HIPAA Compliant App Development: Key Principles And Tips
Gil Vidals
CEO HIPAA Vault | Healthcare Cloud Expert | HIPAA Compliant Cloud | Managed Web Hosting
by Stephen Trout
The world has gone mobile, and healthcare will never be the same.
Ever since their first appearance in Apple’s App Store in 2008, healthcare apps have exploded out of the gate and haven’t looked back.
(Apparently, Mr. Jobs was approached about a fledgling healthcare app all the way back in 1977, but wasn’t ready to pull the trigger; that’s another story.)
In our day of ubiquitous smartphones, the app stores are brimming with a host of exciting new possibilities:
“Healthy lifestyle” and wellness apps abound; smart apps for diet and exercise – even to help track vital health measures like blood pressure, diabetes, sleep patterns, and water consumption – appear regularly.
Yet even as patients are tapping apps to improve their own health, providers themselves are increasingly leveraging mobile health (mHealth) apps as part of their regular “instruments of care”:
Clearly, the mHealth market has become big business, with all estimates projecting a bright future:
Valued at $50.7 billion globally in 2021, the mobile healthcare market will likely reach $639.4 billion by 2028.
Opportunities and Challenges
All this to say, as a healthcare app developer, you’re ready to seize the moment. You’ll do this with effective patient engagement in mind; highlighting a provider’s services is also key.
In the end, you hope to clarify your brand and maximize usability so the patient and healthcare practice thrive.
“But wait,” you say, “how do HIPAA regulations (first enacted in 1996 to outline the lawful use of protected health information, or PHI) apply to me, as a developer?”
A great question!
First, understand that HIPAA regulations are chiefly concerned with “3 pillars”: the confidentiality, integrity, and availability of PHI.
Practically, this means that providers and their patients need health data that is free from corruption, and that remains private and accessible. In this way, critical health treatments will not be hindered.
So here’s the bottom-line answer to your query:
Yes, HIPAA regulations apply to you if your app will handle PHI for a covered entity.
Note: for actual consumer scenarios involving app usage, and to help determine whether you require HIPAA-compliant app development, see this helpful publication from HHS: Health App Use Scenarios & HIPAA.
“Thanks – what’s a Covered Entity?”
Another excellent question.
As defined by the National Institutes of Health, covered entities are
Lest you think you’re off the hook, however, all third-party healthcare app developers should take note: the NIH also points out that:
“… the Privacy Rule also protects individually identifiable health information when it is created or maintained by a person or entity conducting certain functions on behalf of a covered entity—a business associate.”
So, What Data will your App Handle?
If your app collects, uses, stores, or transmits protected health information in the context of providing services to a covered entity, you are a business associate and HIPAA applies to you.
We pause to note that not all apps that handle health information are necessarily subject to HIPAA. As stated by the HIPAA Journal,
“A good example would be health trackers – either physical devices worn on the body or apps on mobile phones. These devices can record health information such as heart rate or blood pressure, which would be considered PHI under HIPAA Rules if the information was recorded by a healthcare provider or was used by a health plan.”
Since the apps for many of these trackers are designed for personal use – not to share collected or recorded data with a health provider or plan – such apps would not, therefore, be HIPAA regulated.
A Quick Refresher: What is PHI?
While we’re at it, you also need to know what constitutes protected health information, or PHI. The HIPAA Journal again provides us with a nice summary:
“PHI is any health information that can be tied to an individual, which under HIPAA means protected health information includes one or more of the following 18 identifiers. If these identifiers are removed the information is considered de-identified protected health information, which is not subject to the restrictions of the HIPAA Privacy Rule”:
Names
Dates, except the year
Telephone numbers
Geographic data
FAX numbers
Social Security numbers
Email addresses
Medical record numbers
Account numbers
Health plan beneficiary numbers
Certificate/license numbers
Vehicle identifiers and serial numbers including license plates
Web URLs
Device identifiers and serial numbers
Internet protocol addresses
Full-face photos and comparable images
Biometric identifiers (i.e. retinal scan, fingerprints)
Any unique identifying number or code
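To make the identifier list concrete, here is an added example (not code from the original article or from HIPAA Vault) that checks a patient record against several of the categories above and produces a de-identified copy: direct identifier fields are dropped, dates are reduced to the year, and identifiers that leak into free-text fields are redacted. The record, the field names, and the regular expressions are all constructed for the example; a production de-identification routine would need to cover all 18 categories and the HHS Safe Harbor rules in full.

```python
import re

# Constructed sample record for the example. This is not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Example",                 # Names
    "dob": "1984-03-17",                    # Dates, except the year
    "phone": "555-0143",                    # Telephone numbers
    "email": "jane@example.com",            # Email addresses
    "mrn": "MRN-00042",                     # Medical record numbers
    "ip": "203.0.113.7",                    # Internet protocol addresses
    "zip": "90210",                         # Geographic data
    "diagnosis": "Type 2 diabetes",         # clinical content, not an identifier
    "hba1c": 7.1,                           # clinical content, not an identifier
    "visit_date": "2023-09-04",             # Dates, except the year
    "notes": "Call 555-0199 re: results",   # identifier leaking into free text
}

# Assumed field names mapped to the Safe Harbor category they carry.
DIRECT_IDENTIFIER_FIELDS = {
    "name": "Names",
    "phone": "Telephone numbers",
    "email": "Email addresses",
    "mrn": "Medical record numbers",
    "ip": "Internet protocol addresses",
    "ssn": "Social Security numbers",
    "zip": "Geographic data",
}
DATE_FIELDS = {"dob", "visit_date", "admit_date", "discharge_date"}
FULL_DATE = re.compile(r"\d{4}-\d{2}-\d{2}")

# Patterns that catch identifiers typed into free-text fields such as notes.
FREE_TEXT_PATTERNS = {
    "Social Security numbers": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "Email addresses": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "Internet protocol addresses": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "Telephone numbers": re.compile(r"\b(?:\d{3}-)?\d{3}-\d{4}\b"),
}


def find_identifiers(record):
    """Return (field, category) pairs for every identifier still present."""
    found = []
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            found.append((field, DIRECT_IDENTIFIER_FIELDS[field]))
        elif field in DATE_FIELDS and isinstance(value, str) and FULL_DATE.fullmatch(value):
            found.append((field, "Dates, except the year"))
        elif isinstance(value, str):
            for category, pattern in FREE_TEXT_PATTERNS.items():
                if pattern.search(value):
                    found.append((field, category))
    return found


def deidentify(record):
    """Return a copy with direct identifiers dropped, dates cut to the year,
    and free-text identifiers redacted. Clinical values are left untouched."""
    clean = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue  # remove the field entirely
        if field in DATE_FIELDS and isinstance(value, str) and FULL_DATE.fullmatch(value):
            clean[field] = value[:4]  # keep only the year
            continue
        if isinstance(value, str):
            for pattern in FREE_TEXT_PATTERNS.values():
                value = pattern.sub("[REDACTED]", value)
        clean[field] = value
    return clean


if __name__ == "__main__":
    print("identifiers found:", find_identifiers(SAMPLE_RECORD))
    print("de-identified record:", deidentify(SAMPLE_RECORD))
```

Running `find_identifiers` on the output of `deidentify` should return an empty list; that check is a useful unit test to keep beside any export or analytics path that is supposed to emit only de-identified data.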
As we’ll see, all HIPAA-covered entities and their business associates – including those involved in HIPAA-compliant app development – need to ensure that PHI is protected with the appropriate technical, physical, and administrative safeguards. These safeguards are the heart of the HIPAA Security Rule.
Preparing your Company for HIPAA
Before we review the Security Rule, as a healthcare developer, it’s important to know what’s at stake.
When a HIPAA auditor comes knocking at your door, know that they’ll be looking at more than just your new app. They’ll examine your company as a whole, concerned to find any existing or potential liabilities or “holes” in your procedures, practices, and overall security.
In essence, they’ll want to see how your organization is maintaining HIPAA-compliant practices on a daily basis. (For some help getting started on this, download our Free Compliance Checklist here.)
So if you haven’t done it, now’s the time to formulate and execute a thorough?risk assessment of PHI?in your organization – examining how sensitive data will flow and be stored, and all potential vulnerabilities that may potentially compromise it.
The risks of?not?doing so can be staggering:
An annual?study?by the Ponemon Institute saw the average total cost for healthcare breaches increase to $10.1 million in 2022.
You simply can’t afford the cost of a HIPAA fine, a lawsuit from angry patients, or the negative reputation that goes with a breach of patient data.
Becoming Compliant
Here’s another foundational issue that dovetails closely with the Security Rule:
Your organization’s compliance won’t be achieved by running out and purchasing a certification, or even completing a course. Plenty of helpful courses exist, but none actually “make” you compliant.
HIPAA compliance is more like a ‘snapshot in time’ of your actual practices; meaning, you might have compliant procedures being closely followed in one moment and sacrificed by a lapse in practice the next.
No mistakes may be made today, but tomorrow a document may be left in an insecure place, or an employee will fall prey to a social engineering “phishing” scheme, allowing hackers to discover their password and enter your network.
Before you know it, you’ve been breached, unable to access your data.
Your goal, therefore – consistent with regular risk assessments – should be to try to anticipate breaches before they happen. Being cognizant of your information life cycle helps you to ensure that all steps in the process are fundamentally sound from a security perspective.
Consider teaching your employees about HIPAA at a fundamental level, and imparting a sense of what true security is – both in the digital and physical senses of the word.
Keys to Securing your App
As a healthcare developer, you need a secure, frictionless app that performs well and protects sensitive data if needed. To that end, you’ll want to keep in mind these FTC Best Practices, which you can find here.
As always, when HIPAA compliance is involved, following the Security Rule will be key.
The 3 facets of cybersecurity – people, processes, and technology – are addressed in the 3 HIPAA Safeguards: Technical, Administrative, and Physical.
I. Technical safeguards will help to protect your app and environment.
Four basic technical safeguards must be implemented:
1. Access Controls
Access controls are about granting rights and privileges to your system; they clarify who will be authorized to access applications, programs, and files that contain PHI.
Bearing the least privilege principle in mind (granting only those access privileges needed to those who are authorized to complete a given task), access controls consist of:
Users will have their own login credentials, and must not share them with other users. Strong passwords and Multifactor Authentication should be employed.
2. Audit Controls
HIPAA requires that a technical solution be implemented to monitor and log any changes to your system, and provide real-time feedback. This includes:
3. Integrity Controls
Patient health and safety depend upon the integrity of data. These protections help prevent the accidental or intentional alteration or deletion of protected health information.
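The three safeguards just described (access controls, audit controls, integrity controls) fit together naturally in code, so here is one added example covering all three. It is not code from the original article or from HIPAA Vault; the users, roles, and permission table are constructed, and the audit log is a hypothetical in-memory design. Each user has their own account and must have passed MFA; a role table grants only the (resource, action) pairs a role needs; and every decision, allowed or denied, is appended to an audit log whose entries are HMAC-chained, so that altering or deleting an entry after the fact is detectable.

```python
import hashlib
import hmac
import json
import time

# Constructed least-privilege role table: each role gets only the
# (resource, action) pairs it needs to do its job.
ROLE_PERMISSIONS = {
    "physician": {("chart", "read"), ("chart", "write")},
    "billing": {("chart", "read_billing")},
    "scheduler": set(),  # no PHI access at all
}

# Constructed user directory. Every person has their own account (no shared logins).
USERS = {
    "dr.lee": {"role": "physician", "mfa_enrolled": True},
    "billing01": {"role": "billing", "mfa_enrolled": True},
    "front.desk": {"role": "scheduler", "mfa_enrolled": False},
}


class AuditLog:
    """Append-only audit log. Each entry carries the MAC of the previous entry,
    so an altered, removed or reordered entry breaks the chain on verify()."""

    GENESIS = "0" * 64

    def __init__(self, key):
        self.key = key          # in practice: a key held by the logging service, not the app
        self.entries = []

    def _mac(self, body):
        payload = json.dumps(body, sort_keys=True).encode()
        return hmac.new(self.key, payload, hashlib.sha256).hexdigest()

    def record(self, event, ts=None):
        prev = self.entries[-1]["mac"] if self.entries else self.GENESIS
        entry = {"seq": len(self.entries), "prev": prev,
                 "ts": time.time() if ts is None else ts, **event}
        entry["mac"] = self._mac(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return True only if every entry is intact and correctly chained."""
        prev = self.GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "mac"}
            if entry["seq"] != i or entry["prev"] != prev:
                return False
            if not hmac.compare_digest(entry["mac"], self._mac(body)):
                return False
            prev = entry["mac"]
        return True


def authorize(user_id, mfa_passed, resource, action, log):
    """Access control decision with an audit record for every attempt."""
    user = USERS.get(user_id)
    if user is None:
        decision = "deny:unknown_user"
    elif not (user["mfa_enrolled"] and mfa_passed):
        decision = "deny:mfa_required"
    elif (resource, action) not in ROLE_PERMISSIONS[user["role"]]:
        decision = "deny:not_permitted"
    else:
        decision = "allow"
    log.record({"user": user_id, "resource": resource,
                "action": action, "decision": decision})
    return decision == "allow"


if __name__ == "__main__":
    log = AuditLog(b"constructed-demo-key")
    print(authorize("dr.lee", True, "chart", "write", log))       # True
    print(authorize("billing01", True, "chart", "write", log))    # False: not permitted
    print(authorize("front.desk", False, "chart", "read", log))   # False: no MFA
    print("log intact:", log.verify())
```

Denied attempts are logged as deliberately as allowed ones; a run of `deny:not_permitted` entries for one account is exactly the kind of signal an audit control is meant to surface in near real time.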
4. Transmission Security
These controls are meant to protect data against unauthorized access as it is transmitted through your communications network, including your WordPress site.
As mentioned, the industry standard for this is encryption.
II. Administrative Safeguards will help ensure regulations are followed.
III. Physical safeguards will provide tangible protections to you and your facility and patient data.
These include:
Once the 3 safeguards have been implemented, your app will need a compliant, scalable infrastructure; in addition, you may want to containerize the app. However, building this yourself can be complex.
Medical data needs a secure infrastructure – one built to preserve data integrity, availability, and privacy for HIPAA in both transit and storage. Providing this compliant infrastructure minimizes risks and liability to data.
If you have the expertise, you’ll derive excellent security benefits from packaging your app and its dependencies in a container.
Containers are an amazing technology, allowing you to increase the speed at which you can deploy applications, with greater flexibility, agility, and reduced cost. That’s because each container possesses all the self-contained code and system tools needed to run, requiring fewer resources.
As opposed to old bare metal or even VMs, a container orchestration tool like Kubernetes, for example, offers far greater resource efficiency, not to mention integrated security benefits.
This is because, whenever a new version of an application is deployed, the old container nodes and clusters are destroyed and new ones created from fresh images, rather than patched in place, which reduces the burden of ongoing security patching and updates.
Be sure to also encrypt all data moving in and out of your app (and containers).
PHI that passes through a container system and that will be stored on the app must be encrypted. End-to-end encryption with at least TLS (transport layer security) 1.2 is essential.
AES-256 (at rest in storage) and RSA 2048 (in transit) encryption will provide superior protections for your healthcare data.
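The TLS 1.2 minimum is easy to state and easy to get wrong in configuration, so here is an added example (not from the original article or from HIPAA Vault) using Python’s standard `ssl` module. It shows a weak client context beside a hardened one and a small policy check that flags the three settings an auditor would ask about: minimum protocol version, certificate verification, and hostname checking. The policy function and its messages are constructed for the example; encryption at rest (AES-256) is a separate storage-layer control and is not shown here.

```python
import ssl


def legacy_context():
    """The weak setting: TLS 1.0 still allowed and the server certificate
    never verified. Shown only as the 'before' for the policy check."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1
    except ValueError:
        # Some OpenSSL builds refuse TLS 1.0; fall back to "lowest available"
        # which is still below the TLS 1.2 floor this example enforces.
        ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def hardened_client_context(ca_file=None):
    """The corrected setting: TLS 1.2 floor, certificate required, hostname checked.
    ca_file is an assumed optional path to a private CA bundle."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def transmission_policy_violations(ctx):
    """Return a list of human-readable findings; empty means the context
    meets the transmission-security policy assumed by this example."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum TLS version is below 1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate is not required")
    if not ctx.check_hostname:
        findings.append("hostname verification is disabled")
    return findings


if __name__ == "__main__":
    print("legacy:  ", transmission_policy_violations(legacy_context()))
    print("hardened:", transmission_policy_violations(hardened_client_context()))
```

Wrapping every outbound PHI connection in `hardened_client_context()` rather than calling `ssl.SSLContext()` ad hoc gives you one place to raise the floor later (for example to TLS 1.3) and one function to unit-test against the policy check.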
Why not inherit a proven infrastructure instead?
Configuring containerized apps for protected health information can be complex. For example, applying automated scanning of containers at all stages of deployment is just one aspect of keeping images and registries safe from vulnerabilities.
Many developers have taken up the challenge, however, only to discover that meeting all the complexities of HIPAA-compliant hosting can be daunting. Thousands of hours later, mounting development costs, ongoing server security concerns, and looming audit requirements take their toll – and they’ve only just begun.
Here’s where inheriting a proven, fully-managed infrastructure with fully-managed security can save the day.
You’ll increase your profitability without the expensive server equipment and maintenance costs, and leave the day-to-day security, patching, and updates in the hands of proven security specialists who know HIPAA.
Additionally, the ability to offer a proven, fully comprehensive, end-to-end supported infrastructure solution that customers can trust will help you get up and running with your app fast.
Test Well
Finally, you’ll want to be sure your HIPAA checklist for testing your app includes:
These are just the basics of HIPAA-compliant app development. With all we’ve mentioned above, it’s clear that building a healthcare app can be daunting.
Don’t cut corners, but know that you can build wisely and economically with HIPAA Vault on your side.
Our comprehensive, end-to-end supported infrastructure solution can provide a solid foundation, and help you on the way to launching your successful new healthcare app.
HIPAA Vault is the leading provider of HIPAA-compliant solutions, enabling healthcare providers and business organizations to secure their protected health information from data breaches, threats, and security vulnerabilities. Customers trust HIPAA Vault to mitigate risk, actively monitor and protect their infrastructure, and ensure that systems stay online at all times. In addition to providing secure infrastructure and compliance for health companies, HIPAA Vault provides a full array of HIPAA solutions, including secure hosting, email, HIPAA WordPress, file sharing, and more.