HIPAA compliance for mobile application
What is HIPAA?
HIPAA (Health Insurance Portability and Accountability Act) sets the standard for protecting sensitive patient data. HIPAA ensures the protection of patient information, provides electronic and physical security of patient information, limits disclosure of information to the minimum necessary, and specify patient rights to the information, minimize fraud/abuse, simplify bill and other transactions. Any company that deal with PHI (protected health information) must ensure that all the required physical, network and process security measures are in place and followed.
Does Your Mobile App Need to be HIPAA Compliant?
If you are a healthcare application vendor, then you must look at its functionality. If your application is only storing PHI of patient then HIPAA is not mandatory but if it is also sending data to doctor, hospital or other covered then HIPAA compliance becomes mandatory.
What are the issues faced by healthcare mobile application?
Mobile is becoming a core platform for healthcare communications and services because of its portability and easy to access features. As information access expands to more people and more devices, mobile creates new systems and processes that are subject to HIPAA compliance. There are many healthcare application in android and iOS but most of them do not comply with HIPAA as they don’t have any specific standard to follow as HIPAA do not have specific standard for mobile applications.
There are certain requirements which a merchant and client should make sure its application has:
• To process it only in ways compatible with the purposes for which it was given initially
• To make sure that PHI of patient is only shared with those who really need it for any useful purpose.
• To keep personal data safe and secure
• To keep data accurate, complete and up-to-date
• To ensure that it is adequate, relevant and not excessive
• To retain it no longer than is necessary for the specified purpose or purposes.
HIPAA checklist for mobile application
HIPAA checklist is divided into three types of controls and not all the controls map to mobile applications so we will have separate checklist for mobile applications as their need is different.
1) ADMINISTRATIVE SAFEGUARD
In general administrative controls deal with administrative actions, policies and procedures to manage the security measures to protect EPHI and the purpose of this standard is to establish the administrative processes and procedures that a covered entity will use to implement the security program in its environment. There are some administrative controls which are under privacy rule while some are under security rule.
Some controls which fall under rules like Security Incident Procedures, Contingency Plan, Evaluation, Information Access Management, and Evaluation are to be followed by mobile application while some rules like Assigned Security Responsibility, Workforce Security and Security Awareness and Training are not useful for mobile application
2) PHYSICAL CONTROL
Physical controls measures, policies, and procedures to protect a covered entity’s electronic information Systems and related buildings and equipment, from natural and environmental hazards, and unauthorized Intrusion. Some controls related to mobile application are facility controls, device and media control and the once not related to mobile application are workstation use and Workstation security.
3) TECHNICAL CONTROLS
Technical safeguards are defined as the technology and the policy and procedures for its use that protect electronic protected health information. Technical safeguards are becoming increasingly more important due to technology advancements in the health care industry. As technology improves, new security challenges emerge. Healthcare organizations are faced with the challenge of protectingelectronic protected health information (EPHI).All the technical safeguards are compliant to mobile applications some of them are like managing access control, audit controls, Integrity, person or entity authentication, transmission security.