You are here:
Image credit: Denver Health

Health Mobile APP: How to Stay HIPAA Compliant 101

The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for sensitive patient data protection. Companies that deal with protected health information (PHI) must have physical, network, and process security measures in place and follow them to ensure HIPAA Compliance.
By Serena Dao | EnvZone Staff
on June 27, 2019 | 7 min read
Image credit: Denver Health

Everyone is interested in protecting their privacy with the vast amount of information and personal data stored electronically today, it is totally normal if you want to ask the service provider what is your healthcare provider doing to protect your health care information.

So, this is…

What mobile app developers should do to stay HIPAA (Health Insurance Portability and Accountability Act) compliant:

1. Understand the role and responsibility thoroughly

For APP development, not everything should be done by regular APP developers. The security requirements for a healthcare app should be clearly defined and architecture reviewed by a qualified security specialist. HIPAA or security experts are needed, not regular APP developers.

Knowing what information will be handled and stored and where in particular it will be stored will be the key if you are having problems with PHI (Protected Health Information) so if you are the product owner, spend time to think about your use case for the app. You should also consider what other rules might play a notable role in forming your application’s design.

2. Minimize the risk and the reason to be attacked

Don’t ask information for nothing. Avoid using or storing data that is not important, for example, full birthday, previous phone numbers or hobby. Any personal data that you gather should have a clear purpose.

Writing and following a clear privacy policy is important in any mobile app that collects user data, but especially in health apps, because there is a lot of sensitive information in them that may affect the user’s life.

Avoid storing or caching PHI whenever possible because a highly effective and often underestimate way to avoid data security problems is not to store it at all.

For now, most data are uploaded to the Cloud. If you are planning to store data in the cloud, make sure that it must be transmitted and stored securely. Besides, you will also need a BAA (Business Associate Agreement) with any third party providers to guarantee the data will be safe.

Keep an eye in collecting geo-location data. Geo-location data about a patient can turn data that is fairly innocuous into PHI according to HIPAA guidance.

3. Store and transmit data securely

Health Mobile APP How To Stay HIPAA Compliant 101-Fig 1
Image credit: Denver Health

According to NowSecure CTO David Weinstein, 80 % of the 200 most popular, free iOS apps don’t use App Transport Security (ATS), a feature that forces mobile apps to connect to back-end servers using HTTPS, instead of HTTP, to encrypt data in transit, a risky number.

With the tools and protocols available today, there is no excuse not to implement them. As mentioned earlier, data must be encrypted when stored and when transmitted. This also ensures that the data is verified, another important compliance item, constantly.

People use many different protocols to send information for mobile devices. SMS and MMS are not encrypted, so don’t send any PHI via SMS or MSM because it is not secure.

When encrypting data locally, use widely tested protocols based on some sort of standard, which means don’t write your own encryption algorithm.

4. Secure the APP

The first thing to consider is local session time-out, your app should certainly force re-authentication after inactivity. Decide the length of the period base on the use-case.

Appearing in Mobile devices, push notifications are often considered as a vulnerability. Make sure that PHI is never sent to push notifications that could easily be seen by someone other than the patient who owns it.

Maybe there are some places you might think they are safe to store data, however, data can leak out where it’s not intended. Backups and log files are generally very loosely protected so avoid leaking PHI into them. Besides, the security of SD cards in Android devices is not high and it is not difficult to access a SD card, which causes huge problems.

5. Validate the security

This step is often forgotten after securing the APP. The only real surefire way to assess the security of a mobile app is via dynamic and static application security testing. Technology existing can help you do some of this yourself, but if you’re not an expert, you should consider hiring a third party to perform a penetration test of the app. Lastly, be sure to mention that the app is in scope for HIPAA compliance.

Biggest obstacle a company has to stay HIPAA compliant:

External data security threats, employee training, and evolving technology were all top concerns cited by respondents when it comes to difficulties in HIPAA compliance. 32% of those surveyed said that external threats to data security was the top issue, while 28 % listed employee training and evolving technology. So the HIPAA policies should be reviewed as many times as possible, especially when there are new employees.

Employee negligence, the evolving regulatory environment, and the evolving threat landscape were also listed as top concerns when it comes to HIPAA compliance.

Substitute for HITRUST

Health Mobile APP How To Stay HIPAA Compliant 101-Fig 2
Courtesy: HITRUST

HITRUST, or the Health Information Trust Alliance, was created in order to develop a consistent system for healthcare organizations and business associates to manage information security. Many organizations require that their business associates and partners utilize HITRUST as a consistent information security system. As a result, becoming HITRUST compliant allows your organization a point of differentiation amongst competitions. HITRUST is brutal but passable, but for some companies who want something else in case they can’t have HITRUST at the moment because it’s costly, there are alternative certifications that early-stage health IT startups can pursue before opting for HITRUST.

The closest thing HIPAA has is the annual Enterprise Risk Assessment or ERA which is not a certification but is useful in preparing for both the HITRUST and SOC 2 examinations.

Once your annual enterprise assessment is good, plan to work through SOC2 and eventually HITRUST. Most BAA and CEs will accept, at least the annual assessment as proof of overall compliance, they would prefer to see your SOC2, even if it’s bi-annual.

If you have a client that will only accept HITRUST you should point out the very low overall pass-rate and pass on the opportunity until your organization is more mature.

The Bottom Line

Once your HIPAA compliance is in place, you need to maintain it. It’s not hard, but if you let it go it can become out of date quickly and what was a HIPAA compliant environment can quickly slip away.  Staying HIPAA compliant takes some work, but it sure beats the pain of dealing with a breach investigation.

You Might Also Like:

7 Successful Telemedicine Companies and the 3 Driving Factors

SUBSCRIBE FOR THREE THINGS

Three links or tips of interest curated about offshore outsourcing every week by the experts at ENVZONE Consulting.