Coding Tips

5 Ways to Create a Safe and HIPAA Compliant Mobile Health App

Technological advances have revolutionized the healthcare industry. Driven by giants like Apple and Samsung, healthcare smartphone accessory sales are expected to exceed $3 billion by 2019. From seasoned veterans to startups, everyone seems to have jumped on the bandwagon to provide mobile healthcare solutions. Some have been found to comply with security and safety standards while others haven’t.

All apps need to be designed to be both safe and secure and when it comes to healthcare, it becomes even more important to comply with government rules like the HIPAA (Health Insurance Portability and Accountability Act). The act was passed by congress in 1996 and HIPAA was developed to help transfer and continue health insurance coverage when individuals change or lose their jobs. Further, it is designed to reduce fraud and to create an industry wide standard for electronic health functions. Further, the regulation mandates privacy for all users.

So if you’re interested in developing eHealth applications there are certain aspects of the development process that need to be thorough to reduce the risk of deficiencies when it comes to compliance. To make sure that security and data regulatory standards are met, pay attention to the following:

1. What’s the Purpose of the App?

When designing an app, it’s important to be very clear about the purpose of the health related app. How the app will function and who is using it will dictate how it will be governed. Regardless of how it was designed, it’s imperative to anticipate how it’s going to be used. Once you’re clear about the app's purpose, then you will need to better understand the target audience.

Working with expert developers of healthcare apps will help make this process easier. As HIPAA compliance can be violated easily, experience can be crucial to keep things legal. For example, you may have developed an app to collect and use anonymous data. Now this would not violate any HIPAA regulations, however if the user starts to save and transmit Patient Health Information (PHI), then the regulation comes into play. So it’s crucial to fully understand how the app will be used to ensure compliance. Violating these government regulations can result for any business in lawsuits and fines.

2. What are the Legal Parameters?

It’s also a good idea to investigate all the legislative drivers governing healthcare to better understand what’s required when it comes to compliance before even building the app. A good place to start is the HIPAA check list, but it’s best to take it a step further and get a lawyer involved. Diverse apps will require diverse levels of HIPAA compliance, so an experienced app developer and a legal professional can help ensure safety and compliance.

HIPPA compliance is essential for mobile apps that use personally identifiable data and apps that share personally identifiable data with healthcare providers. Understanding your app’s footprint and legal parameters will enable the creation of an app that maintains privacy and security. For example, if you intend to store data on the app itself, then regulation will come into play. If the information is stored on a secure sever that is accessed by the app (zero footprint), it becomes a lot easier to stay compliant.

If you intend to build an app that will store personally identifiable data on the app, it is important to consider the following:

  • If the smart phone or wearable device gets stolen and the PHI is unencrypted, you will be looking at a fine
  • The device can accidentally post sensitive data on social media
  • The purposeful sharing of personal data between app users can violate federal law
  • Some push notifications can violate regulation
  • Mobile devices are not very secure as a result of weak passwords selected by users

3. Use Industry Best Practices as a Guide

There are some organizations that are leading authorities on the best practices to ensure compliance. The Workgroup for Electronic Data Interchange (WEDI) is a recognized authority in health IT and they have developed a best practices guideline to ensure compliance.

Check out a related article:

Another organization that does something similar is the Integrating the Healthcare Enterprise (IHE) which has a philosophy of developing a coordinated established standard. The aim here is to enable health technology systems to have seamless secure communication. These organizations provide a great guideline to keep in mind when embarking on developing the app.

It might also be useful to review the Mobile Medical Applications Guidance from the Food and Drug Administration.

4. Embrace Standards-based Coding Practices

In order for apps and devices to efficiently communicate with each other, a standard coding practice is essential. By employing standards-based coding and terms, it is more likely to communicate with others securely and efficiently.

To preserve security and enhanced communication, standards-based coding such as ICD-10, HL7, SNOMED and DICOM will be ideal to make secure communication a reality. In the same vein, to maintain privacy, encryption will be necessary. Again the best practices guidelines from WEDI and IHE will help to ascertain what data should be encrypted.

5. Keep the eHealth App User-Centric

Once you figured out all the federal laws and developed a mobile health app, incorporating a user-centric design will help increase adoption. Further, it will also help to maintain compliance across the board. What will dictate the success of the app would be the value of the information that is communicated. Further, keeping the app user-friendly will also influence the success of the app.

With experience, it becomes easier to develop user-friendly and user-centric apps. Expert consultation and repeated testing can be crucial to maintain HIPAA compliance.

There is a good chance that there will be aspects of the user experience that you might have missed. So it’s essential to repeatedly conduct tests in a controlled environment to ensure that privacy and security is not compromised at any stage.

Experts also believe that independent verification is essential as the developers and project managers can get very myopic when it comes to the app. So the argument for fresh set eyes to test the app is a good one. As violating federal law is as serious as it gets, it’s important to get all the help one can get.

Are you developing an eHealth app? What’s your understanding of HIPAA compliance? Please share your experience in the comment section below.

IT Storyteller and Copywriter
Andrew's current undertaking is big data analytics and AI as well as digital design and branding. He is a contributor to various publications with the focus on emerging technology and digital marketing.