5 minutes read

Is My MedTech App Idea HIPAA Compliant?

By Robert Kazmi

From social media platforms selling mined personal data to record identity fraud numbers, privacy on the Internet is all over the news. People want apps to be as connected and convenient as possible, yet they need all of their personal information kept secure and safe. This is quite a tightrope to walk for MedTech companies entering the booming medical app world. But make no mistake: due to the exponential growth of connectivity through expanding networks and devices, the mobile medical app market is expected to hit over $102 billion in the next four years, according to this study. That’s an opportunity you don’t want to miss, so making sure your MedTech app follows the HIPAA privacy rules before launching it is a must. Let’s look at the HIPAA compliance rulebook and see what needs to be done.

What is HIPAA?

Introduced in 1996 by the U.S. Department of Health and Human Services, the Health Insurance Portability and Accountability Act (HIPAA) was signed into law in order to create national standards protecting the privacy of individuals’ medical records and personal health information. It prohibits the unauthorized transfer or sharing of medical information, known as Protected Health Information (PHI), whether physically or electronically.


The legislation was recently expanded to encompass not only healthcare providers and employees, but “all entities dealing with storage, management, recording, and passing PHI to be HIPAA compliant.” If you’re developing a medical app that in any way uses PHI, then that’s you. Don’t think it’s that big of a deal? Penalties range from civil fines of $100 for someone unaware of the rules to criminal penalties of up to $1.5 million and up to 5 years in jail for those who knowingly and repeatedly violate the law. That should get your attention.

Where Do I Start?

Let’s look a little closer. A covered entity, the organization or individual that must be HIPAA compliant, includes any healthcare professional that would have access to PHI. This ranges from health insurance brokers to pharmacies, doctors to nursing homes…basically, anyone who could see any or all of a patient’s PHI. It also includes “business associates”: anyone doing business with or providing services for the covered entity. That’s a lot of entities to keep track of, and the rules apply to both the transmitter and the receiver of PHI.

Now, if the app you are developing falls under the HIPAA legislation, you have certain obligations to responsibly safeguard this information: technical safeguards (covering the health data itself), physical safeguards (covering the medical device and any media), and administrative safeguards (covering who is trained and authorized to access the PHI). All of these need to be accounted for, so in addition to making sure all three safeguards are firmly in place, you also need to ensure that your whole team and any business associates you work with are trained and know to use the minimum amount of PHI necessary to carry out any given task.

What Does PHI Consist Of?

This section seems basic, but you might be surprised by how many bits of personal information would constitute a HIPAA violation if improperly handled. Here’s a full list of all the pieces of information that are protected; more than we can list here, but anything from a zip code to a phone number can count against you. Knowing this, you’ll need to establish a firm privacy policy with your team and your developers, along with the required training. This may cause some folks to walk on eggshells, but the earlier they all know the rules, the better they’ll adjust. Keeping only the absolute minimum amount of PHI your MedTech app needs accessible is also a good rule of thumb, because if it’s not available, no one can make the mistake of improperly sharing it.

How Can I Make a HIPAA Compliant App?

We’ve got a significant list of things not to do, so what should you do in the early stages of developing your mobile medical app idea to ensure that you won’t get into any of this trouble? The first thing you should do is find an expert. There are HIPAA and other digital security experts who can analyze your app and guide you through the various steps and precautions needed to make it compliant. Measures like thoroughly encrypted data and transmissions, several stages of authentication, and continuous security validation are necessary to keep these apps HIPAA compliant, and they must cover every platform and operating system your app might run on. Truth be told, it’s unlikely you’ll get any significant investors or successful developers to jump on board unless you’ve put fully compliant measures in place before you start.

Setting the Record(s) Straight

Hey, we don’t want to scare you here. True, the penalties can seem truly intimidating, but in this booming market, you shouldn’t let regulations stop your plans for a truly innovative app…plus, it’s entirely possible that your app won’t require any HIPAA accommodations at all. The important thing to take away is that proper planning before you start development will save you time and money throughout the whole process, so it’s worth consulting with an agency that can provide advice and solutions from the get-go. After all, the customer is king; keeping their privacy interests in mind is just good business.

Do you have a MedTech app idea? Check out the MedTech app we developed for Luna to see if you like our work and find us to be a good fit for your great idea!
