The advent and explosive proliferation of mobile devices, particularly smartphones, has been one of the most profound developments in the history of information technology. An estimated 4.93 billion mobile phones are in use in 2018, and the number is expected to touch the 5 billion mark by 2019 (Statista.com). Smartphones brought with them thousands of mobile apps. Many are simple ones built for individuals or small groups, but some are meant for a wide range of user groups (social media) or for use across large companies (enterprise mobility solutions).
One such area of application is mobile apps for healthcare professionals. These mHealth apps connect a wide range of user groups, such as patients, medical staff, relatives, insurance company staff and pharmacies, to name a few. A great deal of useful audio, video, image and text information is exchanged between these groups in the course of healthcare activities.
However, one major concern in the use of these apps is potential non-compliance with HIPAA regulations, owing to the many risks associated with smartphones, such as data hacking, data theft, device theft and data loss. While the loss of data or of the device itself would be a concern for the hospital, the staff concerned and third parties such as health insurance companies, data falling into the wrong hands would mean a violation of the HIPAA privacy rules.
Since medical software in general, and mHealth apps in particular, exchange information about patients' health, personal, insurance and financial details, complying with the provisions of the HIPAA regulations is a necessity. Penalties for violations can range from a few hundred dollars to a few million dollars, besides civil and criminal penalties, depending on the degree of negligence and the nature of the violation. So how can one ensure that mHealth apps are HIPAA compliant?
All About HIPAA Law
What is HIPAA?
HIPAA stands for the Health Insurance Portability and Accountability Act, introduced in 1996. Although HIPAA is a regulation specific to the USA, equivalent regulations have been promulgated in many other countries.
HIPAA contains provisions on insurance applicable to patients, intended to regulate and increase the efficiency of the healthcare system. It additionally contains provisions on the privacy of patient information and on data security. The second part has become especially necessary with the proliferation of electronic patient information across various media and among the various healthcare stakeholders, including patients themselves.
Who needs HIPAA compliance?
All medical practitioners, including paramedical staff, and third parties (such as insurance and forwarding organizations and others in the medical chain) who create, modify or use patient information, together with all providers and makers of the information systems involved, are covered by the HIPAA regulations and must comply with their provisions, including those on privacy.
What are data security and PHI?
Before, during and after treatment, patients may share very personal information with medical and related professionals and staff for healthcare purposes. This data must be used only for the medical profession and related businesses such as pharmacy, pathology and insurance. Since it may contain sensitive information about the patient, it must be protected as private; in many countries this is a right as well as a privilege.
PHI, or Protected Health Information, is the term applied to all patient data that originates from the patient's side and may be shared with medical professionals via electronic media such as mobile apps. HIPAA compliance requires patient information to be treated as PHI once it is shared. If the information is not shared, it is not considered PHI.
How does HIPAA help patients?
HIPAA regulations help patients not only by maintaining the confidentiality of their information through upholding information privacy, but also by providing for penalties for violations in favor of patients whose data may have been leaked. The HIPAA regulations were primarily formed to enable more efficient and effective insurance coverage for patients across the country. Since data security and privacy could be compromised in this process, HIPAA has strict compliance provisions with extensive penalty clauses.
Looking to build your own mHealth App?
When planning to build a healthcare app, the security features of the mobile phone must be considered. A healthcare app can be considered trustworthy only if it supports HIPAA compliance and is itself compliant. The best way to achieve this is to think about the information security and privacy rules from the outset. The HIPAA privacy and security rules must be applied to every data exchange the app performs, to ensure that the app stays compliant.
It must be understood that, while entering data into a mobile device may not require HIPAA compliance, any attempt to transmit that data could (and probably will) make it PHI, so the privacy test must be applied at that point. Additionally, since HIPAA strives to improve the effectiveness and efficiency of healthcare for all patients, this too can be tested.
The planning stage should therefore consider all outgoing data in terms of the HIPAA regulations. This includes planning for the design, development, testing, pre-deployment and deployment stages. Planning should also foresee any applicable FDA regulations so that they can be considered in the subsequent stages.
The design stage of the mHealth app must explicitly include features that implement HIPAA compliance measures. Mobile app developers must ensure that the UI, data transactions (especially over the network), process flow and all other design features take care of the HIPAA standards. In particular, every push scenario (together with the justification for each push) must be documented, so that it can be addressed during the development and testing stages.
mHealth apps must be developed keeping the following two points in view:
- Avoid unnecessary data push: Mobile phones have a lot of data push built into various apps, communicated over the mobile network; in fact, data push is one of the strengths of mobile apps. Data can be pushed from the device or from a central application into mobile devices. In general, every push that could occur in the mHealth app must be reviewed, and any push that seems unnecessary must be inhibited in the implementation.
- Ensure data privacy and security: Preferably, mHealth apps should have their own login and password with a timeout feature, which keeps the data isolated and unavailable to anyone without authentication. All data must be encrypted by default and left encrypted, with a strong recommendation to the user to keep encryption on at all times. The password unlock facility must be genuine and strong, so that PHI is protected in all scenarios.
While testing the developed mHealth app, the test cases must include specific notes to verify that the HIPAA regulations are met. Particularly important are access to the health information, the possibility of opening the application inadvertently, and the possibility of decrypting the data accidentally or otherwise. Testing could also include checks for unnecessary data push, applying medical criteria to decide whether each push is warranted.
Even when the mHealth app is HIPAA compliant, the mobile device may still be considered a medical device and hence require FDA clearance. FDA regulations are primarily concerned with food, drugs and related products that affect the quality of anything ingested by human beings; if the device has any feature that falls under the FDA regulations, it must pass through FDA clearance. It must also be noted that HIPAA allows data, particularly PHI, to be passed or transmitted to a person or group subject to the jurisdiction of the FDA, and such recipients must be clearly identified.
Any updates or upgrades pushed to a mobile device for the mHealth app must ensure continued compliance with the HIPAA and FDA regulations (whichever apply), so they must be developed and tested with the regulations in view.
Some settings, such as the passcode or screen lock, are beyond the app's control and are generally under the control of the user; the app should bring these to the user's attention through effective means such as emails and relevant in-app notifications.
Mobile phones, particularly smartphones, have a number of exciting features that may interfere with the running of mHealth applications. Since HIPAA and, in some cases, FDA compliance are mandated by statutory regulations, these apps must have definite steps in place to ensure compliance. This document has discussed some of the salient steps that will help meet the compliance requirements.
Planning to launch an effective and compliant mHealth app? Consider Classic Informatics. Our super-skilled mobile app developers have experience creating intuitive, secure & beautiful looking mHealth apps. Check them out here!