The global healthcare software market is growing at a 13% CAGR, estimated to reach USD 76.45 billion by the year 2025. For the mobile health (mHealth) marketplace, Gartner estimates growth at 43.9% CAGR by 2027. Propelled in part by the COVID-19 pandemic, significant growth will be seen in areas such as telemedicine, augmented and virtual reality, artificial intelligence, wearable technology, and the Internet of Medical Things – all areas poised to either improve patient health, aid in medical discoveries, or reduce healthcare costs.
If you are looking to build a healthcare app that will interact with electronic protected health information (ePHI), as a hospital or healthcare startup would, HIPAA will be on your radar. The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is a federal law that requires covered entities and business associates to self-regulate their security practices so that they comply with specific standards. HIPAA is just one of many data protection laws in the US.
This guide will provide a general introduction to HIPAA and how to develop HIPAA-compliant software.
Which Healthcare Apps Should Comply With HIPAA Rules?
If you are planning to develop healthcare software or a mobile healthcare app, particular attention must be paid to HIPAA. The important questions to answer about whether or not your mHealth app or healthcare software needs to be HIPAA compliant are:
What type of entity will use the application?
With HIPAA, the onus for compliance falls with the covered entity (healthcare provider, health plan, healthcare clearinghouse) or business associate (any associate who has access to PHI).
What type of data will the application use, share, or store?
Healthcare apps that plan to store, record, or share PHI will be subject to HIPAA rules during their use. Protected health information (PHI) and electronic protected health information (ePHI) refer to any identifiable data about the patient, including name, address, date of birth, SSN, device identifiers, email addresses, biometric data, lab or imaging results, medical history, and payment information.
Examples of healthcare and mHealth apps that need to be HIPAA compliant are:
- Telemedicine or secure / private messaging apps
- EHR apps
- Healthcare apps that collect data for, or communicate with, healthcare providers
- Medical records / lab results apps
- Patient monitoring apps or medication compliance apps, if connected with physicians
It is important for healthcare software developers to be aware of what HIPAA will require of the app in terms of security controls as well as certain workflows such as PHI removal (continue reading for more).
With the growth of the mobile marketplace and the number of wearable tracking devices, we are seeing a boom in the use of mHealth apps – but not all of these apps need to be HIPAA compliant. The HHS Office for Civil Rights (OCR) has stated that HIPAA is limited in its regulation of third-party health apps that are chosen and used by patients and are not connected to or used by physicians – unless the app developer is a covered entity or business associate. Examples of mHealth apps that may be excluded from HIPAA include:
- Nutrition tracking or diet apps
- Personal health or mental health tracking
- Fitness or exercise apps
What are the Requirements of HIPAA Compliance?
HIPAA compliance involves meeting the requirements of HIPAA and its related rules, amendments, and related legislation. Generally speaking, HIPAA is both strict (with many rules and severe penalties) and vague (with liberty on how best to apply the rules).
HIPAA defines 5 major rules that all healthcare software applications must follow:
1. The HIPAA Privacy Rule
The Privacy Rule standards were designed to protect the use and disclosure of medical records and other PHI. The rule is meant to facilitate the flow of health data in a way that limits fraud and theft. The rule also gives patients certain rights over their health information, including the rights to view, obtain a copy, and request corrections of their records.
2. The HIPAA Security Rule
The Security Rule sets forth standards to protect ePHI that is created, received, used, or maintained by a covered entity. The Security Rule requires that covered entities institute “appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security” of ePHI. Although HIPAA does not always state minimum or exact requirements, it is common to reference the NIST guide to implementing HIPAA (note, a revision is due within 2022).
3. The HIPAA Enforcement Rule
The Enforcement Rule establishes how the Department of Health and Human Services (HHS) enforces HIPAA, with regulators determining liability and calculating fines for non-compliance. Investigations typically stem from a complaint or a data breach, but HHS retains the right to investigate without a trigger.
4. The Breach Notification Rule
The Breach Notification Rule requires HIPAA covered entities and their business associates to provide notification of a breach of unsecured PHI, both of paper-based and electronic PHI. HHS further defines what qualifies as a breach based upon the nature and extent of the PHI involved, the type of disclosure, whether the data was viewed, and the level of risk of exposure. In addition to other requirements, breaches that affect more than 500 residents must include a media notice.
5. The Omnibus Rule
The Omnibus Rule, the most recent addition to HIPAA (updated in 2013), modifies several of the HIPAA Privacy, Security and Enforcement Rules. The Omnibus Rule is more stringent: it makes it harder to avoid a breach notification, extends non-compliance liability to business associates, and institutes new privacy restrictions on the use of PHI.
Compliance Beyond HIPAA
HIPAA is just one of a myriad of privacy and security laws and regulations that could potentially apply to new apps – be sure to consult a compliance lawyer to understand the requirements at the state, federal, global, and industry levels.
Want to know what laws apply to your mobile health app? The FDA released an interactive tool to help decide which laws apply in the US.
How to Ensure HIPAA Compliance for Healthcare Apps
What are the rules for developing HIPAA-compliant software and mHealth apps? The 5 HIPAA rules above lay out the general expectations for data security and privacy, but in reality there are many paths to implementing each rule.
It is important to note that HIPAA-compliant software does not by itself guarantee compliance. It is the responsibility of the users of the software – the covered entities and business associates – to ensure that their use of the software remains HIPAA compliant.
Before starting healthcare app development, it is best to first understand your level of compliance (as above), and then to do a risk assessment of your organization, policies and IT infrastructure to identify gaps in compliance. Look specifically at:
- What PHI will be collected, stored, or sent to other entities or associates
- Data management policies
- Employee training
- Data security practices and technologies
Next, as part of the new product development process, lay out specific policies and features to build into your healthcare app to make it HIPAA compliant.
Data Storage & Minimization
If the data includes ePHI, it must be hosted on a server (on-premise or remote) covered by a signed Business Associate Agreement (BAA). Most of the large cloud providers, such as AWS, Google Cloud Platform, and Microsoft Azure, are familiar with HIPAA requirements.
Data security best practices are built around the concept of data minimization. Collect only the information necessary for the task at hand – and nothing more. In the practice of health apps, this means not collecting PHI unless it is necessary.
Encryption remains one of the ways that covered entities and business associates can potentially avoid a data breach notification. Healthcare software and mHealth apps can adhere to the HIPAA Security Rule which requires that ePHI be encrypted with “an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key” (45 CFR 164.304 definition of encryption).
Data should be encrypted at rest (in all places, including cloud backups) and in transit, with decryption keys and tools stored on a separate device or at a separate location per NIST guidance.
Data backup & Disaster Recovery
The HIPAA Security Rule sets forth the need for robust backup and disaster recovery plans. In order for a healthcare app to meet these requirements, it must have a policy for when and where to back up PHI and other essential data. Data is ideally stored in an offsite or mirrored Cloud facility to maintain uptime. Regularly monitor storage logs.
A disaster recovery plan describes how the organization responds to and recovers from a threat or attack.
Right to be Forgotten: Data Disposal
Although the term “right to be forgotten” is most often associated with the EU GDPR (a different regulation), HIPAA does require adequate disposal of PHI. In the case of ePHI, healthcare software must have a way to completely overwrite (clear) or purge (degauss) the data, or to physically destroy the data or the device holding it, in all its forms (including backups).
HIPAA requires not only that you store the least amount of information, but also that you implement Access Management controls to limit access to PHI to only those authorized to see or use it. When mHealth apps store data shared between patient and physician, or between different users in a healthcare setting, these practices should apply.
Healthcare apps should include the following:
- Unique user identification (one login per user)
- Automatic log off
- Emergency access to data (if ePHI needs to be accessed by a health provider, known as Emergency Mode)
- Strong authentication (see below)
- Access monitoring
As stated above, the app activity logs should be analyzed to identify unauthorized access or access attempts. Ideally, the healthcare software provides these kinds of alerts as a notification for IT teams to take rapid action.
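The access controls listed above (unique user identification, automatic log-off, emergency mode, and access monitoring), shown as an added example that is not from the original article. The roles, idle timeout and alert threshold are constructed assumptions; a real app would back the audit log with tamper-evident storage.

```python
IDLE_TIMEOUT = 15 * 60      # assumed automatic log-off after 15 minutes idle (seconds)
FAILED_ATTEMPT_ALERT = 3    # assumed: alert after this many denied attempts by one user

class Session:
    """One session per unique user id; last_active is an epoch timestamp."""
    def __init__(self, user_id, role, last_active):
        self.user_id, self.role, self.last_active = user_id, role, last_active

class AuditLog:
    """Every access attempt, granted or denied, is recorded for later review."""
    def __init__(self):
        self.events = []
    def record(self, user_id, record_id, outcome, emergency=False):
        self.events.append({"user": user_id, "record": record_id,
                            "outcome": outcome, "emergency": emergency})

def session_expired(session, now):
    """Automatic log-off: a session idle longer than IDLE_TIMEOUT is no longer valid."""
    return now - session.last_active > IDLE_TIMEOUT

def authorized(session, record):
    # Constructed rule: clinicians may read any record; patients only their own.
    return session.role == "clinician" or session.user_id == record["owner"]

def read_record(session, record, now, log, emergency=False):
    """Return the record if access is allowed, else None. Every attempt is logged."""
    if session_expired(session, now):
        log.record(session.user_id, record["id"], "denied:expired")
        return None
    session.last_active = now
    if emergency:
        # Emergency mode: a clinician gets the data, but the access is always flagged.
        log.record(session.user_id, record["id"], "granted", emergency=True)
        return record
    if not authorized(session, record):
        log.record(session.user_id, record["id"], "denied:unauthorized")
        return None
    log.record(session.user_id, record["id"], "granted")
    return record

def access_alerts(log):
    """Access monitoring: surface emergency accesses and repeated denied attempts."""
    denied, alerts = {}, []
    for e in log.events:
        if e["emergency"]:
            alerts.append(f"emergency access by {e['user']} to {e['record']}")
        if e["outcome"].startswith("denied"):
            denied[e["user"]] = denied.get(e["user"], 0) + 1
    for user, n in denied.items():
        if n >= FAILED_ATTEMPT_ALERT:
            alerts.append(f"{n} denied attempts by {user}")
    return alerts
```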
Robust user authentication is the root of strong security. There is growing evidence that passwords alone are no longer adequate and that even two-factor authentication based on SMS one-time passwords may be open to attack. However, HIPAA does not specify which kind of authentication must be used, so more advanced security relies as much on the vague Security Rule as it does on avoiding the Breach Notification Rule.
The Zero Trust model for security is based upon the premise that no access is trusted by default: users are assigned the least privilege needed to do their work, and accounts are verified as strongly as possible so that people are who they say they are. The FIDO Alliance publishes authentication standards that cover 2FA (two-factor authentication), MFA (multi-factor authentication) and passwordless login (using biometrics, facial or voice recognition, or a security key).
Integrity & Audit
HIPAA-compliant apps must implement technical and administrative safeguards to examine and track the activity in the systems storing and transmitting data to ensure integrity (that data is not unintentionally modified, corrupted, accessed, or removed) and to protect against (and detect) unauthorized access. This is done through:
- Authentication (as above)
- Transmission security (encryption in-transit)
- Digital signature and verification (PGP, SSL)
- Healthcare app architecture (blockchain)
- Data safeguards (facility & device access controls for ePHI)
- System integrity, separating layers and adding controls to each layer
- Push notification formatting (notifications should not contain PHI)
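The last item above in practice: an added example (not from the original article) that reduces a server-side event to a PHI-free push payload carrying only an opaque reference, then validates the payload against a field allowlist and a few constructed patterns for PHI that tends to leak into free text. The field names, categories and patterns are assumptions.

```python
import re

# Constructed allowlist: the only fields a push payload may carry (no PHI).
NOTIFICATION_FIELDS = {"ref_id", "category", "title"}

# Constructed patterns for identifiers that often leak into notification text.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"),
}

# Generic titles: the notification tells the user to open the app, nothing more.
GENERIC_TITLES = {
    "lab_result": "New results are available",
    "message": "You have a new secure message",
}

def contains_phi(text):
    """Return the names of the PHI patterns found in a string."""
    return [name for name, pat in PHI_PATTERNS.items() if pat.search(text)]

def build_notification(event):
    """Reduce an event (which holds PHI server-side) to an opaque push payload.
    The full record stays behind authentication; the push carries only a reference."""
    return {
        "ref_id": event["ref_id"],
        "category": event["category"],
        "title": GENERIC_TITLES.get(event["category"], "Open the app for an update"),
    }

def validate_notification(payload):
    """Reject payloads with fields outside the allowlist or PHI-like strings."""
    extra = set(payload) - NOTIFICATION_FIELDS
    if extra:
        return False, f"disallowed fields: {sorted(extra)}"
    for key, value in payload.items():
        if isinstance(value, str):
            hits = contains_phi(value)
            if hits:
                return False, f"PHI-like content in {key}: {hits}"
    return True, "ok"
```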
Security Policies, Monitoring
Security technologies and policies still have a human element of concern – in almost every instance, human weakness can introduce the risk of a cyber attack. Lost passwords, phishing attacks, sending data by email, unhappy employees, or unpatched software can open the door to a data breach. You need to be able to secure your app (lots of locks) and also have an alarm system (monitoring) to know when an issue has taken place.
In software development, you want to be sure that your house (where you’re developing and using the software) is secure as well as build strong security into your app. Your app should provide:
- Minimum level of security for passwords
- 2FA or MFA or the option for hardware-backed security (passwordless)
- Automatic log-off
- Intrusion detection
Employees need to be trained in all of the above elements in order to build them into a healthcare app and to abide by them internally if a covered entity or business associate.
In the event of a data breach, there must be a plan in place to identify who was affected and to notify those users of a breach.
HIPAA Checklist for Building Healthcare Software
1. What is HIPAA Compliance?
HIPAA compliance involves meeting the requirements of HIPAA and its 5 related rules and amendments.
2. What is Protected Health Information (PHI) in HIPAA?
PHI refers to any identifiable data about the patient, including name, address, date of birth, SSN, device identifiers, email addresses, biometric, lab or imaging results, medical history, and payment information. When data is electronic, we refer to ePHI.
3. Who are Business Associates under HIPAA?
A business associate is any person or entity that performs functions for a covered entity that involves the use (holding or transmission) of PHI.
If you are looking for a technical partner to bootstrap your healthcare startup or internal product, our experienced team of UX / UI Designers and Developers here at Net Solutions can consult, design, and build your next transformative idea.