Meeting the Regulatory Challenges of Mobile Health App Development, According to Samsung

Marina Komarovsky, MS, MPH

Posted on January 24, 2017

Mobile Health App Development
Among all the mobile apps out there, mHealth stands out. We often talk about patient-friendly UI/UX, on-the-go features that integrate with patient portals and EMRs, and capabilities for sending messages to medical staff and refilling prescriptions. But another aspect that makes mHealth app development such an interesting challenge is the level of regulation in the healthcare sector.
When you’re working under HIPAA regulations covering electronic protected health information (ePHI), developing an app that collects and transmits this data is a delicate task. In a recent article, Samsung provided an excellent summary of the eight best practices for mHealth applications set out by the Federal Trade Commission (FTC). These cover a few key areas:

Data Collection & Handling

It has become commonplace for an app to request permission to access other phone features and applications such as your contacts, photos, and calendar. In mHealth, however, the best practice is to scrutinize what is really essential and request nothing more. For example, an appointment booking app may need access to your calendar, and a telemedicine app where you send images to a doctor may need access to your camera, but not the other way around. To comply with the HIPAA Security Rule, the app should also ensure secure storage, transmission, and deletion of the data it collects.

Authentication & Privacy

Because an mHealth app usually stores ePHI, it is very important to ensure that only authorized users gain access, and that users are given a clear explanation of the app’s privacy policy. Mobile health applications should always require a login, with a multi-step process for initial authentication to confirm that the correct user is accessing the app. Because mobile phones are often used in crowded places and can change hands easily, a short automatic timeout period is advisable. It may be less convenient for a patient to enter a password every time he or she wants to view test results in a patient portal app, but it is important that someone else who picks up the patient’s phone for any reason cannot also view that data.
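The login, multi-step initial authentication, and short automatic timeout described above can be combined into a small session guard. The code below is an added example written for this post; it is not from the original article or from Samsung’s or the FTC’s guidance. It assumes a hypothetical SessionGuard class that the app calls on every user interaction, and it goes slightly beyond the paragraph by also locking the session when the app leaves the foreground and by enforcing an absolute session lifetime after which only a full login will do.

```python
"""Inactivity lock and re-authentication for an mHealth app session.

Added example (not from the original article or Samsung's guidance).
Assumes a hypothetical SessionGuard class: the app calls touch() on every
user interaction, on_background() when the app leaves the foreground, and
can_read_phi() before rendering any screen that shows ePHI.
"""
import time
from typing import Callable, Optional


class SessionGuard:
    # States: "none" (never logged in), "unlocked", "locked", "expired"
    def __init__(self, idle_timeout: float = 120.0,
                 absolute_timeout: float = 8 * 3600.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        # A monotonic clock means changing the phone's wall-clock time cannot
        # extend a session. The clock is injectable so tests can advance it.
        self.idle_timeout = idle_timeout
        self.absolute_timeout = absolute_timeout
        self._clock = clock
        self._user: Optional[str] = None
        self._login_at = 0.0
        self._last_activity = 0.0
        self._locked = True

    def login(self, user_id: str, second_factor_ok: bool) -> bool:
        """Initial authentication is multi-step: a password alone is not enough."""
        if not second_factor_ok:
            return False
        now = self._clock()
        self._user = user_id
        self._login_at = now
        self._last_activity = now
        self._locked = False
        return True

    def state(self) -> str:
        if self._user is None:
            return "none"
        now = self._clock()
        if now - self._login_at >= self.absolute_timeout:
            return "expired"         # only a full login() can recover
        if self._locked or now - self._last_activity >= self.idle_timeout:
            self._locked = True      # latch the lock once idle time is exceeded
            return "locked"
        return "unlocked"

    def touch(self) -> bool:
        """Record user activity; False if the session is no longer usable."""
        if self.state() != "unlocked":
            return False
        self._last_activity = self._clock()
        return True

    def on_background(self) -> None:
        """Lock immediately when the app leaves the foreground (phone handed over)."""
        self._locked = True

    def unlock(self, passcode_ok: bool) -> bool:
        """Re-authenticate a locked session with a passcode or biometric check.

        An expired session cannot be unlocked; the caller must run login() again.
        """
        if self.state() != "locked" or not passcode_ok:
            return False
        self._locked = False
        self._last_activity = self._clock()
        return True

    def can_read_phi(self) -> bool:
        """Gate every ePHI read on the live session state, never on a cached flag."""
        return self.state() == "unlocked"
```

The important design choice is that can_read_phi() re-evaluates the clock on every call rather than trusting a flag set at login, so a screen that stays open while the phone sits on a table still locks when the idle period elapses.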

Compliant Development

Mobile health application development needs to be a compliant process from the start, with information privacy and security built into every feature: from the login and automatic logoff elements, to how medical history and real-time biometric data are collected and stored, to how data and messages are transmitted to healthcare providers. Healthcare organizations should work with development teams that specialize in HIPAA-compliant IT to ensure legal adherence throughout the process.


Marina Komarovsky, MS, MPH

Marina is a writer who specializes in healthcare policy, patient engagement, and telemedicine. She has a special interest in creative tech approaches that help provider teams collaborate better, improve patient experience, and reduce health disparities.
