The entry of Apple in health-care industry in 2014 marked the inflection point in digital technology curve for medicine. With Apple, Google, IBM, Samsung, HealthTap and hundreds of startups globally investing in health wearables, mobile applications and technologies such as Big Data and Cognitive IoT, it is clear that the healthcare industry is ripe for disruption.

While all these applications make the promise of real-time collection of personal health information and sharing it seamlessly across the care continuum a reality, developers face regulatory challenges such as HIPAA, HITECH and 21 CFR Part 11 that need to be addressed in order to develop apps that take full advantage of technology and offer real value without getting into regulatory soup.

The challenging part with HIPAA is that the law was written about two decades ago and pre-dates the iPhone, Android, WebRTC, biomedical microelectromechanical systems (Bio-MEMS) and other new technologies. Unlike other regulatory compliances such as PCI for credit card industry, no one can ‘certify’ that an organization or application is HIPAA compliant. The Office for Civil Rights (OCR) of the United States Department of Health and Human Services, which is the federal governing body that determines compliance, does not endorse any ‘third party’ certifications for HIPAA compliance.

Additionally, unlike regulatory compliances such as Digital Millennium Copyright Act (DMCA), there is no ‘Safe Harbor’ clause in HIPAA privacy and security rule for the inclusion of protected health information (PHI) in an application. This means that even if an application is not designed to collect or share PHI, the application developer shares the responsibility of HIPAA compliance if PHI makes its way into the application.

According to BigSight Technologies report, a patient’s electronic medical record sells for about $20 in black market while credit card data sells for approximately $1 per card. Among finance, utilities, retail, and healthcare and pharmaceutical industries, healthcare showed the worst performance overall in industry security ratings, according to the study. If a patient’s PHI becomes public or lands in the hand of information thieves, there is huge risk of patient victimization and severe HIPAA penalties on concerned covered entities and their business associates including application developers.

So, what developers need to do to make HIPAA compliant applications?

It is important for developers to have a thorough understanding of application use cases. If there is a slightest chance of application being used to store and transmit PHI, it is safe to be HIPAA compliant. In addition to the Administrative, Physical and Technical safeguards under HIPAA security rule, developers shall consider following things when developing healthcare applications:

Medical Device or Not: It is possible that based on the features and functionalities, the mobile application or wearable device fall under the definition of medical device. If it does, it may need to go through five hundred plus clearances to get FDA approval.

Communication Touchpoints: Many applications use emails, SMS, chat, bots, WebRTC for application-to-user and user-to-user communications. If any of these communications from app include or might include PHI, it is best to use HIPAA compliant third party service providers for these communication channels.

Notifications: Many applications use notifications (desktop notifications in case of web app and push notifications in case of mobile app) to notify users of updates and changes. This involves the risk of violating the data privacy and security regulations outlined in HIPAA as the PHI can be publicly visible.

Physical Device Security: Laptops, tablets, smartphones and other handheld devices are vulnerable to theft or being left unattended which can lead to unauthorized access and misuse of app data. Unfortunately, developers cannot do much in this area except enforcing a mechanism to unlock the app using some passcode after certain time of inactivity or app going to background and enable remote wiping of app data in case of device being stolen.

Looking for a trusted partner to build HIPAA compliant digital healthcare applications? Please visit our healthcare profile for more information about our services, or, write to us at healthcare@sourcefuse.com.