Over the last few years, with a large number of mobile health apps coming into the market, protection of patient information has become more critical than ever before. The Health Insurance Portability and Accountability Act, or HIPAA as it’s commonly known, was enacted by Congress in 1996 with the aim of protecting and maintaining the privacy of the medical records and personal health information of individuals.
The law applies to protected health information or PHI (any health information that is individually identifiable or can be linked to a person) and the way it is stored and transmitted using technology, including mobile apps. Non-compliance with HIPAA can lead to hefty fines.
The nature of mobile devices makes protecting PHI a challenge, especially since these devices can be lost or stolen and often face the threat of virus attacks. Additionally, devices can be shared or used on unsecured Wi-Fi networks, posing the risk of accidental sharing or transmission of confidential data by email or on social media. This makes it essential to incorporate specific features in the app to prevent unauthorized sharing of PHI. Of course, a lot depends on the nature of the information that is collected from the user.
While a primary consumer app related to fitness or weight loss may not need to comply with the standards, most apps that are used by medical professionals or healthcare providers should be HIPAA compliant. This is not an easy task, as the law has several ambiguities that only a mobile app developer with experience in this segment can decipher easily. Based on our experience in developing apps for the healthcare sector, we would like to share some key factors to be included in an app to keep personal health information secure.
Unique User Authentication
While most mobile devices are password-protected, users often don’t use strong passwords. Therefore, in case of loss or theft, the information stored in the app can be accessed easily unless there is a layer of protection that requires the user to authenticate inside the app, such as by entering a unique login ID and password.
Encryption of Data
Once data is collected on the device, it’s critical that it is kept secure both on the device and during transmission over networks. Building a feature into the app that encrypts the data automatically can help to achieve this. Encryption should be applied at two levels: first, when the data is temporarily stored on the device, and second, when it is sent over a network to be stored on a server.
Often, users forget to log out of an app, which provides easy access to PHI stored on the device in case of loss or theft. It also increases the risk of personal information being accidentally accessed or misused by someone else when the device is shared.
While there are third-party apps that allow remote control and management of a mobile device to protect the user’s personal information, these might not always be available. A better option is to build a remote wipe feature into the app that permits admin controls to access and erase the PHI before it is misused.
All mobile devices face the threat of virus attacks, especially when they connect to unsecured networks. One way to prevent this is to provide frequent updates and alerts to users so that they can download the latest version of the app with the most current fixes against bugs and online threats.
Logs are essential for monitoring activity on any network. Activating this feature in the app helps to audit information such as the time of login by the user, the changes made to the data, details of the files accessed, the addition of a new user and other vital information that help to control the use and access of PHI.
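The audit trail described above, sketched as an added example (not code from the original article): it records the event kinds the paragraph lists and goes one step further by chaining an HMAC across entries so that later edits to the log are detectable. The class, field names, key and sample events are all constructed for illustration.

```python
import hashlib
import hmac
import json

# Event kinds taken from the paragraph above; the field names are assumptions.
EVENT_KINDS = {"login", "data_change", "file_access", "user_added"}

class AuditLog:
    """Append-only audit trail; each entry's MAC also covers the previous MAC."""

    def __init__(self, key: bytes):
        self._key = key      # assumed to be held outside the app's normal data store
        self.entries = []

    def _mac(self, prev_mac: str, body: dict) -> str:
        payload = prev_mac.encode() + json.dumps(body, sort_keys=True).encode()
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def record(self, kind, user_id, timestamp, detail):
        if kind not in EVENT_KINDS:
            raise ValueError(f"unknown audit event kind: {kind}")
        # Log identifiers only (record id, file name), never the PHI itself.
        body = {"kind": kind, "user": user_id, "ts": timestamp, "detail": detail}
        prev = self.entries[-1]["mac"] if self.entries else ""
        self.entries.append({**body, "mac": self._mac(prev, body)})

    def verify(self):
        """Return the index of the first entry that fails verification, or None."""
        prev = ""
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "mac"}
            if not hmac.compare_digest(entry["mac"], self._mac(prev, body)):
                return i
            prev = entry["mac"]
        return None

def demo():
    log = AuditLog(key=b"constructed-demo-key")  # constructed key, demo only
    log.record("login", "dr_lee", "2024-01-05T09:00:00Z", "device=tablet-7")
    log.record("file_access", "dr_lee", "2024-01-05T09:02:10Z", "record=A-1001")
    log.record("data_change", "dr_lee", "2024-01-05T09:03:45Z", "record=A-1001 field=allergies")
    log.record("user_added", "admin", "2024-01-05T10:15:00Z", "new_user=nurse_kim")
    intact = log.verify()                        # None: chain verifies
    log.entries[1]["detail"] = "record=A-2002"   # simulate an edited entry
    return intact, log.verify()                  # tampering found at index 1
```

The chain detects edits and removal of entries from the middle of the log; detecting truncation of the most recent entries additionally requires storing the latest MAC somewhere the device cannot rewrite, such as the server.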
Backup and Syncing
Once data is stored on the mobile device, it should be transmitted to the server where it can be kept safer. The user might not always have access to a secured Wi-Fi network for this to happen immediately. In such cases, the app should have a provision for automatic syncing and backup of data as soon as the device comes within range of a safe network.
The key guideline in designing mobile health apps is that personal information should always be protected, especially since the consequences of non-compliance with HIPAA involve enormous fines. It’s advisable to work with a developer who has experience in designing apps that meet the national standards prescribed by the Act.