This is a guest post from Gene Fry, VP of Compliance for Scrypt. Scrypt is healthcare’s document platform that transforms your workflow via a HIPAA-compliant cloud-based environment.
When developing a healthcare app, determining whether it needs to meet HIPAA requirements can be difficult. For developers, consumers, and organizations alike, the rules around healthcare apps and HIPAA are complex.
Healthcare App Complexity and Security Concerns
Criticism of HIPAA's language was raised with Congress last year because many developers find it hard to understand and do not see how it applies to apps. Additionally, the HHS guidance on remote use of ePHI has not been updated since 2006, which makes it difficult for developers to tell whether their apps must be built to comply with the HIPAA Security Rule.
The Health Information Technology for Economic and Clinical Health Act (HITECH) extended HIPAA obligations directly to business associates: anyone who creates, receives, maintains, or transmits identifiable health information on behalf of a covered entity. An app a consumer chooses to use on their own, however, is generally not covered by HIPAA, because the app developer is neither a covered entity nor acting as a business associate of one; in many such apps the data also never leaves the user's device. The healthcare organization or researcher becomes responsible for the use and protection of electronic protected health information (ePHI) collected by the app only once it is sent to them.
Additionally, HIPAA rules apply only to protected health information, so data an app transmits that contains no individually identifiable information does not need to be protected under HIPAA. The caveat is that "de-identified" has a specific meaning under the Privacy Rule (45 CFR 164.514): either remove all of the Safe Harbor identifiers, which include dates more specific than a year, device identifiers, and IP addresses, or have a qualified expert determine that the risk of re-identification is very small. Stripping a name or account number from a record is not enough on its own.
Concerns about the lack of compliance and regulation around these apps have been raised, especially since the launch of Apple's open-source ResearchKit framework, which lets researchers collect data from medical trial participants when used together with HealthKit, the API it builds on. As it stands, there is little vetting of the credentials of the developer or organization building the app; they only need institutional review board (IRB) ethics approval for the app to appear in the App Store. Without proper vetting of app creators, rogue parties could build apps that collect medical data for fraudulent purposes. Though most people developing healthcare apps are legitimate and will follow HIPAA, the ability to collect medical information under a veil of legitimacy may leave participants vulnerable.
Organizations that have already used the ResearchKit framework to collect data have been cautious about the way they collect, transmit, and store the information. Eric Schadt, director of the Icahn Institute at Mount Sinai, is responsible for a number of medical studies using ResearchKit. He says the data is encrypted when transmitted, and the cloud systems storing the information are HIPAA compliant: “We meet or exceed industry standards regarding the secure communication and storage of sensitive data.”
Developing a HIPAA-compliant App
Many healthcare providers already use apps to access and transmit ePHI, which helps them treat patients more efficiently. These apps often allow access to information stored on a secure cloud, eliminating the need for paper records and minimizing the risk of data breaches. These organizations are usually aware of HIPAA compliance, and they are likely to have conducted in-depth research before selecting a vendor responsible for keeping data secure once it has left the app.
In short, the medical researcher or developer behind an app that collects ePHI is responsible for HIPAA compliance once the data has been shared with them. For those unfamiliar with HIPAA who are considering developing an app, your first step is to find out whether the data you collect would be subject to HIPAA rules. If so, ensure your app has:
- A back-end system in place that meets the HIPAA Security Rule's administrative, physical, and technical safeguards
- Consent from the consumer, including a clear statement of how their data will be used
- Access only through an authenticated login, with a unique identifier per user so that every action can be traced to an individual
- Encryption of data in transit (TLS with current cipher suites; never plain HTTP)
- Data stored on a HIPAA-compliant server and encrypted at rest
- HIPAA-compliant data sharing within the organization, across a network, or between applications, backed by a business associate agreement with any vendor that handles the ePHI
- Audit controls: tamper-evident logs of who accessed or modified ePHI and when, plus integrity checks that detect unauthorized modification
- Regular security updates to the app and its dependencies
- The ability to wipe ePHI from a device remotely if it is lost or stolen
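The audit-control item is the one most often reduced to "we have logs". As an added example (not code from the original post, from Scrypt, or from any vendor mentioned here), the stand-alone Python sketch below shows what a tamper-evident ePHI access log looks like: each event is HMAC-chained to the previous entry, so a verifier can detect an entry that was modified, reordered, or deleted after the fact. The key, the user and patient identifiers, and the timestamps are constructed for illustration; a real deployment would keep the key in a KMS or HSM and persist entries to append-only storage.

```python
import hashlib
import hmac
import json
import time
from typing import List, Tuple

# Assumed server-side secret for this example only. In production it comes from a
# KMS or HSM and is never embedded in source.
AUDIT_KEY = b"example-audit-key-not-for-production"
GENESIS = "0" * 64  # placeholder "previous MAC" for the first entry


def _entry_mac(key: bytes, prev_mac: str, record: dict) -> str:
    """HMAC-SHA256 over the previous entry's MAC plus the canonical JSON of this record.
    Chaining on prev_mac is what makes deletion or reordering detectable, not just edits."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_mac.encode() + canonical, hashlib.sha256).hexdigest()


class AuditLog:
    """Append-only log of ePHI access events: who touched which patient's data, how, and when."""

    def __init__(self, key: bytes = AUDIT_KEY):
        self.key = key
        self.entries: List[dict] = []

    def append(self, user_id: str, patient_id: str, action: str, ts: float = None) -> dict:
        record = {
            "seq": len(self.entries),
            "ts": ts if ts is not None else time.time(),
            "user": user_id,        # the unique user ID from the login step
            "patient": patient_id,
            "action": action,       # e.g. "read", "update", "export"
        }
        prev = self.entries[-1]["mac"] if self.entries else GENESIS
        entry = {"record": record, "mac": _entry_mac(self.key, prev, record)}
        self.entries.append(entry)
        return entry

    def verify(self) -> Tuple[bool, int]:
        """Walk the chain from genesis. Returns (True, -1) if intact, otherwise
        (False, index) of the first entry whose sequence number or MAC does not check out."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            record = entry["record"]
            expected = _entry_mac(self.key, prev, record)
            if record.get("seq") != i or not hmac.compare_digest(expected, entry["mac"]):
                return False, i
            prev = entry["mac"]
        return True, -1


def demo() -> dict:
    """Constructed sample events, followed by two tampering attempts a verifier must catch."""
    log = AuditLog()
    log.append("dr.smith", "patient-001", "read", ts=1700000000.0)
    log.append("nurse.lee", "patient-001", "update", ts=1700000060.0)
    log.append("dr.smith", "patient-002", "export", ts=1700000120.0)
    intact = log.verify()

    # Tampering 1: an insider rewrites entry 2 to hide who exported the record.
    tampered = AuditLog()
    tampered.entries = json.loads(json.dumps(log.entries))  # deep copy via JSON round-trip
    tampered.entries[2]["record"]["user"] = "nobody"
    modified = tampered.verify()

    # Tampering 2: the update event is deleted outright; the seq numbers and the chain both break.
    truncated = AuditLog()
    truncated.entries = json.loads(json.dumps(log.entries))
    del truncated.entries[1]
    deleted = truncated.verify()

    return {"intact": intact, "modified": modified, "deleted": deleted}


if __name__ == "__main__":
    print(demo())
```

This gives detection, not prevention: someone holding the HMAC key can re-chain the whole log. It only satisfies the audit-control and integrity requirements when paired with write-once storage for the entries and a key that the application servers can use to sign but that operators cannot read, so that "fix the log" is not a one-person job.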
If in doubt when creating an app, select a vendor with a proven track record of providing back-end solutions that meet HIPAA requirements, and put a business associate agreement in place with them before any ePHI flows. Organizations planning to develop a healthcare app should do all they can to protect healthcare information. After all, a secure app login and encryption of data in transit are steps all developers should take, regardless of whether the data is sensitive.
* * *
Looking for more advice on HIPAA compliance, secure data sharing, and cloud computing in healthcare?
Make sure to check out the upcoming BoxWorks conference, September 28-30, where you can learn about lightweight, agile tools for healthcare providers. Hear how key healthcare executives use Box to eliminate insecure file sharing and the potential for data breach and data loss while increasing employee mobility and virtualization. Industry experts include Bill Russell, CIO of Saint Joseph Hospital; Dr. Sam Sayson, VP of Operations at Providence and Anesthesiology Associates; and Craig Guinasso, Chief Security Officer at Genomic Health.