Issues Around HIPAA-compliant Development
HIPAA compliance issues affect medical practices, insurance companies and eCommerce companies that sell medical devices, equipment and the increasingly popular fitness apps that measure key health and fitness functions. HIPAA, the Health Insurance Portability and Accountability Act, was passed in 1996; its Privacy Rule took effect in 2003 and its Security Rule in 2005. The act mandates privacy protection for confidential health records, including written and oral disclosures and electronic health or medical records (EHRs and EMRs). Its obligations fall on covered entities (health care providers, health plans and clearinghouses) and on the business associates that create, receive, store or transmit protected health information on their behalf.
App Development for eCommerce
App development has become critical for eCommerce companies, and consumers have embraced apps in a big way for their Internet-connected devices. Mobile apps sell in locations like Apple's App Store, Blackberry App World, Google Play and the Windows Phone Store, and more than 100 billion apps had been downloaded from Apple's store as of the middle of 2015. eCommerce companies in particular get strong cost-value results by developing proprietary apps for their customers, because these applications make it easier to order on mobile devices and provide shortcuts for many online activities. Fitness and health apps, which fall under the HIPAA Privacy and Security Rules when they are offered by or on behalf of a covered entity or business associate, have become increasingly in demand on eCommerce websites. Fitness app usage is growing 87 percent faster than the overall app market, according to TechCrunch.
Wearable Applications Gain Traction
The latest generation of wearable applications monitors physical activity, health conditions and fitness metrics such as calories burned, steps taken and distance covered. Consumers are embracing wearable apps that are built into clothes and accessories and can track, record and store metrics like blood pressure, pulse rates and glucose levels, information that becomes protected health information under HIPAA once a covered entity or its business associates hold it. These products and their related apps provide bonanzas for eCommerce companies, but they also create new places where health information can leak. Private medical practices, insurance companies and wholesalers and retailers of medical devices and fitness apps must comply with HIPAA rules or face fines, penalties, lawsuits and damaged customer relations on top of the breaches themselves.
HIPAA Requirements for App Developers
Recent launches of Google Fit and Apple Health underscore how important it is to understand the law when developing apps. Not all healthcare apps fall under HIPAA rules: the question is not only what the app does with health information but for whom. If an application collects, stores, transmits or shares health information for, or on behalf of, a covered entity or business associate, it must comply with HIPAA.
- If an app sends or shares health information among doctors, medical staff workers, hospitals, clinics or insurance companies, it must meet HIPAA Privacy and Security Rules.
- If an app shares information with a covered entity or business associate, it must be HIPAA compliant.
- Apps that provide generic information about health, various illnesses, nutrition and similar matters don't necessarily need to comply with HIPAA, but they might if customers can use the apps to store personal health information.
- Developers can reduce breach exposure by enforcing strong authentication (mandatory passcodes or biometrics at the app level, not only the device lock) and by supporting remote wipe so that PHI can be cleared from lost or stolen mobile devices.
- App developers whose apps are subject to HIPAA rules need plans for logging and monitoring access to PHI, retaining usage history, investigating breaches and correcting the weaknesses that allowed them; the Security Rule's audit-control requirement expects exactly this.
- If a breach occurs, the HIPAA Breach Notification Rule requires that affected individuals be notified, along with HHS and, for large breaches, the media. A developer acting as a business associate must promptly notify the covered entity so that those notifications go out.
- Encryption of PHI at rest and in transit is essential in apps that are subject to HIPAA rules. The Security Rule lists encryption as an addressable specification rather than a required one, but PHI encrypted according to HHS guidance is treated as secured, so its loss does not trigger breach notification, while the loss of unencrypted PHI does.
Proactive App Development
Programmers for eCommerce apps need to think outside the app and anticipate that customers might use apps in ways the designers never expected. Anonymous data cease to be anonymous when customers use their apps and devices to store medical details like disease symptoms, personal health benchmarks and other protected health information (PHI), including mental health indications and symptoms of mental disorders. HIPAA's reach depends on who handles the data rather than on what the device was built for: health information a user enters into an app offered by, or on behalf of, a covered entity or business associate is PHI even if the app was never intended to collect it. Examples of unexpected app uses, and the design questions they raise, include:
- Storing information about medical appointments and health care providers
- Diaries of appointments that include specific dates of service that could be used to identify patients
- Sharing symptoms or recovery times with other covered entities, individuals or business associates
- Sending emails from an app, which might breach privacy because email is not encrypted end to end
- Messaging users from within the app, because unprotected communications could expose information to data breaches
- Using third-party services, such as TrueVault and others, to enable communications between a covered entity's database and the customer app's database (a third party that handles PHI is a business associate and needs a business associate agreement)
- Considering how push notifications, which can appear on a locked screen, could expose confidential information on devices that are used in public settings
- Researching FDA regulations to determine whether any given app could be considered a medical device, which brings regulatory obligations separate from HIPAA
- Understanding that passive devices that record activities like REM sleep, sleep habits, muscle use and respiration rates could be subject to HIPAA
Developers should consult attorneys and agencies like the Department of Health and Human Services (HHS) and its Office for Civil Rights as part of their due diligence when building health-related apps. Regulations and enforcement guidance change often, so it's important to anticipate unexpected app uses and make apps that comply with HIPAA before launching eCommerce initiatives. The fines for HIPAA noncompliance are steep and could easily neutralize any expected profits or benefits of customers using noncompliant apps. Err on the side of caution by developing apps that are HIPAA compliant.
If a database contains any kind of protected health information, that information must be encrypted. Apps that share information with other systems must also let those systems find records, which means decryption keys, or an alternative such as a keyed search index, have to be distributed deliberately and only to parties authorized to read the data; every party that can decrypt is a party that can breach. Developers should also vigorously recommend that their customers use passcodes for their devices and apps. Although it's impossible to force customer compliance with passcode best practices, developers can build roadblocks (such as requiring app-level authentication before PHI is displayed) and incentives into their apps to encourage compliance.
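The encrypted-storage and search requirement above, as an added example in Python that is not code from the article or from Clarity: PHI fields are encrypted per record with an integrity tag bound to the row and column, and exact-match lookup (here by email address) uses a keyed blind index so the search side never needs the decryption key. The record layout, field names, key labels and patient rows are constructed for illustration. The cipher is an encrypt-then-MAC construction from HMAC-SHA256 in counter mode so that the file runs on the standard library alone; in production you would use a vetted AEAD such as AES-256-GCM from a maintained library and keep the master key in a KMS or HSM rather than next to the database.

```python
"""Field-level encryption of PHI with a keyed blind index for exact-match lookup.

Added example, not code from the article or from Clarity. The record layout,
field names, key labels and patient rows are constructed for illustration.
The cipher is encrypt-then-MAC built from HMAC-SHA256 in counter mode so the
file runs on the standard library alone; in production use a vetted AEAD such
as AES-256-GCM from a maintained library, and keep the master key in a KMS or
HSM rather than next to the database.
"""
import hashlib
import hmac
import os
import unicodedata

NONCE_LEN = 16
TAG_LEN = 32


def derive_subkeys(master_key: bytes) -> dict:
    """One key per purpose. A search service holding only keys['index'] can
    locate rows but cannot read them; decryption needs 'enc' and 'mac'."""
    return {label: hmac.new(master_key, b"phi-" + label.encode(), hashlib.sha256).digest()
            for label in ("enc", "mac", "index")}


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:  # PRF(nonce || counter) blocks, 32 bytes each
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _aad(record_id: str, field: str) -> bytes:
    # Associated data: binds the ciphertext to its row and column.
    return f"{record_id}\x00{field}\x00".encode("utf-8")


def encrypt_field(keys: dict, record_id: str, field: str, plaintext: str) -> bytes:
    """Returns nonce || ciphertext || tag. Because the tag covers record_id and
    field, a blob cut from one patient's row cannot be pasted into another's."""
    nonce = os.urandom(NONCE_LEN)
    data = plaintext.encode("utf-8")
    ct = bytes(a ^ b for a, b in zip(data, _keystream(keys["enc"], nonce, len(data))))
    tag = hmac.new(keys["mac"], _aad(record_id, field) + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_field(keys: dict, record_id: str, field: str, blob: bytes) -> str:
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("PHI field blob is truncated")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(keys["mac"], _aad(record_id, field) + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time check, before any decryption
        raise ValueError("PHI field failed integrity check")
    data = bytes(a ^ b for a, b in zip(ct, _keystream(keys["enc"], nonce, len(ct))))
    return data.decode("utf-8")


def blind_index(index_key: bytes, value: str) -> str:
    """Deterministic keyed hash of the normalized value: equal inputs give equal
    indexes, so 'find the row for this email' works without the decryption key.
    Truncated so a dumped table leaks less than a full hash per row."""
    norm = unicodedata.normalize("NFKC", value).strip().lower()
    return hmac.new(index_key, norm.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def store_patient(table: list, keys: dict, record_id: str, email: str, diagnosis: str) -> None:
    """Only ciphertext and the blind index reach storage; plaintext PHI never does."""
    table.append({
        "id": record_id,
        "email_idx": blind_index(keys["index"], email),
        "email": encrypt_field(keys, record_id, "email", email),
        "diagnosis": encrypt_field(keys, record_id, "diagnosis", diagnosis),
    })


def find_by_email(table: list, index_key: bytes, email: str) -> list:
    needle = blind_index(index_key, email)
    return [row for row in table if row["email_idx"] == needle]


def rejects(keys: dict, record_id: str, field: str, blob: bytes) -> bool:
    """True when decryption refuses the blob (wrong key, wrong row, or tampering)."""
    try:
        decrypt_field(keys, record_id, field, blob)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    keys = derive_subkeys(os.urandom(32))
    table = []
    store_patient(table, keys, "p-001", "jane.doe@example.com", "Type 2 diabetes")
    row = find_by_email(table, keys["index"], " Jane.Doe@Example.COM ")[0]
    print(row["id"], decrypt_field(keys, "p-001", "diagnosis", row["diagnosis"]))
```

The blind index reveals equality (two rows with the same email share an index value), so it suits identifiers with many distinct values such as email addresses or record numbers, not low-cardinality fields like a diagnosis, where frequency alone would give the contents away. Key separation is the practical answer to the sharing problem: the party running searches gets the index key, the party that is authorized to read PHI gets the encryption and MAC keys, and neither key lives in the database that holds the ciphertext.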
HIPAA Compliant Design Issues Challenge eCommerce Platforms
HIPAA-compliant apps generate the kind of marketing and promotional benefits that take center stage in eCommerce. These consumer apps are increasingly important because they provide strong value to customers while promoting greater loyalty and ordering convenience. However, eCommerce websites and business operations accomplish tremendous things in background operations that don't get as much attention as apps unless something goes wrong. Customers expect complementary and consistent websites and Web pages as standard because they routinely entrust their medical and billing information to these sites. If the design of a website or app isn't appealing, customers won't use either resource, so front-end design issues are critical. Other important business issues include having easy-to-navigate Web architecture, a searchable catalog, multiple shipping options and automatic calculation of sales taxes, value added taxes and import duties. Security issues, especially for wholesale customers who might themselves be covered entities or business associates under HIPAA rules, are of paramount importance. All these issues depend on each company's eCommerce platform, and HIPAA-compliant website integrations are just one aspect of the demands that are placed on eCommerce software.
How Clarity Can Help
At Clarity, we can't guarantee that your apps or website are HIPAA compliant, and no organization can certify compliance because the Department of Health and Human Services doesn't endorse certifications made by private companies, but we can provide technical assistance, encryption and decryption resources, audit and management tools and integrated and secure access procedures for eCommerce. HIPAA regulations are among the most complex and extensive rules that any eCommerce company faces, and we can simplify compliance by providing intuitive eCommerce features, secure integrations that address the technical, physical and administrative safeguards of the HIPAA Security Rule and customized eCommerce solutions for your business and customer-satisfaction needs. Our team of engineers can help you code your apps in C#, ASP.NET, HTML5, CSS, Ruby and other languages and frameworks, and recommend third-party HIPAA-development partners, because we have decades of combined experience solving eCommerce problems with Web applications. Call or contact Clarity today for a consultation about HIPAA compliance or a free price quote.
Statista: Statistics and facts about mobile app usage, www.statista.com
TechCrunch: Fitness App Usage Is Growing 87% Faster Than The Overall App Market, www.techcrunch.com