definition it must comply with an additional set of FDA regulations, separate from HIPAA; the FDA has published guidance on mobile medical applications describing which kinds of apps it intends to regulate.
It is highly advisable not to launch the app until it is clear whether it will be treated as a medical device.
5. Phone Security
If a user's phone is lost or stolen, there is a high chance of PHI leakage. App developers should take steps to protect PHI even when the device is in someone else's hands: keep as little PHI on the device as the app genuinely needs, encrypt whatever is stored locally with a key held in the platform keystore rather than in the app's own files, require the user to authenticate to the app again after a short idle timeout, and give the organization a way to revoke the app's session and wipe its data remotely.
Developers can also recommend that users enable a passcode or biometric lock on the device itself. The prompt can be shown as soon as the user installs the app, and the app can check at runtime whether a device passcode is set (iOS and Android both expose this to apps) and refuse to cache PHI locally if it is not.
While we have covered some of the most important mistakes and violations, it is always advisable for organizations and app developers to consult an attorney or a company with prior experience in the field of mHealth. You could also reach out to companies that specialize in auditing apps. As mentioned earlier, you do not want to go all out on app development only to realize later that the app is not HIPAA compliant.
Having worked with numerous healthcare clients such as US Health Works, we at TechJini provide a free consultation on HIPAA compliance.