HIPAA Compliant App Development: Key Principles and Tips
By Stephen Trout, , HIPAA Blog, HIPAA Hosting, Resources, Security

The world has gone mobile, and healthcare will never be the same.

Ever since their first appearance in Apple’s App Store in 2008, healthcare apps have exploded out of the gate and haven’t looked back.

(Apparently Mr. Jobs was approached about a fledgling healthcare app all the way back in 1977, but wasn’t ready to pull the trigger – but that’s another story.)

In our day of ubiquitous smartphones, the app stores are brimming with a host of exciting new possibilities:

“Healthy lifestyle” and wellness apps abound; smart apps for diet and exercise – even to help track vital health measures like blood pressure, diabetes, sleep patterns, and water consumption – appear regularly.

Yet even as patients are tapping apps to improve their own health, providers themselves are increasingly leveraging mobile health (mhealth) apps as part of their regular “instruments of care”:   

  • physicians use apps like Mobile PDR for point-of-care prescribing of drugs
  • doctors and emergency workers receive timely medical data through mobile apps
  • specialists carry an essential library of large textbooks on their devices through apps
  • clinics use apps to improve patient experiences and build their brand

Clearly, the mhealthcare market has become big business, with all estimates projecting a bright future:

Valued at $50.7 billion globally in 2021, the mobile healthcare market will likely reach $639.4 billion by 2028. 

Opportunities and Challenges

All this to say, as a healthcare app developer, you’re ready to seize the moment. You’ll do this with effective patient engagement in mind; highlighting a provider’s services is also key.

In the end, you hope to clarify your brand and maximize usability so the patient and healthcare practice thrive.

“But wait,” you say, “how do HIPAA regulations (first enacted in 1996 to outline the lawful use of protected health information or PHI) apply to me, as a developer?”

A great question!

First, understand that HIPAA regulations are chiefly concerned with “3 pillars”: the confidentiality, integrity, and availability of PHI.   

Practically, this means that providers and their patients need health data that is free from corruption, and that remains private and accessible. In this way, critical health treatments will not be hindered.  

So here’s the bottom-line answer to your query: 

Yes, HIPAA regulations apply to you if your app will handle PHI for a covered entity. 

Note: for actual consumer scenarios involving app usage and to help determine whether you require HIPAA-compliant app development, see this helpful publication from HHS: Health App Use Scenarios & HIPAA.


“Thanks – what’s a Covered Entity?”

Another excellent question. 

As defined by the National Institutes of Health, covered entities are 

  1. health care providers who electronically transmit any health information protected by HIPAA privacy standards 
  2. health plans, and 
  3. health care clearinghouses

Lest you think you’re off the hook, however, all third-party healthcare app developers should take note: the NIH also points out that:

“… the Privacy Rule also protects individually identifiable health information when it is created or maintained by a person or entity conducting certain functions on behalf of a covered entity—a business associate.” 


So, What Data will your App Handle?

If your app collects, uses, stores, or transmits protected health information in the context of providing services to a covered entity, you are a business associate and HIPAA applies to you.

We pause to note that not all apps that handle health information are necessarily subject to HIPAA. As stated by the HIPAA Journal, 

“A good example would be health trackers – either physical devices worn on the body or apps on mobile phones. These devices can record health information such as heart rate or blood pressure, which would be considered PHI under HIPAA Rules if the information was recorded by a healthcare provider or was used by a health plan.”

Since the apps for many of these trackers are designed for personal use – not to share collected or recorded data with a health provider or plan – such apps would not, therefore, be HIPAA regulated.  


A Quick Refresher: What is PHI?

While we’re at it, you also need to know what constitutes protected health information, or PHI. The HIPAA Journal again provides us with a nice summary:

“PHI is any health information that can be tied to an individual, which under HIPAA means protected health information includes one or more of the following 18 identifiers. If these identifiers are removed the information is considered de-identified protected health information, which is not subject to the restrictions of the HIPAA Privacy Rule”:

Names

Dates, except the year

Telephone numbers

Geographic data

FAX numbers

Social Security numbers

Email addresses

Medical record numbers

Account numbers

Health plan beneficiary numbers

Certificate/license numbers

Vehicle identifiers and serial numbers including license plates

Web URLs

Device identifiers and serial numbers

Internet protocol addresses

Full-face photos and comparable images

Biometric identifiers (i.e. retinal scan, fingerprints)

Any unique identifying number or code”

As we’ll see, all HIPAA-covered entities and their business associates – including those involved in HIPAA-compliant app development – need to ensure that PHI is protected with the appropriate technical, physical, and administrative safeguards. These safeguards are the heart of the HIPAA Security Rule. 


Preparing your Company for HIPAA

Before we review the Security Rule, as a healthcare developer, it’s important to know what’s at stake.

When a HIPAA auditor comes knocking at your door, know that they’ll be looking at more than just your new app. They’ll examine your company as a whole, concerned to find any existing or potential liabilities or “holes” in your procedures, practices, and overall security. 

In essence, they’ll want to see how your organization is maintaining HIPAA-compliant practices on a daily basis. (For some help getting started on this, download our Free Compliance Checklist here.)  

So if you haven’t done it, now’s the time to formulate and execute a thorough risk assessment of PHI in your organization – examining how sensitive data will flow and be stored, and all potential vulnerabilities that may potentially compromise it.

The risks of not doing so can be staggering:

An annual study by the Ponemon Institute saw the average total cost for healthcare breaches increase to $10.1 million in 2022.

You simply can’t afford the cost of a HIPAA fine, a lawsuit from angry patients, or the negative reputation that goes with a breach of patient data.  


Becoming Compliant

Here’s another foundational issue that dovetails closely with the Security Rule:

Your organization’s compliance won’t be achieved by running out and purchasing a certification or even completing a course. Plenty of helpful courses exist, but none actually “make” you compliant. 

HIPAA compliance is more like a ‘snapshot in time’ of your actual practices; meaning, you might have compliant procedures being closely followed in one moment and sacrificed by a lapse in practice the next.

No mistakes may be made today, but tomorrow a document may be left in an insecure place, or an employee will fall prey to a social engineering “phishing” scheme, allowing hackers to discover their password and enter your network. 

Before you know it, you’ve been breached, unable to access your data.

Your goal, therefore – consistent with regular risk assessments – should be to try to anticipate breaches before they happen. Being cognizant of your information life cycle helps you to ensure that all steps in the process are fundamentally sound from a security perspective.

Consider teaching your employees about HIPAA at a fundamental level, and imparting a sense of what true security is – both in the digital and physical senses of the word.


Keys to Securing your App

As a healthcare developer, you need a secure, frictionless app that performs well and protects sensitive data if needed. To that end, you’ll want to keep in mind these FTC Best Practices, which you can find here

As always, when HIPAA compliance is involved, following the Security Rule will be key. 

The 3 facets of cybersecurity – people, processes, and technology – are addressed in the 3 HIPAA Safeguards: Technical, Administrative, and Physical.

I. Technical safeguards will help to protect your app and environment. 

Four basic implementations of technical safeguards must be implemented:

1. Access Controls

Access controls are about granting rights and privileges to your system; they clarify who will be authorized to access applications, programs, and files that contain PHI. 

Bearing the least privilege principle in mind (granting only those access privileges needed to those who are authorized to complete a given task), access controls consist of:

  • A unique user identification allows your organization to track each user’s activity in relation to health data, including when they log on and off the system or modify PHI. 

Users will have their own login credentials, and must not share them with other users. Strong passwords and Multifactor Authentication should be employed.  

  • An Automatic Logoff, to “terminate an electronic session after a predetermined time of inactivity.” (The use of a screensaver that locks your desktop after a period of time – a built-in feature of Windows and Apple – will help to prevent unauthorized access.
  • Emergency Access Procedures, specifying who has permission to access data in a controlled response during an emergency. There should be a way to access necessary ePHI during an emergency.

2. Audit Controls

HIPAA requires that a technical solution be implemented to monitor and log any changes to your system, and provide real-time feedback. This includes:

  • all system login attempts (date and time, with username) – both successful and unsuccessful
  • who accessed ePHI on your server(s) and devices used
  • who created, read, edited, or deleted application files with ePHI

3. Integrity Controls

Patient health and safety depend upon the integrity of data. These protections help prevent the accidental or intentional alteration or deletion of protected health information.

4. Transmission Security

These controls are meant to protect data against unauthorized access as it is transmitted through your communications network, including your WordPress site. 

As mentioned, the industry standard for this is encryption. 

II. Administrative Safeguards will help ensure regulations are followed.

  • implementing a Security Review Process that will include risk management measures for protecting data integrity, confidentiality, and availability.
  • assigning a Privacy Officer to oversee and ensure the development and implementation of security policies and procedures. 
  • establishing workforce policies for granting and revoking access to ePHI, as well as password management, 2FA, and employee training on malicious software and phishing. 
  • utilizing the Principle of Least Privilege for access, for both individuals and associated covered entities. This means limiting privileges to only those essential for performing an intended function. 
  • ensuring strong password policies for your WordPress site, to prevent hacks through brute-force attacks. A password manager tool can help! 
  • formulating your response and reporting procedures for security incidents. Who will identify and address incidents? 
  • formulating a plan to recover ePHI in the event of a disaster (fire, flood, equipment failure, or loss of power). Are regular backups being performed?   
  • ensuring that a written contract (or BAA) is in force to clarify data protection responsibilities.

III. Physical safeguards will provide tangible protections to you and your facility and patient data.

These include:

  • locked doors with access codes 
  • restricted area warning signs
  • cameras
  • alarms
  • security services
  • personnel and property controls, etc.
  • workstation security that restricts access to only authorized users
  • device and media controls, with methods to document and properly dispose of hardware and software so that patient data is not exposed.

Once the 3 safeguards have been implemented, your app will need a compliant, scalable infrastructure; in addition, you may want to containerize the app. However, building this yourself can be complex. 

Medical data needs a secure infrastructure – one built to preserve data integrity, availability, and privacy for HIPAA in both transit and storage. Providing this compliant infrastructure minimizes risks and liability to data.

If you have the expertise, you’ll derive excellent security benefits from packaging your app and its dependencies in a container.

Containers are an amazing technology, allowing you to increase the speed at which you can deploy applications, with greater flexibility, agility, and reduced cost. That’s because each container possesses all the self-contained code and system tools needed to run, requiring fewer resources.

As opposed to old bare metal or even VMs, a container orchestration tool like Kubernetes, for example, offers far greater resource efficiency, not to mention integrated security benefits.

This is by virtue of how container clusters are destroyed and new nodes and clusters created whenever a new version of an application is deployed, reducing security patching and updates.

Be sure to also encrypt all data moving in and out of your app (and containers).

PHI that passes through a container system and that will be stored on the app must be encrypted. End-to-end encryption with at least TLS (transport layer security) 1.2 is essential. 

AES-256 (at rest in storage) and RSA 2048 (in transit) encryption will provide superior protections for your healthcare data.

Why not inherit a proven infrastructure instead?

Configuring containerized apps for protected health information can be complex. For example, applying automated scanning of containers at all stages of deployment is just one aspect of keeping images and registries safe from vulnerabilities.

Many developers have taken up the challenge, however, only to discover that meeting all the complexities of HIPAA-compliant hosting can be daunting. Thousands of hours later, mounting development costs, ongoing server security concerns, and looming audit requirements take their toll – and they’ve only just begun.

Here’s where inheriting a proven, fully-managed infrastructure with fully-managed security can save the day.

You’ll increase your profitability without the expensive server equipment and maintenance costs, and leave the day-to-day security, patching, and updates in the hands of proven security specialists who know HIPAA.

Additionally, the ability to offer a proven, fully comprehensive, end-to-end supported infrastructure solution that customers can trust will help you get up and running with your app fast.

Test Well

Finally, you’ll want to be sure your HIPAA checklist for testing your app includes:

  • How does the encryption perform in data transfer?
  • Are all technical safeguards and security requirements – including logins and authorization checks, as well as audit/logging controls – performing to expectations and fulfilling HIPAA requirements?
  • Have you accounted for redundancy/backups? 
  • What about performance issues – now, and in the future?
  • Does your monitoring of app performance reveal any system anomalies?
  • How well will your app scale? 

These are just the basics of HIPAA-compliant app development. With all we’ve mentioned above, it’s clear that building a healthcare app can be daunting.

Don’t cut corners, but know that you can build wisely and economically with HIPAA Vault on your side.  

Our comprehensive, end-to-end supported infrastructure solution can provide a solid foundation, and help you on the way to launching your successful new healthcare app.

HIPAA Vault is the leading provider of HIPAA-compliant solutions, enabling healthcare providers and business organizations to secure their protected health information from data breaches, threats, and security vulnerabilities. Customers trust HIPAA Vault to mitigate risk, actively monitor and protect their infrastructure, and ensure that systems stay online at all times. In addition to providing secure infrastructure and compliance for health companies, HIPAA Vault provides a full array of HIPAA solutions, including secure hosting, email, HIPAA WordPress, file sharing, and more.  

Stephen is an award-winning writer with a depth of experience in healthcare security and HIPAA compliance. In addition to writing for HIPAA Vault, his work has been published in Security Magazine, New England Society for Healthcare Communications, and others. Stephen has a degree in Engineering from Temple University, and can be reached at strout@hipaavault.com.