5 features a HIPAA compliant phone app needs to offer

A person using a smartphone.
(Image credit: Unsplash)

To this day, the Health Insurance Portability and Accountability Act (HIPAA) remains a critically important piece of legislation. Passed back in 1996, it regulates and provides safeguards on how healthcare information can be used. Its particular focus is for electronic health information, specifically protected health information (PHI), which is info that can be used to identify an individual, such as their name, date of birth, medical diagnoses, social security number, and home address. 


As our digital world has continued to evolve, new issues have arisen that pose new challenges to maintaining compliance with HIPAA. For example, back in 1996 the smartphone had yet to be invented, let alone go mainstream, and apps were a smaller course before the main entree - not software applications to download to your phone. Be that as it may, the HIPAA regulations still apply to safeguard the privacy and security of PHI stored electronically.

Healthcare providers are often mobile workers, running between office and hospital locations to round on their patients daily, and taking calls from patients on a 24/7 basis. Mobile apps help to make this possible, so that these providers can gain ready access to information, especially on patients they are less familiar with, such as a new consult, or an associate's patient they are cross-covering while on call. Virtually every electronic medical record offers a smartphone app to remain connected, and email via an app is commonly used in healthcare as well. Furthermore, as texting is not HIPAA compliant, many healthcare organizations have turned to HIPAA compliant instant messaging apps for providers to communicate.

For app developers in the healthcare space, here are the features that a HIPAA compliant smartphone app needs to offer.

Keep it basic

HIPAA takes PHI seriously, and the more of it an app holds, the more compliance obligations it takes on from the start. An important principle is to collect only the data the app needs to function, and not accumulate any more. This is unlike too many general purpose apps, which tend to grab any and all data with the intention of selling it later for profit.

Therefore, by way of example, if there is no reason for the app to store geolocation data, then rather than having to build a process to secure and keep that data private, it is better simply not to collect it in the first place. Of note, HIPAA treats any geolocation data more specific than the state level as information that can identify a patient.

Privacy… in writing

Much of HIPAA relates to the so-called ‘Privacy Rule,’ which requires that PHI be protected at all times. This is the assurance that the health information is kept at a defined level of security and is not openly available. In order to be compliant, there needs to be a written privacy policy that can be audited and supplied on demand, to provide this level of confidence that any and all PHI collected will be protected at all times.

In the policy, there needs to be a statement that PHI will not be sent without a patient’s consent. This is typically a written form that the patient or their surrogate signs as a ‘Release of Information,’ allowing the data to be shared with someone who has a purpose for it, such as another treating physician. Also in this policy, there should be another statement outlining the process to follow if (hopefully never) a data breach occurs, and confirming that patients will be notified should a breach of their data occur.

Top Secret

HIPAA does not specify exactly how the data needs to be encrypted, in terms of the strength of encryption (such as whether 256-bit keys or shorter ones can be used) or which protocol is preferred. Still, regardless of the protocol chosen, encryption needs to be used so that the privacy and security of the PHI is supported.

A valid reason that SMS is not HIPAA compliant is that it is completely unencrypted: the information travels in the open, which makes it quite insecure and inadequate for transmitting any PHI. Instead, healthcare organizations have increasingly turned to encrypted communication platforms designed as a substitute for texting.

Lock it up

As mobile apps are by definition designed for mobile devices, there is an immediate concern that a device can be lost, stolen or simply misplaced. Whatever the cause, the reality is that the device, with its mobile apps, can fall into the wrong hands, and with such an event comes the possibility of a data breach.

The device itself needs to be secured. This includes a complex password, and also biometric methods such as a fingerprint sensor or facial recognition. Such authentication needs to be enforced through a consistent and secure process each time the app is accessed, to verify the user’s identity. There should also be an automatic logoff, so that an app is never left permanently open.
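The enforcement described above (a credential check on every entry, plus an automatic logoff) can be modelled as a small session gate that every PHI read passes through. This is an added example, not code from the article or any product it mentions; the timeout values and the passcode/biometric inputs are assumptions for illustration.

```python
import time
from typing import Callable, Optional

# Assumed policy values for this example; a real deployment sets them per its risk assessment.
IDLE_TIMEOUT_S = 5 * 60        # automatic logoff after 5 minutes without user activity
ABSOLUTE_TIMEOUT_S = 8 * 3600  # force re-authentication at least every 8 hours regardless of activity


class AppSession:
    """Tracks whether the current user may see PHI right now. The clock is injectable for testing."""

    def __init__(self, clock: Callable[[], float] = time.monotonic):
        self._clock = clock
        self._authenticated_at: Optional[float] = None
        self._last_activity: Optional[float] = None

    def authenticate(self, passcode_ok: bool, biometric_ok: bool) -> bool:
        # Run on every entry to the app (launch or return from background).
        # Either factor is accepted in this example; a stricter policy could require both.
        if not (passcode_ok or biometric_ok):
            self.logoff()
            return False
        now = self._clock()
        self._authenticated_at = now
        self._last_activity = now
        return True

    def logoff(self) -> None:
        # Drop the session state; any PHI cached in the UI should be cleared at the same time.
        self._authenticated_at = None
        self._last_activity = None

    def is_active(self) -> bool:
        if self._authenticated_at is None or self._last_activity is None:
            return False
        now = self._clock()
        idle_expired = now - self._last_activity > IDLE_TIMEOUT_S
        absolute_expired = now - self._authenticated_at > ABSOLUTE_TIMEOUT_S
        if idle_expired or absolute_expired:
            self.logoff()  # automatic logoff: the app never stays open indefinitely
            return False
        return True

    def touch(self) -> bool:
        """Record a user interaction; returns False if the app must re-prompt for credentials."""
        if not self.is_active():
            return False
        self._last_activity = self._clock()
        return True

    def read_phi(self, record: dict) -> dict:
        # Every PHI access goes through the session gate, not just the login screen.
        if not self.touch():
            raise PermissionError("session expired; re-authenticate before viewing PHI")
        return record
```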

Consider the cloud

An important realization is that these HIPAA compliant apps do not keep their data solely on the device; they need to be connected on the backend through the cloud. This allows users to access the data from the remote server, and allows the app to get the job done.

The implication of this is that not only does the app need to be compliant, but the cloud provider on the backend needs to be compliant as well. This means that whenever data is transferred from the device to the backend, or the other way, it needs to be encrypted with a secure protocol, such as Transport Layer Security 1.2, to satisfy the requirement that data is encrypted in transit. Using a major cloud provider, such as Google or Amazon Web Services, makes it easier to comply with these requirements, provided the provider signs a Business Associate Agreement covering the PHI it handles and only the services covered by that agreement are used.
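The client side of the transfer requirement above can be enforced in code: build the TLS context so that anything below TLS 1.2 or an unverified server certificate is refused, and audit the context before any PHI leaves the device. This is an added example, not code from the article or any provider it names; the backend URL is a placeholder and the weak context exists only to show the settings to avoid.

```python
import json
import ssl
import urllib.request
from typing import Optional

# Placeholder backend; the real URL is whatever the app's cloud provider exposes.
BACKEND_URL = "https://phi-backend.example.invalid/records"


def make_client_context() -> ssl.SSLContext:
    """Client TLS settings meeting the article's minimum: TLS 1.2 or newer, server certificate verified."""
    ctx = ssl.create_default_context()  # system CA store, CERT_REQUIRED, hostname check on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse TLS 1.0/1.1 even if the server offers them
    return ctx


def make_weak_context() -> ssl.SSLContext:
    """The settings to avoid: any protocol version, no certificate or hostname verification."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    ctx.check_hostname = False  # must be switched off before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_meets_policy(ctx: ssl.SSLContext) -> list:
    """Audit a context before use; returns the list of violations (empty means acceptable)."""
    problems = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("minimum TLS version below 1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("server certificate not verified")
    if not ctx.check_hostname:
        problems.append("hostname not checked against certificate")
    return problems


def send_phi(payload: dict, url: str = BACKEND_URL, ctx: Optional[ssl.SSLContext] = None) -> int:
    """POST a PHI record to the backend, refusing to transmit over a context that fails the audit."""
    ctx = ctx or make_client_context()
    problems = context_meets_policy(ctx)
    if problems:
        raise ValueError("refusing to send PHI: " + "; ".join(problems))
    body = json.dumps(payload).encode("utf-8")
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return resp.status
```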


Jonas P. DeMuro

Jonas P. DeMuro is a freelance reviewer covering wireless networking hardware.