By Gil Vidals, HIPAA Blog

At the Apple Worldwide Developers Conference in 2014, Apple unveiled Health, an iOS8 application designed to create a data collection point for third-party accessories. In theory, Health centralizes health data collected by a user in order to interface with wearable technology.

In addition to Health itself, Apple also unveiled HealthKit, the developer application programming interface (API) necessary to write applications interfacing with iOS and Health.

For many years, iOS has been a hotbed of application development and has been home to many different types of applications. As of July 9th, 2014, there are over 40,000 personal health apps available in the App Store.

Basically, the idea of using one’s iPhone or iPod as a health aid is not a new one. HealthKit, however, intends to make health data collected through the device available to healthcare providers. This medical information is categorized as protected health information (PHI) and is thus subject to the Health Insurance Portability and Accountability Act of 1996 (otherwise known as HIPAA) regulations.

HealthKit has made it easier than ever to share health information with providers and will continue to do so as innovative applications are created to take advantage of its capabilities.

However, collecting health data (especially data that would be categorized as personally identifiable information (PII)) and sharing this information is a dangerous area when it comes to HIPAA regulations. Any developer who builds an application that stores, shares, or otherwise handles PHI must be familiar with HIPAA guidelines.

First, make certain that your application will actually collect or share PHI. If not, HIPAA is not something you need to be concerned with. However, make sure to perform proper due diligence. Accidental breaches of compliance are still breaches, and may still result in a hefty fine.

Your application can collect health information, but it is not subject to HIPAA compliance until it shares the data with a covered entity. For example, a blood pressure tracker would not need to be compliant, but if the tracked BP log were shared with a cardiologist or clinic, then it would be subject to HIPAA rules. Some sources recommend erring on the side of compliance despite the commitment that fulfilling compliance requirements demands. Those fines are simply too expensive to risk, especially for a young startup.

One of the particular nuances of iOS is push notifications. If, by mistake or by design, PHI appears on the lock screen of the device in question, HIPAA has been violated: someone can see this information without the user’s permission, which violates privacy law. If, for example, you developed an app and 100,000 people are using it when a breach like this occurs, this wouldn’t be 1 breach; it would be 100,000 multiplied by the fine. That’s millions of dollars for one simple breach.
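As an added example (not code from the original post), here is a server-side guard, written in Python, that keeps the health reading out of the APNs alert text a lock screen can show and only lets a generic notification through; the record fields, payload shapes and function names are constructed assumptions for this demonstration:

```python
# Added example, not part of the original post. The record structure and the
# two payload builders are constructed assumptions for the demonstration.
import json

# Parts of an APNs "alert" that iOS can render on the lock screen or in a banner.
VISIBLE_KEYS = ("title", "subtitle", "body")


def visible_text(payload):
    """Return every string the device may show before the user unlocks it."""
    alert = payload.get("aps", {}).get("alert", "")
    if isinstance(alert, str):
        return [alert]
    return [str(alert[k]) for k in VISIBLE_KEYS if k in alert]


def contains_phi(payload, record):
    """True if any value from the health record appears in lock-screen-visible text.
    Deliberately conservative: a short numeric reading also counts as a match."""
    shown = " ".join(visible_text(payload)).lower()
    return any(str(v).lower() in shown for v in record.values() if str(v))


def naive_payload(record):
    """Convenient but non-compliant: name, reading and clinic go straight into the alert."""
    return {"aps": {"alert": {
        "title": f"Hi {record['patient']}",
        "body": f"BP {record['systolic']}/{record['diastolic']} flagged by {record['clinic']}"}}}


def safe_payload(record):
    """Generic alert; the app fetches the real reading only after the user unlocks
    and authenticates. The opaque record id is not PHI by itself."""
    return {"aps": {"alert": {"title": "New reading available",
                              "body": "Open the app to view it."},
                    "content-available": 1},
            "record_id": record["id"]}


def encode_for_push(record, builder):
    """Serialise a payload for APNs, refusing any whose visible text leaks the record."""
    payload = builder(record)
    phi_fields = {k: v for k, v in record.items() if k != "id"}
    if contains_phi(payload, phi_fields):
        raise ValueError("refusing to send: PHI would be visible on the lock screen")
    return json.dumps(payload)


# Constructed sample record (fictional patient) used to exercise the guard.
SAMPLE_RECORD = {"id": "rec-7f3a", "patient": "Jane Doe", "systolic": 150,
                 "diastolic": 95, "clinic": "Riverside Cardiology"}
```

The same check belongs wherever notification text is composed, since the user's "Show Previews" setting is outside the app's control.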

In addition, email and SMS are emphatically not HIPAA-compliant ways of transmitting data. Sending PHI by either of these methods is insecure and not compliant.

Furthermore, iOS8 introduced the idea of information sharing between applications. While this makes it easier for developers to write dynamic applications, it should also be noted that if an app is compliant and follows best practices, and then shares data with an app that does not, the first app is no longer compliant after all.

With all of this in mind, be advised that any PHI that needs to be stored must be housed in a HIPAA-compliant environment. While not all of the data your app interacts with is guaranteed to be PHI, those portions that are will need to be hosted in a HIPAA-compliant environment.

Developing apps for HealthKit is a burgeoning field and one that is ripe for new ideas that think outside the box. Health is a dynamic application and will undoubtedly be at the forefront of a new wave of innovative medical technology. While developing apps in the HIPAA space is not a simple task, it will be worth the extra effort in the long run to ensure compliance. If this is too daunting, there are companies that offer HIPAA compliance as a service, taking the guesswork out of developing the first application.

Gil Vidals is the president and CTO of HIPAA Vault. He is a passionate subject matter expert on HIPAA compliance and the healthcare cloud, and co-host of the HIPAA Vault podcast. Since 1997, Gil’s mission has been to provide uncompromising and affordable HIPAA-compliant hosting solutions to commercial and government clients, helping protect their sensitive health information from data breaches and security vulnerabilities. HIPAA Vault has been recognized as an Inc. 5000 company and a Clutch Top B2B company. He can be reached here on LinkedIn.