" smartphone Archives - LuxSci

Posts Tagged ‘smartphone’

The Future of Protected Health Information

Wednesday, May 10th, 2023

HIPAA was introduced in 1996 to protect patient privacy and enable individuals to control their health records. However, over the last 30 years, the proliferation of technology has enabled patients to collect, transmit, and store personal health data in ways that were unimaginable to the original authors of the legislation. This article discusses how the definition of protected health information may expand in the future to account for new types of data, covered entities, and technologies.

the future of phi

Protected Health Information Today

Under the current iteration of HIPAA, protected health information, or PHI, is defined as “individually identifiable protected health information.” Protected health information refers specifically to three classes of data:

  1. An individual’s past, present, or future physical or mental health or condition.
  2. The past, present, or future provisioning of health care to an individual.
  3. The past, present, or future payment-related information for the provisioning of health care to an individual.

For protected health information to be “individually identifiable,” the data must be linked to a specific individual (even if this is very indirect). There are 18 types of identifiers for an individual. Any one of these identifiers, combined with health data, would constitute PHI.

protected health information

In addition, under today’s HIPAA rules, only covered entities and business associates must abide by the regulations. Covered entities fall into three categories:

  1. Healthcare providers include hospitals, doctors, clinics, pharmacies, nursing homes, psychologists, and other providers.
  2. Health plans – Health insurance companies, company health plans, HMOs, and Government-paid health care plans such as Medicare are all considered health plans.
  3. Healthcare clearinghouses – These entities either process or facilitate the processing of health information they receive from other entities.

Business associates include a wide range of companies, but most importantly, they are contracted by a covered entity to perform a business function involving PHI. Business associates can include web hosts, billing companies, marketing agencies, legal firms, accountants, and more.

The Future of Protected Health Information

As the world has rapidly changed, new technologies that challenge how we think about personal health data have evolved. IT security teams must consider future security challenges and regulatory changes to futureproof their organization and mitigate risks. Below we explore how technology and PHI have progressed in a way that is pressuring regulators and legislators to protect patient privacy.

Technological Advances

The smartphone was still a decade away from being invented when HIPAA was introduced. In today’s world, the success of the iPhone has trickled down to other internet-connected smart devices like watches, scales, and other wearable devices. Even medical devices, including heart rate monitors and remote patient monitoring devices, can be found in people’s homes today. When medical providers ask patients to use these devices to capture biometric data, HIPAA rules apply.

But what about when healthcare providers do not recommend these technologies? If a consumer wants to use an application to record their daily activity, record their weight, or monitor their heart rate without direction from a doctor, HIPAA does not apply. However, due to the sensitivity of the data and lack of consumer understanding, some are calling for additional privacy protections for device and application manufacturers. It is not hard to imagine that any application designed to collect, store, or transmit health data will become subject to stricter regulations regardless of whether they are involved in an individual’s healthcare.

New Types of Data

When HIPAA was envisioned, genetic science was progressing but still confined to the upper levels of academia and research. Improvements in genetic testing and increased knowledge of the human genome could completely alter what is defined as PHI and how individuals interact with their healthcare providers. In 2013, amendments to the Privacy Rule clarified that genetic information is PHI and needs to be secured. However, over the past decade, genetic testing capabilities have exploded. Anyone can order a genetic test from numerous consumer-facing companies. As a result, personalized medicine is thriving and is likely to grow over the next decade.

As doctors have more access than ever before to information about our genomics, it’s of the highest importance to ensure it is secured.

Change is On The Way: Are You Ready?

Covid-19 rapidly accelerated many of these technological changes, and recent events in the news have already sparked changes to HIPAA enforcement. For example, the use of online tracking pixels to collect and transmit PHI recently caused OCR to issue a statement on their proper use. In addition, last year’s Supreme Court decision in Dobbs vs. Jackson Women’s Health spurred many reproductive health-tracking apps to take additional steps to protect users’ data. The incident highlighted just how much personal health data is contained in unregulated applications.

Even without government intervention, organizations that process health data must secure it to build consumer trust and differentiate from the competition. With breaches and cyberattacks on the rise, only the best-prepared organizations will be able to grapple with future challenges and regulatory changes.

HIPAA Compliance for Mobile Apps

Tuesday, November 9th, 2021

Many people rely on mobile devices to access the Internet, and apps are a convenient way to deliver online services. The health industry has also turned to mobile apps to provide health care services on the go.

In some industries, developing apps may be relatively straightforward. However, those that deal with PHI need to understand the HIPAA compliance requirements for mobile apps. If your company’s app isn’t HIPAA compliant, it could result in heavy fines or a data breach, which could seriously harm your business’s finances and its reputation.

To develop a HIPAA-compliant app, privacy and security need to be considered from the start.

hipaa compliance for mobile apps

What Exactly Is an App?

Before we get too deep into HIPAA compliance, we should take a step back and clarify what an application is. Most people use them every day, but not everyone will know how they differ from other kinds of software.

At its highest level, an app is a software program that is designed to help users perform activities. This contrasts with system software, such as an operating system, which generally works in the background.

The three main types are web apps, desktop apps and mobile apps. Web apps run in your browser, things like your webmail or Google Translate. Desktop apps tend to be full-featured, while mobile apps are stripped-back versions that focus on making the most out of the tablet or smartphone experience. There are also hybrid apps that embed mobile websites inside apps.

While Microsoft Word and the alarm clock on your phone are both apps, people will often be referring to mobile apps when they use the term.

Does My App Need to Be HIPAA-Compliant?

Health and wellness apps have become more sophisticated and are often recommended by medical practitioners to help patients manage medical conditions. However, not every app is required to meet HIPAA regulations. To determine whether an app should be HIPAA-compliant, consider whether your business practices make you a covered entity or a business associate of an entity.

Another complex aspect is understanding what actually counts as PHI. PHI is identifiable information that includes medical test results, prescriptions, billing details and insurance, among an array of other things. Weight loss data, calories burned, heart rate and other similar readings are not normally considered PHI unless they are attached to identifiable information.

If your business processes PHI as a covered entity or a business associate, you are subject to HIPAA regulations. If your company offers services directly to customers that are unrelated to their healthcare provider or insurance, it is unlikely to be covered by HIPAA.

Because of this, apps like MyFitnessPal are exempt from the regulations, because they don’t process PHI, nor do they conduct their business through healthcare providers. Conversely, an app from your health plan that stores your healthcare records would be regulated under HIPAA. Similarly, email, chat, texting, and video conferencing apps that may be used by healthcare providers to communicate with their patients would also need to be HIPAA-compliant. 

If you do not secure PHI properly, you could be subjected to financial penalties. The FTC recently announced it will begin enforcing the Health Breach Notification Rule for health apps. The rule requires entities to deliver breach notices to customers by first class mail no later than 60 calendar days after discovering a breach. Companies must also notify the FTC and in some cases, the media. Companies can face penalties up to $43,000 per violation per day for noncompliance.

HIPAA Compliance for Mobile Apps

If your company has an app that falls under HIPAA regulations, you will need to put serious consideration into its privacy and security measures. It is best to keep HIPAA in mind from the earliest planning stages to ensure that the app is compliant and to reduce the chance of penalties or any significant breaches. App security starts with corporate compliance; your company and your developers need to do all of the things necessary for compliance (see HIPAA Compliance Checklist), including training, risk assessments, etc.

From the app design stage forward, you should limit the use and sharing of PHI in your App to the minimum that is necessary to complete the task. If your data is processed by any outside entities, you will also need to sign a business associate agreement (BAA) with them to ensure that they are complying with the regulations as well.

You should also understand the additional risks that come with processing PHI on devices. Smartphones and tablets can easily be lost or stolen and they have a range of features that bring new security challenges.

Developing an app brings up a different set of complications when compared to SaaS (software-as-a-service .. i.e. using web-based applications), because apps generally store data locally and need access control measures in place to ensure that the data is secure. Because of this, it is best to go above and beyond HIPAA regulations to safeguard your customer data.

Control Access to Protect PHI

Access control is critical for apps that process PHI. Mobile devices have a high risk of being stolen or accessed by unauthorized entities. With the right access control measures in place, the risk of anyone being able to view sensitive patient data is minimized.

First, ensure that your app can only be accessed with a unique ID. To authenticate their identity, a user also needs to prove who they are. Require the use of a strong password or biometric data (like fingerprints) to login.

If PHI is going to be available in an app, automatic logoff is important for preventing unauthorized access. People often keep their apps logged in and leave their devices unattended. Without automatic logoff after a set period of time, the user’s PHI becomes more vulnerable to unauthorized access. Many apps neglect auto-logoff and keep users logged in indefinitely, relying instead on the device’s own login and logoff functionality instead. This may be sufficient to pass your HIPAA risk assessments; however, it is far more secure (though far more annoying) to institute app-level login and logoff requirements. Perhaps the pervasiveness of biometrics will make remove the annoyance factor of requiring authentication to gain access on demand.

We highly recommend that app developers institute auto-lockout after a short period of inactivity and use fingerprints or other means to resume access. Several access failures should cause your app to back off and require the full regular password to re-authenticate. This mitigates the weaker nature of a fingerprint or pin for access resumption.

Encrypt App Data

Encryption is another key aspect of preventing PHI from being exposed. Data should be encrypted at all times except when it is in use. This prevents anyone who may be listening in from accessing the data. Instead of being able to view the PHI, all they will see is ciphertext. Data encryption can safeguard PHI from other running apps and from attackers who may be trying to break into a device’s hard drive. Relying on a device’s disk encryption provides a basic layer of safety, but it does not protect data against other malicious running apps.

Auditing to Monitor Access

Any HIPAA-compliant app should have mechanisms in place to monitor and log access to PHI. These logs help detect any unauthorized access in the event of a breach.

HIPAA-Compliant Web Hosting

Apps are often just the front-end interface of a company’s website. To protect data on the back-end, host the website with a HIPAA-compliant provider. Your company needs to sign a business associate agreement with the provider to ensure that they are safeguarding PHI. LuxSci offers HIPAA-compliant hosting and we even have a free eBook that goes through the subject in more depth.

Keep Your App Updated

The threat landscape is constantly changing. Update your app whenever new vulnerabilities are discovered to protect patient data. Outdated apps are easy targets for hackers, so it is essential to patch regularly.

Be Careful with Push Notifications

Push notifications are visible even when a screen is locked. Do NOT include PHI in these notifications. If someone else sees a push notification that contains PHI, it could be considered an unauthorized access violation. This unauthorized disclosure could result in fines for your organization.

Mobile Apps Are Easy to Use, but Are They Secure?

Many healthcare organizations are seeing the value in developing apps for their patients because of their simple nature and ubiquity. While apps can certainly be useful, companies need to tread carefully and consider HIPAA regulations from the start.

Devices and apps introduce a range of security and privacy issues. It is exceedingly important that adequate measures are taken to guard the PHI of users. If neglected, your organization could face significant penalties or a serious breach. When developing a mobile application, consider your security and compliance requirements from the start.