Is your telehealth app HIPAA compliant? 

Because, these days 92% of healthcare providers use non-HIPAA compliant messaging applications, revealed a study

Following the COVID-19 lockout, app usage has doubled, and App Annie supports evidence that people are now investing 20 percent more time in applications. 

And amidst these unprecedented circumstances, when sensitive doctor-patient information is being exchanged through telehealth technology, it is crucial that you be aware of HIPAA privacy, and why we need to be wary of this now more than ever.

Why is it Important for Apps to be ‘HIPAA Compliant’?

As a patient, it’s for your safety 

Well, If you asked the 32 million patients whose records were breached in the first half of last year (2019), they would say ‘obviously for security reasons’. 88 percent of those breaches were caused by hacking. If that doesn’t suffice either, then take it from a recent study: this recent study by the Ponemon Institute explores that healthcare data sells for 250% more than any other type of information on the dark web. Data, after all, is the digital currency.  

Over the past five years, the number of data breaches in the healthcare sector has increased dramatically. And although cyberattacks are on the rise in all sectors, the healthcare sector is particularly susceptible.

With the availability of healthcare to patients in isolation due to COVID 19 – to put a full stop to virus spread – it is necessary to avoid non-HIPAA compliant apps for your own good.

HIPAA safeguards patients from prevalent crimes linked to fraud involving personal data as well as identity theft. 

As a fine-fearing healthcare provider, to avoid ‘colossal’ fines

Any single instance of data theft could result in a fine of $100 to $50,000. Where a data breach occurs due to a hospital’s failure to follow HIPAA standards, each person whose data has been compromised is a separate case, meaning a fine is payable to each individual with data compromised.

In fact, there are several cases of hospitals facing fines because their devices or software wasn’t amply safe. For example, in 2015, a Massachusetts hospital received a $218,000 fine for having risked data of almost 500 patients. Their medical application for file sharing had failed to comply with the basic HIPAA security standards.

And if you’re someone without any previous knowledge of ‘Hipaa Compliance’ then you are in luck because the article is steering in the very direction. This article will be especially helpful to both a user as well as a mobile application developer. 

What is HIPAA Compliance? 

HIPAA stands for the Health Insurance Portability and Accountability Act, enacted in 1996 by the United States Congress. HIPAA’s initial goal was to simplify and reduce the administrative burden resulting in increased insurance and healthcare reform. 

Now, in the language of a layman, HIPAA compliance is like a set of guidelines for protecting sensitive information. Healthcare providers and healthcare organizations are required to abide by these guidelines and hence, implement to safeguard the Protected health information: thereby, protecting the privacy, security, and integrity of protected health information. 

But what is meant by Protected health information? Here are some common instances; names, phone numbers, addresses, SS numbers, financial info, medical records, and facial photos.

 However, apps like the Google Fit and Apple Health apps that do not collect any PHI, so HIPAA compliance is not mandatory in such cases.

Recent Changes in HIPAA 

Although the initial law was passed in 1996, many of the revised HIPAA regulations for 2013 compensate for improvements in working procedures and technical advancements.

The Security Standard has implemented three “safeguards” to preserve the confidentiality of electronically protected health information (ePHI) under recent amendments to the HIPAA. Those three conditions are:

  1. Administrative Safeguards – Includes things like the appointing of an Information Security Officer, business partner arrangements, risk evaluations, training, and policy development.
  2. Physical Safeguards – Covers hardware requirements, device and media controls used to store ePHI (including flash drives), and physical access to the servers and other devices that store ePHI.
  3. Technical Safeguards – Covers things like who can access the ePHI database remotely, audit controls, transmission security, and how ePHI access is monitored and communicated. 

Who Needs to be HIPAA Compliant?

Literally, everybody. A safe telehealth platform isn’t the only one that needs to be compliant, basically, all healthcare suppliers, patients, and personnel using the service also need to make absolutely sure that they are compliant with HIPAA.

This mutual obligation can be formally established into a Partner Business Agreement (BAA). The arrangement is a risk-sharing mechanism, which is a guarantee of transparency when a violation of HIPAA takes place.

HIPAA compliance thus extends, not only to health-care facilities (e.g. hospital, physicians’ office, insurance providers, etc.) but also to any business establishments associated with ePHI – entities providing healthcare on behalf of healthcare providers. A healthcare company that uses an IT provider’s or subcontractors’ services must have a “Business Associate” arrangement in order to ensure that the partnering IT provider is also compliant with HIPAA.

What Criteria Justifies a Telehealth App is HIPAA Compliant?

There are three key parameters that determine whether an app should be regulated by HIPAA. Let’s browse through those:

1. Entity 

If a covered entity such as a physician, hospital, or health insurance company uses an application, it would most definitely have to meet HIPAA standards.

Apps that facilitate doctor-patient interactions would need to comply with HIPAA; they work for covered entities like a doctor and a hospital.  Simultaneously, an app that actually helps a patient follow a schedule for medication does not qualify for HIPAA because there is no protected agency involved in this scenario (that is if the patient enters information itself and no doctor sees it).

Two categories of companies are subjected to HIPAA, under the Privacy Rule:

1.1. Covered entities

These are typically the healthcare programs, healthcare clearinghouses, and healthcare providers which handle certain financial and administrative transfers electronically, such as digital payments and fund transfers, for which the Secretary for Health and Human Services has implemented certain guidelines.

1.2. Business associates.

Entities that collect, store, process, or transfer PHI on behalf of the protected health entities.

To ensure PHI’s security and overall compliance with HIPAA, a covered entity must sign a HIPAA business associate agreement with each of its business partners.

2. Data

HIPAA is typically concerned with protected health information(PHI), which is any type of health information that could easily distinguish a patient, as well as any information that is created, accessed, or disclosed during and after the provision of managed healthcare services, like those of the diagnosis or treatment.

PHI comprises two parts: health information and data which is personally identifiable. The health records only become PHI when personal identifying information is linked to medical data.

2.1. Data subjected to HIPAA regulations 

The US Department of Health and Human Services identifies 18 types of personal information that along with health data account for the PHI:

  • The name of a patient
  • All subdivisions smaller than a State
  • Dates related specifically to a person including date of birth, date of admission, date of discharge, date of death
  • Fax numbers
  • Phone numbers
  • Email IDs
  • Medical record numbers
  • Social security numbers
  • Health plan beneficiary numbers
  • Certificate/license numbers
  • Account numbers
  • Device identifiers and serial numbers
  • Vehicle identifiers and serial numbers, including license plate numbers
  • Web URLs
  • IP addresses
  • Biometric identifiers, including voice and fingerprints
  • Photos of full face and other corresponding pictures
  • Any other unique number, feature, or code identifier

In short, if the data collected and shared in an application can be used to identify an individual (e.g. a profile that includes the first and the last names of a user and can be traced back to a patient), then the app must address the required HIPAA standards.

3. Software security

The final requirement for deciding whether a telehealth app falls under HIPAA is specifically related to the technologies used. This covers a range of tenets for securing and regulating access to electronically protected health information (ePHI).

The criteria include audit, integrity, and access controls. Let’s look at every single one of them one by one,

3.1. Audit controls 

Audit controls mean that a developer of health apps needs to incorporate hardware, software, and/or procedural mechanisms that document and analyze activities in systems containing or using ePHI.

3.2. Integrity of ePHI

This requires that a protected entity enforce policies and procedures to protect ePHI from unauthorized interference or damage.

3.3 Access controls

 To clarify this standard, let’s look at some of its implementation requirements: 

  • Specific user identification 
  • Emergency access protocol 
  • Automatic logoff 
  • Encryption and decryption

As for telehealth mobile application developers

You have to make peace with the fact that when it comes to HIPAA and mobile app development there are complexities involved, it can always get a bit nasty however, it’s all about making sure it’s executed the right way.

HIPAA is a very specific regulation that impacts whoever handles confidential health information about people. And the developers of mobile applications are as responsible as any protected person. 

Therefore, it is important that we understand the intent of the app, keeping in mind the audience, as well as what data will it store, collect, or share.  

We’ll need to understand who’ll be uploading personal health information. Whether it will be a patient or will it be the doctors or the medical staff?

 With HIPAA there is a range of complexities, the important thing to be mindful of is that any mobile application that uses personal data should always be developed with security and privacy in mind.

This is why, here at Citrusbits – keeping in mind patient privacy – we opt for HIPAA-compliant application development solutions.