What makes an App HIPAA-Compliant?

July 10th, 2017

In the last ten or so years, apps have swept through the world alongside the smartphone boom. Smartphones enabled us to carry miniature computers everywhere we went, so we quickly began to integrate them into our everyday lives.

We stopped asking for directions and used the GPS app instead, we checked out the Yelp app when we wanted to find somewhere good to eat, and we kept track of our friends on Facebook from our mobiles.

People have become accustomed to using apps these days, which has put pressure on many organizations to conduct their services through them. If they don’t offer an app, they may lose customers to their more tech-savvy competitors. The health industry is no different, so apps have become an essential offering for many organizations.

In some industries, developing an app may be relatively straightforward, but organizations that handle protected health information (PHI) need to make sure that their app is HIPAA compliant. If your company’s app isn’t, the result could be heavy fines or a breach of patient data, either of which could seriously harm your business’s finances and its reputation.

To make a HIPAA-compliant app, privacy and security need to be considered at each step of development.

What Exactly Is an App?

Before we get too deep into HIPAA-compliance, we should take a step back and clarify what an application actually is. Most people probably have a rough idea, because we use them every day, but not everyone will know how they differ from other kinds of software.

At the most general level, an app is a software program designed to help users perform activities. This contrasts with system software, such as an operating system, which generally works in the background.

The three main types are web apps, desktop apps and mobile apps. Web apps run in your browser, for example webmail or Google Translate. Desktop apps tend to be full-featured, while mobile apps are stripped-back versions that focus on making the most of the tablet or smartphone experience. There are also hybrid apps, which wrap a mobile website inside a native app shell.

While Microsoft Word and the alarm clock on your phone are both apps, people will often be referring to mobile apps when they use the term.

Which Apps Are Regulated by HIPAA?

In recent times, the health niche has seen explosive growth in the number and diversity of apps; however, many of these do not need to meet HIPAA regulations. To determine whether an app must meet HIPAA standards, you need to consider whether your business practices make you a covered entity (a health plan, healthcare clearinghouse or healthcare provider that falls under HIPAA regulations) or a business associate of one (a vendor that creates, receives, maintains or transmits PHI on a covered entity’s behalf).

Another complex aspect is understanding what actually counts as PHI. PHI is health information, such as medical test results, prescriptions, billing details and insurance information, among an array of other things, that is linked to something that identifies the patient, for example a name, date of birth, address, phone number or account number. Weight loss data, calories burned, heart rate and similar readings are not normally considered PHI unless they are attached to identifying information.

If your business processes PHI as a covered entity or a business associate, it is subject to HIPAA regulations. If your company offers services directly to consumers that are unrelated to their healthcare provider or insurer, it is unlikely to be covered by HIPAA.

This is why an app like MyFitnessPal is not regulated: it does not process PHI, and it does not conduct its business through healthcare providers. Conversely, an app from your health plan that stores your healthcare records is regulated under HIPAA. Similarly, email, chat, texting and video conferencing apps that healthcare providers use to communicate PHI also need to be HIPAA compliant.

How to Make Your App HIPAA Compliant

If your company has an app that falls under HIPAA regulations, you will need to put serious consideration into its privacy and security measures. It is best to keep HIPAA in mind from the earliest planning stages to ensure that the app is compliant and to reduce the chance of penalties or a significant breach. App security starts with corporate compliance: your company and your developers need to do everything that compliance requires (see HIPAA-Compliance Checklist), including workforce training, risk assessments and the rest.

From the design stage forward, limit the use and disclosure of PHI in your app to the minimum necessary to complete the task (HIPAA’s “minimum necessary” standard). If your data is processed by any outside entity, such as a hosting provider, you will also need to sign a business associate agreement (BAA) with each of them to ensure that they comply with the regulations as well.

You should also understand the additional risks that come with processing PHI on devices. Smartphones and tablets can easily be lost or stolen and they have a range of features that bring new security challenges.

Developing an app brings a different set of complications from SaaS (software-as-a-service, i.e. using web-based applications), because apps generally store data locally on the device and therefore need their own access control measures to keep that data secure. Because of this, it is best to go above and beyond HIPAA’s minimum requirements to safeguard your customers’ data.

Control Access to Protect PHI

Access control is critical for apps that process PHI, because mobile devices are at high risk of being stolen or picked up by unauthorized people. With the right access control measures in place, the risk of anyone other than the authorized user viewing sensitive patient data is minimized.

The first step is to give every user a unique ID, so that every action can be traced to an individual. Each user must then authenticate, proving that they are the person that ID belongs to. This is generally done with a strong password or with biometric data such as fingerprints, or better, a combination of the two.

If PHI is going to be available in an app, automatic logoff is important for preventing unauthorized access, because people often keep their apps logged in and leave their devices unattended. Without automatic logoff after a set period of inactivity, the user’s PHI becomes more vulnerable to unauthorized access. Many apps that handle PHI neglect auto-logoff and keep users logged in indefinitely, relying instead on the device’s own lock screen. This may be sufficient to pass your HIPAA risk assessment; however, it is far more secure (though far more annoying) to enforce app-level login and logoff. The spread of biometrics may remove much of the annoyance of requiring authentication on demand.

We highly recommend that app developers institute auto-lock after a short period of inactivity and allow fingerprints or another quick means to resume access. Several failed resume attempts should cause your app to back off (wait longer after each failure) and then require the full regular password to re-authenticate. This mitigates the weaker nature of a fingerprint or PIN as the factor used to resume access.
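The lock, back-off and escalate-to-password behaviour described above, written out as a small session state machine. This is an added example, not code from the original post or from LuxSci; the timing values, the failure threshold, the user ID and the `verified` flag (the result of a PIN comparison or the platform’s biometric prompt, which is not shown) are all assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Policy constants: these values are assumptions for the example, not
// HIPAA-mandated numbers. Tune them in your own risk assessment.
const (
	inactivityLimit = 2 * time.Minute // auto-lock after this much idle time
	maxQuickFails   = 3               // PIN/biometric failures before the full password is required
	baseBackoff     = 5 * time.Second // wait after the first failure; doubles with each further failure
)

var (
	ErrLocked        = errors.New("session locked: authenticate to continue")
	ErrBackoff       = errors.New("too many failures: wait before retrying")
	ErrNeedsPassword = errors.New("quick unlock disabled: full password required")
)

// Session tracks one user's access to PHI screens inside the app.
type Session struct {
	UserID       string
	locked       bool
	lastActivity time.Time
	quickFails   int              // consecutive failed PIN/biometric attempts
	retryAfter   time.Time        // earliest time the next quick attempt is accepted
	now          func() time.Time // injectable clock so the behaviour is testable
}

// NewSession starts an unlocked session after a successful full login.
func NewSession(userID string, now func() time.Time) *Session {
	return &Session{UserID: userID, lastActivity: now(), now: now}
}

// Touch is called on every user interaction and before any PHI is shown.
// It locks the session if the inactivity limit has been exceeded.
func (s *Session) Touch() error {
	t := s.now()
	if !s.locked && t.Sub(s.lastActivity) > inactivityLimit {
		s.locked = true
	}
	if s.locked {
		return ErrLocked
	}
	s.lastActivity = t
	return nil
}

// QuickUnlock resumes a locked session with a weak factor (PIN or the
// platform's biometric prompt); verified is the result of that check.
// Failures back off exponentially and, after maxQuickFails, the weak
// factor is refused until the user enters the full password.
func (s *Session) QuickUnlock(verified bool) error {
	if !s.locked {
		return nil
	}
	t := s.now()
	if s.quickFails >= maxQuickFails {
		return ErrNeedsPassword
	}
	if t.Before(s.retryAfter) {
		return ErrBackoff
	}
	if !verified {
		s.quickFails++
		if s.quickFails >= maxQuickFails {
			return ErrNeedsPassword
		}
		s.retryAfter = t.Add(baseBackoff << uint(s.quickFails-1))
		return fmt.Errorf("quick unlock failed (%d of %d)", s.quickFails, maxQuickFails)
	}
	s.resume(t)
	return nil
}

// PasswordUnlock is the full re-authentication path; verified is the result
// of checking the password against the server or a stored hash (not shown).
// Success clears the quick-unlock failure state.
func (s *Session) PasswordUnlock(verified bool) error {
	if !verified {
		return errors.New("password incorrect")
	}
	s.resume(s.now())
	return nil
}

func (s *Session) resume(t time.Time) {
	s.locked = false
	s.lastActivity = t
	s.quickFails = 0
	s.retryAfter = time.Time{}
}

// IsLocked reports whether PHI screens may currently be shown.
func (s *Session) IsLocked() bool { return s.locked }

func main() {
	s := NewSession("dr-jones", time.Now) // hypothetical user
	fmt.Println("touch:", s.Touch(), "locked:", s.IsLocked())
	s.locked = true // simulate the inactivity timer firing
	for i := 0; i < 4; i++ {
		fmt.Println("bad PIN:", s.QuickUnlock(false))
	}
	fmt.Println("password:", s.PasswordUnlock(true), "locked:", s.IsLocked())
}
```

The clock is injected rather than read from `time.Now` inside the methods so that the inactivity and back-off paths can be exercised deterministically; a real app would also persist `quickFails` and `retryAfter` so that force-quitting the app does not reset the counter.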

Encryption is another key aspect of preventing PHI from being exposed. PHI should be encrypted at all times except when it is actually in use: in transit, so that anyone listening in on the network sees only ciphertext rather than patient data, and at rest on the device, to safeguard it from other running apps and from attackers who extract the device’s storage. Relying on the device’s built-in disk encryption provides a basic layer of safety, but it only protects data while the device is locked or powered off; once the device is unlocked the file system is transparently decrypted, so it does not protect data against malicious apps running on the device. Encrypt PHI at the application level, with keys held in the platform’s key store and released only after the user authenticates.
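Application-level encryption of a locally cached PHI record, as an added example that is not code from the original post or from LuxSci. It uses AES-256-GCM from Go’s standard library and binds the record’s storage ID into the authentication tag so that a blob cannot be moved between records undetected. The key handling is an assumption for the example: `NewKey` draws random bytes, whereas a real app would generate and hold the key in the platform key store (Android Keystore or the iOS Keychain) behind user authentication. The record type and its contents are constructed sample data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// PHIRecord is a constructed sample of the data a health app might cache on the device.
type PHIRecord struct {
	PatientID string `json:"patient_id"`
	Test      string `json:"test"`
	Result    string `json:"result"`
}

// NewKey generates a random 256-bit key. Assumption for this example: in a
// real app the key is generated and held by the platform key store and is
// released only after the user authenticates; it is never written to the
// same storage as the data it protects.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one record with AES-256-GCM. The record's storage ID is bound
// as associated data, so a ciphertext copied from one record's slot into
// another's will fail to open. Output layout: nonce || ciphertext || tag.
func Seal(key []byte, recordID string, rec PHIRecord) ([]byte, error) {
	plaintext, err := json.Marshal(rec)
	if err != nil {
		return nil, err
	}
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize()) // fresh random nonce per record; never reuse one with the same key
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// Open decrypts and authenticates a blob produced by Seal. Any modification
// of the blob, a wrong key, or a wrong recordID is rejected before any
// plaintext is returned.
func Open(key []byte, recordID string, blob []byte) (PHIRecord, error) {
	var rec PHIRecord
	aead, err := newAEAD(key)
	if err != nil {
		return rec, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns+aead.Overhead() {
		return rec, errors.New("blob too short")
	}
	plaintext, err := aead.Open(nil, blob[:ns], blob[ns:], []byte(recordID))
	if err != nil {
		return rec, fmt.Errorf("decrypt failed (tampered blob, wrong key or wrong record id): %w", err)
	}
	if err := json.Unmarshal(plaintext, &rec); err != nil {
		return rec, err
	}
	return rec, nil
}

func main() {
	key, _ := NewKey()
	rec := PHIRecord{PatientID: "P-1001", Test: "HbA1c", Result: "6.2%"} // constructed sample
	blob, err := Seal(key, "rec-1", rec)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %d bytes of ciphertext\n", len(blob))
	back, err := Open(key, "rec-1", blob)
	fmt.Println("round trip:", back, err)
	blob[len(blob)-1] ^= 1 // flip one bit of the tag
	_, err = Open(key, "rec-1", blob)
	fmt.Println("tampered:", err)
}
```

GCM is chosen over a bare block-cipher mode because it authenticates as well as encrypts: a blob that has been edited, swapped into another record’s slot or decrypted with the wrong key is rejected outright instead of yielding garbage that the app might display.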

Auditing to Monitor Access

Mechanisms need to be put in place so that you can monitor and log every access to PHI: who accessed which patient’s data, when, and whether the attempt succeeded. These records are used to detect unauthorized access and for forensic purposes in the event of a breach, so they must themselves be protected from tampering.

HIPAA-Compliant Web Hosting

Apps are often just the front end to a company’s web service, with the PHI itself held on the server. Because of this, it is important that the back end is hosted by a HIPAA-compliant provider and that all traffic between the app and the server is encrypted in transit (TLS). Your company will need to sign a business associate agreement with the provider to ensure that they are safeguarding any PHI that they touch. LuxSci offers HIPAA-compliant hosting and we even have a free eBook that goes through the subject in more depth.

Keep Your App Updated

The threat landscape is constantly changing, so it is important to update your app whenever new vulnerabilities are discovered, whether in your own code or in the third-party libraries and SDKs it bundles. Outdated apps are easy targets for attackers, so patch regularly and make sure users actually receive the update.

Be Careful with Push Notifications

Push notifications can pop up even when the screen is locked, so they must not contain PHI: no patient names, diagnoses, test results or appointment details. If they do, the result is an unauthorized disclosure, which could lead to fines for your organization. Send a generic message (“You have a new result”) and let the app retrieve the details only after the user has unlocked it.

Apps Are Easy to Use, but Are They Secure?

Many healthcare organizations are seeing the value in developing apps for their patients because of their simple nature and ubiquity. While apps can certainly be useful, companies need to tread carefully and consider HIPAA regulations from the start.

Devices and apps bring a range of security and privacy issues with them, so it is important that adequate measures are taken to guard users’ PHI. If these are neglected, your organization could face significant penalties or a serious breach. As they say in healthcare, “prevention is better than cure”.