Health care iPhone apps meet HIPAA compliance

October 18, 2014

Chances are, if you are in the health care field, you are familiar with HIPAA. The Health Insurance Portability and Accountability Act (HIPAA) is often one of the largest questions facing mobile application development. One of the common questions is not only how to comply but “when does HIPAA apply?

According to recent research by the HHS Office for Civil Rights and Patient Privacy, there are two key questions to ask when seeking to understand if a piece of software will falls under HIPAA rules:

  1. Who will be using the app?
  2. What information will be on the application?

To quote the research…

The HIPAA rules only apply to “protected health information,” information that identifies an individual and that relates to an individual’s physical or mental health, health care services to the individual, or payment for such health care services. There are exceptions for employment records and records of educational institutions. The fact that an individual has received services from a covered entity is itself protected health information. Accordingly, the name or address of an individual, although publicly available, is protected health information when residing on a covered entity’s computer if the presence of the information suggests that the individual is or was a patient or enrollee of the covered entity. Protected health information also includes otherwise anonymous information that includes a date of service (anything more detailed than a year). An e-mail referring to “the patient who was in last week” is protected health information, because it includes a date of service that can be used to identify the patient.

This means that HIPAA will only apply with certain types of patient information and not everything just because it is a health care app. For example, MichiganLabs recently developed an iPad application for a large medical organization that does not include patient specific information. Although the iPad app is still within the health care field, the HIPAA act did not apply. If, however, patient specific information was included within the app, HIPAA may have applied even if the information was anonymous. So, knowing this, what are some safeguards that developers can put in place for HIPAA compliance?

Glad you asked.

The HIPAA Security Rule requires appropriate Administrative, Physical, and Technical Safeguards to ensure the confidentiality, integrity, and security of protected health information (PHI).

In order to meet HIPAA compliance software requirements you need to ensure you’re meeting the four main requirements of the HIPAA law. The four main requirements of the HIPAA Compliance Checklist are:

  1. You must put safeguards in place to protect patient health information.
  2. Reasonably limit use and sharing of protected health information to the minimum necessary to accomplish your intended purpose.
  3. Have agreements in place with service providers that perform covered functions. These agreements, called Business Associate Agreements (BAAs) ensure that service providers (Business Associates) use, safeguard and disclose patient information properly.
  4. Procedures to limit who can access patient health information, and training programs about how to protect patient health information.

If that seems like a lot of work, there are several third-party vendors that will work to ensure your application is on the path to HIPAA compliance such as TrueVault or Tapestry Telemed.

In conclusion, there is no one that can “certify” that an organization is HIPAA compliant. The Office for Civil Rights (OCR) from the Department of Health and Human Services (HHS) is the federal governing body that determines compliance. HHS does not endorse or recognize the “certifications” made by private organizations.

There is an evaluation standard in the Security Rule § 164.308(a)(8), that requires you to perform a periodic technical and non-technical evaluation to make sure that your security policies meet the security requirements outlined in the rule. HHS doesn’t care if the evaluation is performed internally or by an external organization—just as long as it happens.

Legal disclaimer: I am not a lawyer. Please consult your legal professional for specific advice about how your app relates to HIPAA.

Mark Johnson
Mark Johnson
Co-founder & Managing Partner

Stay in the loop with our latest content!

Select the topics you’re interested to receive our new relevant content in your inbox. Don’t worry, we won’t spam you.

How to Prepare for our Associate Software Developer Position
Team

How to Prepare for our Associate Software Developer Position

June 30, 2023

Tips for applying to MichiganLab's Associate Software Developer program

Read more
Michigan Software Labs Named One of the Country's Best Workplaces by Fortune
Press Release

Michigan Software Labs Named One of the Country's Best Workplaces by Fortune

August 9, 2021

Michigan Software Labs has been named as one of the 100 Best Small and Medium Workplaces based on an independent survey by consulting firm Great Place to Work® and Fortune Magazine. Michigan Software Labs came in 79 on the list. This is the second year the company has won the prestigious award.

Read more
Michigan Software Labs breaks ground on new office
Press Release

Michigan Software Labs breaks ground on new office

June 19, 2020

Michigan Software Labs recently broke ground on a new office building in its hometown of Ada. The 16,500-square-foot, three-story building will have office space for the growing software company and support up to 75 team members. The company currently is hiring for developers, UX designers and project managers.

Read more
View more articles