Apps to track and promote health are extremely popular. Consumers have flocked to download apps to help them lose weight or quit smoking, track their exercise programs or combat particular conditions like gluten intolerance, diabetes, high blood pressure, or food allergies. Wearable tech has made these apps even more powerful, with the capability to track heart rate, monitor the steps a person takes, or track their breathing. But if you aren’t aware of HIPAA regulations and how they affect apps and developers, you could wind up in serious trouble.
Why is HIPAA a Concern for App Developers?
Most people think HIPAA only involves doctors’ offices and hospitals, but it actually covers private health information anywhere it is collected or stored.
These apps aren’t just lucrative, they can actually help people live longer, healthier, more satisfying lives. But if you’re developing apps related to a person’s health, the data collected and generated by these apps can be covered under HIPAA, or the Federal Portability and Accountability Act of 1996. Failure to comply can rack up stiff penalties of around $50,000, so it’s critical that developers are aware of and compliant with HIPAA.
HIPAA is designed to assure that people can get access to health insurance and keep their premiums reasonable. It protects information that could potentially be used to deny them insurance or charge them rates so high that they couldn’t afford to buy it. It covers a variety of health information, including all of their medical records and the dates which they have sought medical attention.
How to Determine if Data is Covered by HIPAA
Even information that isn’t specifically covered by HIPAA (such as how many calories the user ate) becomes covered once shared with a medical professional.
Where HIPAA regulations get tricky is when information that would not normally be covered under the law is shared. For example, the number of steps a user walked today is not covered under HIPAA under normal circumstances. However, if your app collects this information and shares it with a health care professional, it then becomes HIPAA-covered. Anything added to a person’s medical history or charts automatically falls under HIPAA, even if it is not information specified by the law.
How to Remain Compliant When Using or Collecting HIPAA Protected-Data
Since HIPAA comes with more gray areas than black and white, it’s generally best to treat all data collected, stored, transmitted, or shared on a person’s health as HIPAA-protected information. This covers you in case you add new features down the line, such as the ability to push data from the device to the user’s doctor’s office. HIPAA guidelines require that you:
• Notify the user of your data policies (a click-to-accept step in the installation process is ideal for this). • Protect the health-related data with a password or other acceptable authentication method. • Encrypt the data where it is stored (on the device or in your cloud storage facility), as well as during transmission. • Provide a way to wipe sensitive health information if the device is lost or stolen. • Enable firewall protection. • Protect the data with anti-malware software and update the software regularly. • Develop a plan to notify users and the U.S. Department of Health and Human Services if a breach of HIPAA-protected information (or potentially HIPAA-protected information) becomes compromised due to a data breach.
With some wise planning and a few basic security measures, your health-related app can be a huge success. Get started on your next hit development project at Glance today!