Achieving HIPAA Compliance with Mobile Devices

Last year, Google Fit and Apple Health brought health applications into the mainstream. While these devices can provide a wealth of data for app developers looking to help consumers get more out of their wearables, the data itself may fall under the scope of Federal laws protecting patient health information under HIPAA. Developers unfamiliar with this space must learn how to maintain HIPAA compliance.

So, how can mobile app developers make sure that their applications protect personally identifiable health information and avoid incurring HIPAA violations (and the fines that come with them)? In this article, we’ll explore ways developers can get ahead of the curve and ensure that they’re making the right choices to protect patient data.

In This Article

• Study: Health IT Will Change Rapidly
• Possible PHI Issues
• Example: Mobile HIPAA Provider Selection Story
• A Simple and Predictable Plotline

Study: Health IT Will Change Rapidly

Two major trends, a boost in cloud adoption among healthcare providers and a drop in the expenses to deploy systems, will significantly impact the American HIT market through 2018, per a whitepaper released last year.

The report, created by the consultancy RNCOS, forecasts that health IT  will expand at a CAGR of almost 10%.  How good is 10%?  The creation of increasingly better technologies and public-sector promotion for this type of application (e-health applications) will contribute to the strong growth rate of this sector.  As an example, the Economist Intelligence Unit and International Monetary Fund agree that the US GDP growth rate will be around 3% over the same period.

Remember, though, that this isn’t just a time of growth but a time of change.  For health, IT to be delivered as effectively as possible, resulting in better care and better ROI, a complex network of stakeholders (doctors, insurance companies, pharmaceutical firms, medical device manufacturers, drugstores, and patients) must work collaboratively.

“The full value of health IT is realized when all parties come to the table to ensure data liquidity and ultimately, information and support flowing to people and patients,” advised health management consultant Sarasohn-Kahn. “More value can be derived when technologies don’t add costs but conserve costs and resources.”

Possible PHI Issues

If your technology handles personal health information that falls under the scope of Federal law, it can be critically important to protect your business from fines from the US Office for Civil Rights. If you are creating a mobile app (whether for wearables or standard smart devices), you want to know the parameters of HIPAA compliance. Compliance is necessary specifically for systems that have two characteristics:

1. Use health data that is personally identifiable (PII in some form).
2. Exchange the data with healthcare providers (PHI, much of it patient-generated health data).

If your application meets those two criteria, you must be intimately familiar with the law – especially the privacy, security, and breach notification rules.  Consider the issues you can run into with protected health information in the mobile arena:

1. Mobile devices are often stolen.  If PHI is unencrypted, you could end up with a fine.
2. The device typically provides access to email and social media.  Accidental posting could occur.
3. Push notifications and other features could represent violations.
4. You could have instances of purposeful or accidental sharing of protected health information between users.
5. If a user turns off the password protection that locks the phone’s screen, anyone present could access immediately visible data.
6. Since mobile devices are often smaller, many users shorten their passwords (thereby making them less secure), so it’s easy to get online.

Developers can’t control against all those scenarios, but they can ensure they maintain compliance on behalf of their customers and themselves (as of 2013).

Example: Mobile HIPAA Provider Selection Story

Below is a snippet from a developer selecting a solution for a HIPAA-Compliant Hosting mobile application, anonymized and edited for privacy.  The intention here is to look at questions and concerns rather than the specs of particular plans.

Note that we’re looking at an excerpt from the middle of their back-and-forth, right after the Hosting Consultant has explained the 12-month agreement.

Healthcare Client:

1. So what would be the penalty if we break the agreement or would like to move to a different establishment?
2. Do you have any referral incentives since this will be for our client?
3. The business associate agreement will be between the business owner and you folks?

Hosting Consultant:

Here are the answers to your questions.

1. You would be responsible for the balance of the term of the agreement.  So if you
   canceled after six months, you would owe us another six months.
2. Will the HIPAA Hosting agreement be under the name of your company or under the name of your client (which means that they would be paying the monthly bill)?
3. It will be if your client is signing the HIPAA hosting agreement and paying the bill.

Healthcare Client:

Since we are managing the application, we typically overlook the hosting as well.  However, the owner of the application is our client.  So is it possible that we will manage the application and hosting issues, but the business (application owner) signs the agreement and pays through us?

Hosting Consultant:

I have permission to provide you with pricing based on a 6-month agreement.  I have attached the updated pricing.

A Simple and Predictable Plotline

Do you need HIPAA compliance for an e-health application?  Work with the mobile HIT industry leader.  Make sure there aren’t any surprises in your success story.

“[Atlantic.Net’s] financial strength and proven track record are something we view with great confidence,” commented Complete Healthcare Solutions VP Joseph Nompleggi.

Choose Atlantic.Net, and you can mobilize healthcare with confidence.