Things to consider while building HIPAA compliant mobile application

According to a report by App Annie, smartphone users access over 40 apps a month. These apps have access to much of our basic information: name, email address, mobile number, and files in the device's storage. Given this wealth of readily available information, it would be disquieting if it fell into the wrong hands. In such a scenario you can change a mobile number or an email address, but imagine someone gaining unauthorized access to our medical records: health conditions, ailments, allergies and so on. Sounds scary, right? That information cannot be changed, so the only way to handle it is to prevent the exposure in the first place.

To address such scenarios, the Health Insurance Portability and Accountability Act (HIPAA) was enacted in the United States back in 1996. So what does it mean exactly? Let's delve deeper to understand the concept.

Protected Health Information (PHI)

Before we get into HIPAA, let's look at what Protected Health Information (PHI) is. As defined under US law, PHI is any information about health status, provision of health care, or payment for health care that is created or collected by a Covered Entity (or a Business Associate of a Covered Entity) and can be linked to a specific individual.

Let’s break it down into 3 parts:

a) Type of protected health information covered under the compliance

The HIPAA Privacy Rule lists 18 personal identifiers. Individually identifiable health information that contains any one of them is PHI; conversely, health data from which all 18 have been removed is treated as de-identified under the rule's Safe Harbor method and falls outside HIPAA. These 18 identifiers are:

  1. Names
  2. All geographic subdivisions smaller than a state (street address, city, county, ZIP code)
  3. All elements of dates (other than year) directly related to an individual (birth date, admission and discharge dates, date of death, and all ages over 89)
  4. Telephone numbers
  5. Fax numbers
  6. Email addresses
  7. Social Security numbers
  8. Medical record numbers
  9. Health insurance plan beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Vehicle identifiers and serial numbers including license plates
  13. Device identifiers and serial numbers
  14. Web URLs
  15. Internet protocol (IP) addresses
  16. Biometric identifiers (e.g. retinal scans, fingerprints, voice prints)
  17. Full face photos and comparable images
  18. Any unique identifying number, characteristic or code

b) Covered Entities

  • Health plans
  • Healthcare clearinghouses
  • Healthcare providers who conduct certain healthcare transactions electronically (claims, eligibility checks, referrals)

c) Business Associate of a Covered Entity

This covers any person or organization that creates, receives, maintains or transmits PHI on behalf of a covered entity: a cloud hosting provider, an analytics vendor, or the company that builds and operates the app. The relationship, and the associate's obligations, are set down in a Business Associate Agreement (BAA), which is why the hosting provider's willingness to sign one matters later in this checklist.

Do we need to follow HIPAA compliance?

If you handle, store or transmit PHI to or from a covered entity, then you need to be HIPAA compliant. Compliance violations can result in serious penalties. These are tiered by the level of negligence and have ranged from $100 to $50,000 per violation, with a maximum of $1.5 million per year for violations of an identical provision (the amounts are adjusted for inflation annually).

What accounts for HIPAA compliance?

The Privacy Rule and the Security Rule are the two rules that define HIPAA compliance; the Breach Notification Rule, referred to below, governs what happens after a compromise.

A) HIPAA Privacy Rule

This rule defines what qualifies as PHI, how it may be used and disclosed, and who is responsible for keeping it protected. It applies to all covered entities and business associates that store or transfer such information.

B) HIPAA Security Rule

The Security Rule sets the safeguards required for electronic PHI (ePHI).

The HIPAA Security Rule has three categories of safeguards:

  1. Administrative safeguards — risk analysis, policies and procedures, workforce training, and the assignment of security responsibility
  2. Technical safeguards — access control, audit controls, integrity protection, person or entity authentication, and transmission security
  3. Physical safeguards — facility access controls, workstation security, and device and media controls

Building a HIPAA compliant application can get costly

Developing, documenting, implementing and independently assessing all of these requirements takes months and can cost upwards of $100,000. Note that HHS does not issue any official HIPAA certification; what an organization can obtain is a third-party assessment of its safeguards and a BAA from each vendor that handles its PHI. One way to reduce the cost is to select a cloud provider that signs a BAA and offers services already assessed for PHI workloads, so that parts of the stack (storage encryption, key management, logging) are covered by the provider's controls.

Checklist to consider while building HIPAA compliant Mobile Application

HIPAA compliance adds complexity: physical, technical and administrative safeguards, documentation, and privacy obligations. Hence let's try to understand the do's and don'ts while developing such apps.

  1. Store only what you need: every PHI field you keep is a field you must protect, audit and, after an incident, report on.
  2. Write a clear privacy policy.
  3. Secure data in transit and on the device.

Data at rest, on the device: mobile apps routinely persist data locally (offline caches, SQLite databases, preferences, crash reports), so any PHI that ends up on the device must be encrypted, with the key held in the platform keystore (Android Keystore, or the iOS Keychain and Data Protection classes) rather than alongside the data. Unencrypted PHI on a lost or stolen phone is a reportable breach and attracts penalties; PHI encrypted according to HHS guidance is not.

Data in transit, from device to server: use TLS (1.2 or later) with modern cipher suites and refuse plain HTTP. Certificate pinning (embedding the hash of the server's public key in the app and rejecting any other certificate) is critical if devices will operate on untrusted networks such as public Wi-Fi, since it blocks interception through a rogue or mis-issued certificate. Pin the key rather than the leaf certificate, and ship a backup pin, so that a routine certificate renewal does not lock every installed app out of the server.

Server-side: data on the server must be covered by encrypted backups, audit logs, key management and key rotation, with keys held in a KMS or HSM rather than in configuration files.

  1. Do not send push notifications containing PHI: notification previews appear on the lock screen, on paired wearables and in notification history, and the payload passes through Apple's and Google's push services. Send an opaque reference and let the app fetch the content after the user unlocks and authenticates.
  2. The local session must time out after a period of inactivity and require re-authentication (biometric or PIN). Isolate the app's data from other apps on the phone: keep PHI out of shared/external storage, the clipboard and the app-switcher snapshot, disable screenshots on screens that show PHI, and do not leave PHI in exported components or world-readable files.
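As an added example (my code, not code from the original article), here is the client-side logic behind points 1 and 2 above, written in platform-agnostic Python so it can be run: a session that locks after an idle timeout or an absolute lifetime, a push payload that carries only an opaque notification id, and a fetch step that returns the PHI only to a live session belonging to the owning user. The timeouts, user ids, notification ids and the notification store are assumptions made for the example.

```python
"""Session timeout and PHI-free push notifications for the mobile client (added example).

Platform-agnostic Python so the rules can be run and tested; in a real app the same
logic lives in the Android/iOS client and the notification store on the server.
Timeouts, user ids, notification ids and the store are assumptions for this example.
"""
import time
from typing import Optional

IDLE_TIMEOUT_S = 5 * 60        # assumed policy: lock after 5 minutes without interaction
ABSOLUTE_TIMEOUT_S = 8 * 3600  # assumed policy: force a fresh login after 8 hours regardless


class Session:
    """One authenticated user on the device.

    Once locked, the session must drop any decrypted PHI it holds in memory and show
    the lock screen; touch() never revives it, only a new login does.
    """

    def __init__(self, user_id: str, now: Optional[float] = None):
        # Monotonic clock: changing the wall clock cannot extend a session.
        now = time.monotonic() if now is None else now
        self.user_id = user_id
        self.started_at = now
        self.last_activity = now
        self.locked = False

    def is_expired(self, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        return (self.locked
                or now - self.last_activity >= IDLE_TIMEOUT_S
                or now - self.started_at >= ABSOLUTE_TIMEOUT_S)

    def touch(self, now: Optional[float] = None) -> bool:
        """Record user interaction; returns False (and locks) if the session has already expired."""
        now = time.monotonic() if now is None else now
        if self.is_expired(now):
            self.lock()
            return False
        self.last_activity = now
        return True

    def lock(self) -> None:
        self.locked = True  # real app: wipe in-memory PHI, clear views, show lock screen


# Constructed server-side store: the PHI stays here, reachable only through an opaque id.
NOTIFICATIONS = {
    "n-8f2c": {"owner": "u-1001", "kind": "lab_result", "detail": "HbA1c 6.1% (result ready)"},
    "n-91aa": {"owner": "u-2002", "kind": "appointment", "detail": "Dr. Example, 14 Mar 09:30"},
}

# Fixed, generic wording per notification kind: nothing here varies with the patient.
GENERIC_TEXT = {
    "lab_result": ("New result available", "Open the app to view it."),
    "appointment": ("Appointment update", "Open the app for details."),
}


def build_push_payload(notification_id: str) -> dict:
    """What is actually handed to APNs/FCM: generic title and body plus the opaque id.

    Nothing in the returned dict is PHI, so a lock-screen preview leaks nothing.
    """
    kind = NOTIFICATIONS[notification_id]["kind"]
    title, body = GENERIC_TEXT[kind]
    return {"title": title, "body": body, "data": {"nid": notification_id}}


def fetch_notification(notification_id: str, session: Session,
                       now: Optional[float] = None) -> str:
    """The app fetches the real content only with a live session, and only for its own user."""
    if not session.touch(now):
        raise PermissionError("session expired; re-authenticate")
    item = NOTIFICATIONS.get(notification_id)
    if item is None or item["owner"] != session.user_id:
        # Same error for unknown and foreign ids, so the response does not confirm an id exists.
        raise PermissionError("notification not available")
    return item["detail"]


if __name__ == "__main__":
    session = Session("u-1001", now=0.0)
    print(build_push_payload("n-8f2c"))
    print(fetch_notification("n-8f2c", session, now=60.0))
```

The two timeouts are deliberately separate: the idle timeout protects a phone left on a desk, while the absolute lifetime bounds how long a stolen token stays useful. On a real device the lock must also clear any decrypted PHI from memory and from the screen, which the `lock()` stub only notes in a comment.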

Middleware Server

  • Authentication — every request to the server must authenticate the user before any PHI is returned; prefer short-lived tokens over long-lived credentials stored on the device.
  • Authorization — the server must control access to PHI by assigning roles and privilege levels to users and checking them on every request (a user may read only the records they are entitled to, not any record whose id they can guess).
  • Unique user — HIPAA requires a unique ID for every user and prohibits sharing of login credentials; without it the audit trail cannot say who did what.
  • Regular updates — apply security patches to the OS, runtime and dependencies promptly, so the stack never runs software with known vulnerabilities.
  • Server backups — must be created, tested and securely stored, and must themselves be fully encrypted if they contain PHI. Under the Breach Notification Rule, PHI encrypted according to HHS guidance is "secured" PHI, so its loss or theft does not trigger mandatory breach reporting; unencrypted PHI does.
  • Transport security — on iOS, App Transport Security (ATS) forces the app to reach back-end servers over HTTPS (TLS) instead of HTTP; Android's network security configuration does the same when cleartext traffic is disabled. Do not add exceptions for domains that handle PHI.
  • Network environment setup — separate VPCs (or accounts) for development, QA, staging and production, with no production PHI in the non-production environments.
  • Audit logs — all data usage (user logins, reads, writes and edits) must be logged to separate, append-only infrastructure and archived according to HIPAA retention requirements, generally at least six years. Log the actor, action, resource id and outcome; the log is what answers "who looked at this record?" after an incident.
  • Application logs — no PHI in application logs, crash reports or error messages; log opaque identifiers instead.
  • Cloud/hosting provider — must sign a Business Associate Agreement (BAA) and offer services eligible for PHI workloads.
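An added example of the audit-log requirement in the list above (my code, not the article's): a hash-chained, HMAC'd audit record for logins, reads, writes and edits, with a verifier that reports the first record that has been edited, deleted or reordered. The key, actor ids and resource ids are constructed; in production the key lives in a KMS/HSM and the records are shipped to separate append-only storage, as the checklist says.

```python
"""Tamper-evident audit log for PHI access events (added example, not from the page).

Each record is HMAC'd together with the MAC of the previous record, so deleting,
reordering or editing an entry breaks the chain at that point.  The key, user ids
and resource ids are constructed for illustration; in production the key comes
from a KMS/HSM and records are shipped to separate, append-only storage.
"""
import hashlib
import hmac
import json
from typing import List, Tuple

AUDIT_KEY = b"constructed-example-key-replace-with-kms-managed-key"
GENESIS = "0" * 64
ACTIONS = {"login", "logout", "read", "write", "edit", "delete"}


def _canonical(body: dict) -> bytes:
    # Sorted keys and no whitespace: the same record always serialises to the same bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class AuditLog:
    def __init__(self, key: bytes = AUDIT_KEY):
        self._key = key
        self.records: List[dict] = []

    def append(self, actor_id: str, action: str, resource_id: str, outcome: str, ts: int) -> dict:
        """Record who did what to which resource. resource_id must be an opaque id, never PHI."""
        if action not in ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        body = {
            "seq": len(self.records),
            "ts": ts,                 # seconds since epoch
            "actor": actor_id,        # unique per-user id: shared logins make this useless
            "action": action,
            "resource": resource_id,
            "outcome": outcome,       # "success" / "denied"
            "prev": self.records[-1]["mac"] if self.records else GENESIS,
        }
        mac = hmac.new(self._key, _canonical(body), hashlib.sha256).hexdigest()
        record = dict(body, mac=mac)
        self.records.append(record)
        return record

    def verify(self) -> Tuple[bool, int]:
        """Walk the chain; return (True, count) or (False, index of the first bad record)."""
        prev = GENESIS
        for i, record in enumerate(self.records):
            body = {k: v for k, v in record.items() if k != "mac"}
            if body.get("seq") != i or body.get("prev") != prev:
                return False, i
            expected = hmac.new(self._key, _canonical(body), hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected, record["mac"]):
                return False, i
            prev = record["mac"]
        return True, len(self.records)

    def accesses_by(self, actor_id: str) -> List[dict]:
        """The first question in an investigation: what did this user touch?"""
        return [r for r in self.records if r["actor"] == actor_id and r["action"] != "login"]


def tamper_demo() -> Tuple[Tuple[bool, int], Tuple[bool, int]]:
    """Build a short log, edit one entry as an insider would, and verify both states."""
    log = AuditLog()
    log.append("u-1001", "login", "-", "success", ts=1700000000)
    log.append("u-1001", "read", "rec-7f3a", "success", ts=1700000005)
    log.append("u-1001", "read", "rec-9b10", "denied", ts=1700000009)
    before = log.verify()
    log.records[2]["outcome"] = "success"  # cover up the denied access
    after = log.verify()
    return before, after


if __name__ == "__main__":
    print(tamper_demo())
```

The chain only detects tampering by someone who does not hold the key; an operator with both the key and write access to the store could rebuild every MAC. That is why the checklist puts audit logs on separate infrastructure: ship records (or at least the periodic chain head) to a store the application servers cannot modify, and keep the key in the KMS rather than on the servers that write the log.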

Database Server

  • Encryption — encrypt the database at rest (transparent/volume encryption at minimum, field-level encryption for the most sensitive columns) with keys held in a KMS, and rotate them.
  • Secured connections — every connection carrying PHI must use transport encryption (TLS), enforced by the database server so that a misconfigured client cannot fall back to plaintext.
  • Server backups — the same requirements as for the middleware server: created, tested, securely stored and fully encrypted if they contain PHI.
  • Environment setup — separate VPC per environment (development, QA, staging, production), with no production PHI copied into the others.
  • Cloud/hosting provider — must sign a BAA.

Notification service AWS SNS

  • Enable server-side encryption on any SNS topic that will carry PHI, using an AWS KMS key, before publishing to it.
  • Use the HTTPS API endpoint that SNS provides, never plain HTTP.
  • Keep PHI out of SMS and email deliveries sent through SNS, for the same reason as push notifications: the message body is outside your control once it is delivered.

Media hosting Server AWS S3

  • We have several options for encryption of data at rest when using Amazon S3, including both server-side and client-side encryption and several methods of managing keys.
  • Connections to Amazon S3 that carry PHI must use endpoints that accept encrypted transport (HTTPS); enforce this with a bucket policy that denies requests for which the aws:SecureTransport condition is false, and turn on default bucket encryption so that an object can never be written unencrypted by mistake.
  • We should not use PHI in bucket names, object names, or metadata because this data is not encrypted using S3 server-side encryption and is not generally encrypted in client-side encryption architectures. Use opaque, randomly generated identifiers as object keys and keep the mapping to the patient in the encrypted database.
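The following is an added example (my code, not from the article or from AWS) that serves two checklist items at once: keeping PHI out of application logs (the middleware list above) and keeping it out of S3 bucket names, object keys and metadata. One pattern-based detector drives a logging filter that redacts matches before a line is written, and an upload guard that rejects object keys that are not in an opaque format or metadata that looks like an identifier. The patterns, the assumed key layout and the sample lines are all constructed. Pattern matching only catches identifiers with a fixed shape (SSN, email, phone, dates, IP addresses, MRN-style numbers), which is why the key format itself is restricted rather than scanned for names.

```python
"""PHI detection for application logs and S3 object names/metadata (added example).

One detector serves two rules from the checklist: application logs must not carry
PHI, and S3 bucket names, object keys and metadata are not covered by S3 encryption
so must not carry PHI either.  Patterns, key layout and sample lines are constructed.
"""
import io
import logging
import re
from typing import Dict, List

# Identifiers with a recognisable shape.  Names, addresses and free text cannot be
# caught mechanically, which is why object keys are restricted to an opaque format below.
PHI_PATTERNS = {
    "ssn":   re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    # Separators are required so that 10-digit timestamps and ids are not flagged as phones.
    "phone": re.compile(r"\(?\b\d{3}\)?[ .-]\d{3}[ .-]\d{4}\b"),
    "date":  re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"),
    "ipv4":  re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "mrn":   re.compile(r"\bMRN[ :#-]*\d{4,}\b", re.IGNORECASE),
}


def find_phi(text: str) -> List[str]:
    """Names of the identifier types found in text, in PHI_PATTERNS order."""
    return [name for name, pattern in PHI_PATTERNS.items() if pattern.search(text)]


def redact(text: str) -> str:
    for name, pattern in PHI_PATTERNS.items():
        text = pattern.sub(f"[{name.upper()} REDACTED]", text)
    return text


class PhiRedactingFilter(logging.Filter):
    """Rewrites each record's formatted message before any handler writes it out."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


def capture_log(message: str, *args) -> str:
    """Log one line through the filter and return what would have reached the log file."""
    stream = io.StringIO()
    logger = logging.getLogger("phi-demo")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(stream)
    handler.addFilter(PhiRedactingFilter())
    logger.addHandler(handler)
    logger.info(message, *args)
    handler.flush()
    return stream.getvalue().rstrip("\n")


# Assumed key layout: <tenant-slug>/<random 128-bit hex id>.<enc|bin>.  The mapping from
# id to patient record lives in the encrypted database, never in the key itself.
OBJECT_KEY_RE = re.compile(r"^[a-z0-9-]+/[0-9a-f]{32}\.(?:enc|bin)$")


def check_s3_object(key: str, metadata: Dict[str, str]) -> List[str]:
    """Problems that must block an upload: a non-opaque key, or PHI-like key or metadata."""
    problems = []
    if not OBJECT_KEY_RE.fullmatch(key):
        problems.append(f"object key is not in the opaque format: {key!r}")
    key_hits = find_phi(key)
    if key_hits:
        problems.append(f"object key looks like PHI: {key_hits}")
    for name, value in metadata.items():
        hits = find_phi(f"{name}={value}")
        if hits:
            problems.append(f"metadata {name!r} looks like PHI: {hits}")
    return problems


if __name__ == "__main__":
    print(capture_log("password reset for %s from %s", "jane@example.org", "203.0.113.9"))
    print(check_s3_object("jane-doe-xray-04/11/1982.png", {"patient-email": "jane@example.org"}))
```

Treat the redacting filter as a safety net, not the control: the real fix is structured logging that records opaque ids in the first place, so that nothing needs redacting. The upload guard is the stronger of the two because it enforces a positive format rather than trying to recognise every kind of identifier.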

If you have any questions around building HIPAA compliant app then please feel free to reach out to us.
