When you’re working with HIPAA regulations around electronic protected health information (ePHI), developing an app that collects and transmits this data is delicate. In a recent article, Samsung provided an excellent summary of the eight best practices for mHealth applications that have been set forth by the Federal Trade Commission. These cover a few key areas:
Data Collection & Handling
It has become commonplace for an app to request permission to access other phone features and applications, such as your contacts, photos, and calendar. In mHealth, however, the best practice is to scrutinize what is really essential. For example, an appointment booking app may need to access your calendar, and a telemedicine app in which you send images to a doctor may need to access your camera, but not the other way around. To comply with the HIPAA Security Rule, the app should ensure secure storage, transmission, and deletion of the data it collects.
Authentication & Privacy
Mobile health application development needs to be a compliant process from the start, with consideration for information privacy and security built into every piece of functionality, from the login and automatic logoff elements, to how medical history and real-time biometric data are collected and stored, to how data and messages are transmitted to healthcare providers. Healthcare organizations should work with development teams specialized in HIPAA-compliant IT to ensure legal adherence throughout the process.