4 Things to Keep in Mind about HIPAA Compliance
HIPAA was created about two decades back, when mobile applications had not even been envisioned. Today, developers are creating applications that fall within the purview of HIPAA compliance. This wide time gap has made HIPAA a challenge for developers who try to apply a 20-year-old law to the rapidly changing face of technology, and several aspects of the law make it difficult to identify which apps must be HIPAA compliant.
At a broader level, the spirit of HIPAA is to prevent any unauthorised access to protected health information (PHI), whether in transit or at rest. Any health application or software that gathers, stores, or shares PHI with covered entities (such as doctors and hospitals) has to be HIPAA compliant. PHI includes medical records, images, scans, appointment dates, and any other kind of personal health data, such as sleep patterns, readings including blood glucose, blood oxygen saturation and blood pressure, and study records such as electrocardiogram tracings. Any such data that can be measured, stored, or shared for feedback falls under HIPAA regulation.
To ensure that your application stays within the HIPAA framework, here are a few pointers that can help you understand the preconditions.
- Exchanging protected health information (PHI): This is the foremost trigger for HIPAA. If the application has any chance of storing, collecting, managing or transmitting PHI, it must conform to HIPAA regulatory compliance.
- The channels used for sending the information should be secure: HIPAA regulations were mandated with the sole aim of protecting patient information. E-mail services that are not HIPAA compliant do not encrypt the content of the messages they carry. It is hence important to understand which content categories must be strictly kept out of such mails. Where such content has to be sent, the safer bet is to send it through a HIPAA-compliant e-mail service provider.
- PHI should not be sent over push notifications: Push notifications appear on the phone's screen and can be read by anyone nearby, even while the phone is locked. It is hence critical to ensure that no information which falls in the category of PHI is ever included in a push notification sent to a mobile phone.
- Your app could fall under the category of a medical device: Mobile applications that deal with PHI can also be classified as "medical devices". Such medical devices need to be compliant with FDA regulations, in addition to HIPAA mandates.
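The push-notification pointer above in code, as an added example that is not from the article: the payload carries only generic text and an opaque token that the app redeems server-side after the user has signed in, and a guard rejects any payload in which a PHI key or value still appears. The PHI field names and the sample record are assumptions made for the example.

```python
"""PHI-free push notifications: the device gets a generic prompt plus an
opaque reference; the PHI itself is fetched only after in-app authentication.
Added example, not code from the original article."""
import secrets

# Hypothetical set of record fields this app treats as PHI (assumption).
PHI_FIELDS = {"patient_name", "diagnosis", "result", "appointment_time", "provider"}

# Constructed sample record; every value here is made up.
SAMPLE_RECORD = {
    "record_id": "lab-0007",
    "patient_name": "Jane Example",
    "diagnosis": "Type 2 diabetes",
    "result": "HbA1c 8.1%",
}


def find_phi_leaks(payload, record):
    """Return the PHI fields whose key or value appears anywhere in the payload."""
    flat = " ".join(f"{k} {v}" for k, v in payload.items()).lower()
    leaks = set()
    for field in PHI_FIELDS.intersection(record):
        if field in payload or str(record[field]).lower() in flat:
            leaks.add(field)
    return leaks


def build_push(record, token_store):
    """Produce a lock-screen-safe payload: generic title and body plus an
    opaque token that the authenticated app exchanges for the record id."""
    token = secrets.token_urlsafe(16)
    token_store[token] = record["record_id"]  # resolved only after app login
    payload = {
        "title": "New message from your care team",
        "body": "Open the app to view it.",
        "ref": token,
    }
    # Defence in depth: refuse to send if PHI slipped into the payload anyway.
    leaks = find_phi_leaks(payload, record)
    if leaks:
        raise ValueError(f"PHI would leak via push: {sorted(leaks)}")
    return payload
```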
HIPAA compliance mandates the fulfilment of several requirements, both technical and non-technical in nature. These requirements are not prescriptive, however, and mere compliance doesn't mean much to hospitals or customers. One needs a robust compliance program that addresses the compliance obligations in consonance with the environment and consumer needs.
While the above are the major pitfalls that a developer can avoid, an easier option is to work with companies which offer HIPAA-compliant services and have the expertise and professional experience in the domain. Such service providers offer technical as well as physical protection for the transmission, storage, collection and management of PHI.