Health care iPhone apps meet HIPAA compliance

October 18, 2014

Chances are, if you are in the health care field, you are familiar with HIPAA. The Health Insurance Portability and Accountability Act (HIPAA) is often one of the largest questions facing mobile application development. One of the common questions is not only how to comply but “when does HIPAA apply?”

According to recent research by the HHS Office for Civil Rights and Patient Privacy, there are two key questions to ask when seeking to understand if a piece of software falls under HIPAA rules:

  1. Who will be using the app?
  2. What information will be on the application?

To quote the research…

The HIPAA rules only apply to “protected health information,” information that identifies an individual and that relates to an individual’s physical or mental health, health care services to the individual, or payment for such health care services. There are exceptions for employment records and records of educational institutions. The fact that an individual has received services from a covered entity is itself protected health information. Accordingly, the name or address of an individual, although publicly available, is protected health information when residing on a covered entity’s computer if the presence of the information suggests that the individual is or was a patient or enrollee of the covered entity. Protected health information also includes otherwise anonymous information that includes a date of service (anything more detailed than a year). An e-mail referring to “the patient who was in last week” is protected health information, because it includes a date of service that can be used to identify the patient.

This means that HIPAA will only apply with certain types of patient information, not to everything just because it is a health care app. For example, MichiganLabs recently developed an iPad application for a large medical organization that does not include patient-specific information. Although the iPad app is still within the health care field, the HIPAA act did not apply. If, however, patient-specific information was included within the app, HIPAA may have applied even if the information was anonymous. So, knowing this, what are some safeguards that developers can put in place for HIPAA compliance?

Glad you asked.

The HIPAA Security Rule requires appropriate Administrative, Physical, and Technical Safeguards to ensure the confidentiality, integrity, and security of protected health information (PHI).

In order to meet HIPAA compliance software requirements you need to ensure you’re meeting the four main requirements of the HIPAA law. The four main requirements of the HIPAA Compliance Checklist are:

  1. You must put safeguards in place to protect patient health information.
  2. Reasonably limit use and sharing of protected health information to the minimum necessary to accomplish your intended purpose.
  3. Have agreements in place with service providers that perform covered functions. These agreements, called Business Associate Agreements (BAAs), ensure that service providers (Business Associates) use, safeguard and disclose patient information properly.
  4. Put procedures in place to limit who can access patient health information, and training programs about how to protect patient health information.

If that seems like a lot of work, there are several third-party vendors that will work to ensure your application is on the path to HIPAA compliance such as TrueVault or Tapestry Telemed.

In conclusion, there is no one that can “certify” that an organization is HIPAA compliant. The Office for Civil Rights (OCR) from the Department of Health and Human Services (HHS) is the federal governing body that determines compliance. HHS does not endorse or recognize the “certifications” made by private organizations.

There is an evaluation standard in the Security Rule § 164.308(a)(8), that requires you to perform a periodic technical and non-technical evaluation to make sure that your security policies meet the security requirements outlined in the rule. HHS doesn’t care if the evaluation is performed internally or by an external organization—just as long as it happens.

Legal disclaimer: I am not a lawyer. Please consult your legal professional for specific advice about how your app relates to HIPAA.

Mark Johnson
Co-founder & Managing Partner
