What You Need To Know About HIPAA-Compliant Development

Now more than ever, people are getting invested in their personal health. And that’s awesome because our society isn’t exactly known for being healthy. Quite the opposite, in fact.

Times are changing, though – and especially as hospitals and other care organizations move forward into the digital world, the market for healthcare-related applications has never been better.

Maybe you want to get involved in that market. Maybe you’ve got an idea for a killer app that will make patient care easier than ever, a platform that doctors can use to revolutionize how they work. Before you start working on that idea – on any idea related to healthcare – you need to take a step back and think.

No, I’m not saying that developing a healthcare app is a bad idea. Rather, I’m saying that doing it without a solid understanding of HIPAA – the Health Insurance Portability and Accountability Act – is like playing with fire. While there’s certainly a chance you’ll make it out unscathed, you’re more likely than not to end up getting burned.

I’m not going to mince words here. If you’re developing an app that’s going to be used in the health industry in any capacity, there’s a very good chance it needs to be HIPAA compliant. No ifs, ands, or buts.

But what does that mean, exactly?

  • A qualified security specialist – someone with expertise involving HIPAA – needs to sit down with your development team to define and outline your app’s security requirements.
  • Your app must use Protected Health Information (PHI) only where it is absolutely necessary for the app’s functionality. It must not extraneously access, store, display, or utilize PHI. This includes displaying PHI as a push notification.
  • Your app must utilize strong encryption to protect data both in-transit and at-rest. This means that if your app transmits data, it should never do so via SMS or MMS. Neither is especially secure, and both are easily hijacked/compromised.
  • Where storing PHI is concerned, your app must do so securely. Never allow it to store PHI in backups or log files, and avoid using on-device memory as much as possible.
  • Your app must incorporate some form of authentication, coupled with a timeout period.
  • You must maintain a clear, concise privacy policy, and follow it to the letter.
  • Your app should be developed with best practices like those published by OWASP in mind.
  • Your app’s security should be thoroughly pen-tested.
  • Depending on what your app is used for, it may need to go through FDA approval because it qualifies as a medical device.
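
To make the "never store PHI in log files" item concrete, here is an added example (not code from the original article) of a Python logging filter that redacts PHI before a handler writes anything out. The field names, the record-number format and the sample records are assumptions constructed for illustration.

```python
import io
import logging
import re

# Assumed PHI field names and formats; derive the real ones from your data model.
PHI_FIELDS = {"patient_name", "dob", "ssn", "mrn", "diagnosis"}
PHI_PATTERNS = [
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),          # US SSN layout
    re.compile(r"\bMRN[:#]?\s*\d{6,10}\b", re.I),  # hypothetical record-number format
]
REDACTED = "[REDACTED]"


def scrub(value):
    """Redact PHI by field name in containers and by pattern in strings."""
    if isinstance(value, dict):
        return {k: REDACTED if str(k).lower() in PHI_FIELDS else scrub(v)
                for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return type(value)(scrub(v) for v in value)
    if isinstance(value, str):
        for pattern in PHI_PATTERNS:
            value = pattern.sub(REDACTED, value)
    return value


class PHIRedactingFilter(logging.Filter):
    """Scrub a record before any formatter or handler writes it out."""

    def filter(self, record):
        if record.args:
            record.args = scrub(record.args)     # field-name redaction first
        record.msg = scrub(record.getMessage())  # then patterns on the final text
        record.args = None
        return True


def demo():
    """Log two constructed records to an in-memory stream and return the text."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.addFilter(PHIRedactingFilter())  # on the handler, so propagated records are covered
    log = logging.getLogger("phi_demo")
    log.handlers, log.propagate = [handler], False
    log.setLevel(logging.INFO)
    log.info("lookup failed for %s", {"mrn": "00123456", "clinic": "north"})
    log.info("claim rejected, member SSN 123-45-6789")
    return stream.getvalue()
```

The filter does not touch exception tracebacks attached through `exc_info`, so PHI must also be kept out of exception messages.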

That’s a pretty comprehensive list, right? The good news is that it’s not one that every health app developer needs to worry about. For instance, you don’t really need to break into a sweat about HIPAA if your app’s primary function is any of the following:

  • Exercise or weight tracking.
  • Food tracking/diet management.
  • Medical reference/symptom checking.

Basically, if your application is going to be used exclusively by regular people (rather than by doctors, nurses, or staff at a covered entity), then HIPAA isn’t something you need to concern yourself with. If you are intending for your app to be used in a hospital or healthcare setting, though?

Best study up – and when in doubt, contact the FDA.
