This post provides general information about HIPAA compliance for software and hardware development. Although Eureka Software has experience in this field, please consult your legal/compliance team for specific information on how to meet HIPAA compliance requirements.
Google Fit, Apple Health Kit, and even the Affordable Care Act have companies scrambling to build healthcare-focused mobile apps and/or upgrade existing medical devices. However, the process of bringing a new product to market in the healthcare industry brings about a whole other set of challenges. Not only do you have to worry about a product’s design and functionality, but now there’s the issue of HIPAA compliance and whether your product meets the criteria for FDA regulation. If you’re interested in building a healthcare-focused mobile app or medical device, don’t let these things deter you from doing so. Instead, let’s go over a few things you’ll need to be aware of before you jump in with both feet.
What is HIPAA?
The Health Insurance Portability and Privacy Act, also known as HIPAA, was first signed into law in 1996. HIPAA was written with the intent to protect individuals from having their healthcare data used or disclosed to people or agencies that have no reason to see it. It has two basic goals:
1.) Standardize the electronic exchange of data between health care organizations, providers, and clearinghouses.
2.) Protect the security and confidentiality of protected health information.
There are four rules of HIPAA, but today we’ll focus on the HIPAA Security Rule.
What is PHI?
Protected Health Information (PHI) includes medical records, billing information, phone records, email communication with medical professionals, and anything else related to the diagnosis and treatment of an individual. Examples of non-PHI include steps on your pedometer, calories burned, or medical data without personally identifiable user information (PII).
When building a healthcare app or medical device with the intent to collect, store, and share PHI with doctors and hospitals, it is absolutely mandatory to make sure you’re HIPAA-compliant (or else you’ll face some hefty fines). Additionally, if you’re planning on storing data in the cloud, you must take appropriate measures to ensure you’re properly securing the data and working with a HIPAA-compliant cloud storage service, too.
Here are some steps you’ll need to take:
Determine if your mobile app or medical device must be HIPAA-compliant.
Are you collecting, sharing, or storing personally identifiable health data with anyone who provides treatment, payment and operations in healthcare (aka a covered entity)? If yes, then you must be HIPAA-compliant.
Determine if your mobile app or medical device must be FDA-regulated.
The U.S. Food and Drug Administration (FDA) regulates medical devices to ensure their safety and effectiveness. If you plan to market your product as a medical device, then it may be subject to the provisions of the Federal Food Drug & Cosmetic (FD&C) Act. Find out if your product meets the definition of a medical device as defined by section 201(h) (or a radiation-emitting product as defined in Section 531) on the FDA website. (Visit Is This Product a Medical Device? for more information.) You can also contact the FDA directly if you are unsure whether your mobile app is considered a “Mobile Medical App” and will need to be FDA-regulated. (See Mobile Medical Applications.)
Work with a HIPAA-compliant cloud storage service provider.
Storing data in the cloud is appealing to the healthcare industry because of the amount of data that needs to be stored and easily accessible yet remain secure. The cloud allows individuals and businesses to store large amounts of information in massive data centers around the globe, rather than on internal servers and software. That data can be accessed from anywhere, anytime. Depending on the amount of data (which in healthcare can be A LOT), it can be more cost-effective to store data in the cloud when you account for the costs of hardware, maintenance, staff, and energy when storing locally.
Get a signed Business Associate Agreement.
Just because you’re working with a HIPAA-compliant cloud storage service provider doesn’t mean you’re covered. Any vendor or subcontractor who has access to PHI is considered a Business Associate, and therefore must sign a Business Associate Agreement. That includes your cloud storage service provider.
Secure sensitive data.
Developers should take appropriate safeguards to ensure that PHI is secure and cannot be accessed by unauthorized individuals. People lose their smartphones and iPads or don’t enable passcodes at all, so it’s even more important to make sure the app or medical device is HIPAA-compliant. Things like data encryption, unique user authentication, strong passwords, and mobile wipe options are just a few requirements. See InformationWeek’s article about developers and HIPAA compliance for additional information.
Finally, there is no official certification process to ensure that you’re in compliance with HIPAA’s Security Rule. The U.S. Department of Health and Human Services website states:
“The purpose of the Security Rule is to adopt national standards for safeguards to protect the confidentiality, integrity, and availability of electronic protected health information (e-PHI) that is collected, maintained, used or transmitted by a covered entity. Compliance is different for each organization and no single strategy will serve all covered entities.” (HHS.gov)
That means that it is up to the organization to implement its own strategy and follow the requirements, or else face those hefty fines.
So that’s an overview of HIPAA compliance. Have you gone through this process? What obstacles did you face? Are you interested in building a mobile app or medical device but concerned about the regulations? Leave a comment below, or send us an email with your questions.
HIPAA Compliance Developers Guide | Github