When you’re working with HIPAA regulations around electronic protected health information (ePHI), developing an app that collects and transmits this data is delicate. In a recent article, Samsung provided an excellent summary of the eight best practices for mHealth applications that have been set forth by the Federal Trade Commission. These cover a few key areas:
Data Collection & Handling
It has become commonplace for an app to request permission to access other phone features and applications such as your contacts, photos, and calendar. In mHealth, however, the best practice is to scrutinize what is really essential. For example, an appointment booking app may need to access your calendar, and a telemedicine app where you need to send images to a doctor may need to access your camera, but not the other way around. To comply with the HIPAA Security Rule, the app should ensure secure storage, transmission, and deletion of the data it collects.
Authentication & Privacy
Because an mHealth app usually stores ePHI, it’s very important to ensure that only authorized users gain access and that users are given a clear explanation of the app’s privacy policy. Mobile health applications should always have a login, and a multi-step process for initial authentication to ensure that the correct user is accessing the app. Because mobile phones are often used in crowded places and can change hands easily, a short automatic timeout period is advisable. While it may be less convenient for a patient to enter a password every time he or she wants to view test results in a patient portal app, it’s important that someone else who picks up the patient’s phone for any reason doesn’t also have access to that data.
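As an added illustration (not code from the article or from any vendor it mentions) of the login-plus-automatic-timeout pattern described above, the following Python sketch gates every ePHI read behind a verified login and an inactivity lock; the 120-second window, the salted PBKDF2 credential store and the injectable clock are assumptions chosen for the example, and the multi-step initial enrollment is out of scope.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

IDLE_TIMEOUT_SECONDS = 120  # assumed "short automatic timeout" for the example


def make_credential(password: str) -> tuple[bytes, bytes]:
    """Return (salt, PBKDF2-SHA256 hash) for storing a password at rest."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Session:
    user_id: str
    last_activity: float  # seconds on the guard's clock


class EphiSessionGuard:
    """Allows ePHI reads only for a logged-in user who has been active recently."""

    def __init__(self, credentials, idle_timeout=IDLE_TIMEOUT_SECONDS, clock=time.monotonic):
        self._credentials = credentials  # user_id -> (salt, hash); constructed store
        self._idle_timeout = idle_timeout
        self._clock = clock  # injectable so the timeout is testable offline
        self._session = None

    def login(self, user_id: str, password: str) -> bool:
        rec = self._credentials.get(user_id)
        if rec is None:
            return False
        salt, expected = rec
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if not hmac.compare_digest(candidate, expected):  # constant-time compare
            return False
        self._session = Session(user_id, self._clock())
        return True

    def is_authenticated(self) -> bool:
        """Expire (lock) the session once the idle window has elapsed."""
        if self._session is None:
            return False
        if self._clock() - self._session.last_activity > self._idle_timeout:
            self._session = None  # discard; re-entering the password is required
            return False
        return True

    def read_record(self, records: dict) -> dict:
        """Return the caller's own ePHI record, refreshing the activity timer."""
        if not self.is_authenticated():
            raise PermissionError("re-authentication required")
        self._session.last_activity = self._clock()
        return records.get(self._session.user_id, {})
```

A bystander who picks up the phone after the window has elapsed gets `PermissionError` from every read until the patient logs in again.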
Compliant Development
Mobile health application development needs to be a compliant process from the start, with information privacy and security built into every function: from the login and automatic logoff elements, to how medical history and real-time biometric data are collected and stored, to how data and messages are transmitted to healthcare providers. Healthcare organizations should work with development teams specialized in HIPAA-compliant IT to ensure legal adherence throughout the process.