Health care iPhone apps meet HIPAA compliance

October 18, 2014

Chances are, if you are in the health care field, you are familiar with HIPAA. The Health Insurance Portability and Accountability Act (HIPAA) is often one of the largest questions facing mobile application development. One of the common questions is not only how to comply but “when does HIPAA apply?

According to recent research by the HHS Office for Civil Rights and Patient Privacy, there are two key questions to ask when seeking to understand if a piece of software will falls under HIPAA rules:

  1. Who will be using the app?
  2. What information will be on the application?

To quote the research…

The HIPAA rules only apply to “protected health information,” information that identifies an individual and that relates to an individual’s physical or mental health, health care services to the individual, or payment for such health care services. There are exceptions for employment records and records of educational institutions. The fact that an individual has received services from a covered entity is itself protected health information. Accordingly, the name or address of an individual, although publicly available, is protected health information when residing on a covered entity’s computer if the presence of the information suggests that the individual is or was a patient or enrollee of the covered entity. Protected health information also includes otherwise anonymous information that includes a date of service (anything more detailed than a year). An e-mail referring to “the patient who was in last week” is protected health information, because it includes a date of service that can be used to identify the patient.

This means that HIPAA will only apply with certain types of patient information and not everything just because it is a health care app. For example, MichiganLabs recently developed an iPad application for a large medical organization that does not include patient specific information. Although the iPad app is still within the health care field, the HIPAA act did not apply. If, however, patient specific information was included within the app, HIPAA may have applied even if the information was anonymous. So, knowing this, what are some safeguards that developers can put in place for HIPAA compliance?

Glad you asked.

The HIPAA Security Rule requires appropriate Administrative, Physical, and Technical Safeguards to ensure the confidentiality, integrity, and security of protected health information (PHI).

In order to meet HIPAA compliance software requirements you need to ensure you’re meeting the four main requirements of the HIPAA law. The four main requirements of the HIPAA Compliance Checklist are:

  1. You must put safeguards in place to protect patient health information.
  2. Reasonably limit use and sharing of protected health information to the minimum necessary to accomplish your intended purpose.
  3. Have agreements in place with service providers that perform covered functions. These agreements, called Business Associate Agreements (BAAs) ensure that service providers (Business Associates) use, safeguard and disclose patient information properly.
  4. Procedures to limit who can access patient health information, and training programs about how to protect patient health information.

If that seems like a lot of work, there are several third-party vendors that will work to ensure your application is on the path to HIPAA compliance such as TrueVault or Tapestry Telemed.

In conclusion, there is no one that can “certify” that an organization is HIPAA compliant. The Office for Civil Rights (OCR) from the Department of Health and Human Services (HHS) is the federal governing body that determines compliance. HHS does not endorse or recognize the “certifications” made by private organizations.

There is an evaluation standard in the Security Rule § 164.308(a)(8), that requires you to perform a periodic technical and non-technical evaluation to make sure that your security policies meet the security requirements outlined in the rule. HHS doesn’t care if the evaluation is performed internally or by an external organization—just as long as it happens.

Legal disclaimer: I am not a lawyer. Please consult your legal professional for specific advice about how your app relates to HIPAA.

Mark Johnson
Mark Johnson
Co-founder & Managing Partner

Stay in the loop with our latest content!

Select the topics you’re interested to receive our new relevant content in your inbox. Don’t worry, we won’t spam you.

Press Release: University of Michigan partnership
Team

Press Release: University of Michigan partnership

March 19, 2019

Michigan Software Labs announces new University of Michigan partnership to expand talent pipeline

Read more
Chicago Roboto 2020: A Virtual Success
Android

Chicago Roboto 2020: A Virtual Success

January 19, 2021

Looking back on last year’s Chicago Roboto, it was a great opportunity to learn while spending time hanging out with teammates. So, when it was announced that this year’s event was going to be virtual, it was hard not to be disappointed. Then again, with so many great speakers lined up, there was still plenty to look forward to.

Read more
MichiganLabs named #1 iOS Development Company by MobileAppDaily
Business iOS Press Release

MichiganLabs named #1 iOS Development Company by MobileAppDaily

January 28, 2020

The report features leading iOS companies of the mobile app industry, who have made themselves known because of their exceptional app development services.

Read more
View more articles