HIPAA, the Health Insurance Portability and Accountability Act, was created to protect patients' privacy and security by governing access to their health data and regulating its acceptable use. HIPAA compliance has to be designed in when building a healthcare app, and the organization must stay compliant for the app's whole lifetime, not just during development.
It’s important to note that ADA and GDPR compliance are two other considerations that may also require your attention, but we aren’t going to be covering these in this article.
Restrict PHI Storage on Phones
Protected Health Information (PHI) is the first thing to consider when building a HIPAA-compliant healthcare app. The 18 PHI identifiers* listed at the end of this article cover the categories of information that can tie health data to a specific patient: health data linked to any of them is PHI, and a healthcare app has to handle all of them in a safe and secure manner.
A healthcare app should never allow users to store PHI on their mobile device. If a healthcare app ever sent sensitive information to the wrong patient by mistake, there would be no way to recall that data once it had been saved to the recipient's phone. As a best practice, data should always be pulled for the user from the source practice management (PM) or electronic medical record (EMR) system in real time and never written to the device.
Even if you're not worried about errors like this, keep in mind that the vast majority of patients' phones are personal devices your organization does not manage: you cannot verify or enforce device encryption, a passcode, remote wipe, or audit logging on them, so they do not meet the safeguards HIPAA's Security Rule expects for stored PHI. Giving patients the option to save PHI to their phone is therefore a high security risk.
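One control the backend can apply to support the "never saved on the device" rule is to mark every PHI response as non-cacheable, so the HTTP cache on the phone (and any proxy in between) does not write the body to disk. The following WSGI middleware is an added example, not code from the original article or from Medical Web Experts; the `/api/phi/` prefix and the tiny stand-in app are constructed for the demo, and it assumes the client's HTTP stack honours `Cache-Control: no-store`, which mainstream mobile HTTP libraries do. It does not stop app code that deliberately writes records to storage; that has to be prevented in the app itself.

```python
"""WSGI middleware that forbids caching of responses on PHI endpoints.

Added example, not code from the original article or from Medical Web
Experts. PHI_PREFIX and demo_app are constructed for the demonstration.
"""
from wsgiref.util import setup_testing_defaults

PHI_PREFIX = "/api/phi/"  # assumed path prefix for endpoints returning PHI
NO_STORE_HEADERS = [
    ("Cache-Control", "no-store, no-cache, max-age=0"),
    ("Pragma", "no-cache"),  # for HTTP/1.0 caches
    ("Expires", "0"),
]
CACHING_HEADERS = {"cache-control", "pragma", "expires"}


def no_store_middleware(app, prefix=PHI_PREFIX):
    """Wrap a WSGI app so every response under `prefix` carries no-store."""
    def wrapped(environ, start_response):
        path = environ.get("PATH_INFO", "")

        def guarded_start(status, headers, exc_info=None):
            if path.startswith(prefix):
                # Drop whatever caching policy the handler chose, then apply
                # ours, so a permissive handler cannot override it.
                headers = [(k, v) for k, v in headers
                           if k.lower() not in CACHING_HEADERS]
                headers = headers + NO_STORE_HEADERS
            return start_response(status, headers, exc_info)

        return app(environ, guarded_start)
    return wrapped


def demo_app(environ, start_response):
    """Constructed stand-in for the API: one PHI endpoint, one public one.

    The PHI handler deliberately makes the mistake of setting a permissive
    Cache-Control header, to show the middleware overriding it.
    """
    path = environ.get("PATH_INFO", "")
    if path.startswith(PHI_PREFIX):
        body = b'{"record": "fetched live from the EMR, never persisted"}'
        headers = [("Content-Type", "application/json"),
                   ("Cache-Control", "public, max-age=86400")]  # the mistake
    else:
        body = b'{"status": "ok"}'
        headers = [("Content-Type", "application/json"),
                   ("Cache-Control", "public, max-age=60")]
    start_response("200 OK", headers)
    return [body]


def call(app, path):
    """Invoke a WSGI app in-process; return (status, headers dict, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers
        return lambda data: None

    body = b"".join(app(environ, start_response))
    return captured["status"], dict(captured["headers"]), body


def cache_directives(headers):
    """Parse Cache-Control into a set of lower-cased directive names."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "cache-control"), "")
    return {d.strip().split("=")[0].lower()
            for d in value.split(",") if d.strip()}


def is_no_store(headers):
    """True only if the response tells every cache not to persist it."""
    return "no-store" in cache_directives(headers)


if __name__ == "__main__":
    app = no_store_middleware(demo_app)
    for path in (PHI_PREFIX + "records/42", "/api/public/status"):
        status, headers, _ = call(app, path)
        print(path, status, headers.get("Cache-Control"),
              "no-store:", is_no_store(headers))
```

Wrapping the whole application rather than each handler means a new endpoint added under the PHI prefix is covered by default; `is_no_store` is the check worth keeping in an integration test so a future header change cannot silently reopen caching.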
Keep Notifications Secure and Private
Healthcare apps use notifications to alert patients that new information is waiting for them. An app can notify patients via email, push notification, or SMS; whichever channel is used, the content of these notifications must be strictly constrained. A notification must never reveal specific or identifiable information about the health organization or the patient, because doing so can be a major breach of the patient's privacy.
When a patient receives a notification on their phone, anyone who can see the lock screen can read it, and the message also passes through third-party infrastructure (the push notification service, the SMS carrier, or the patient's email provider) that typically is not covered by your Business Associate Agreement, so notifications should contain as little information as possible. A good example of a proper notification is "You have a new secure message!". A notification should never read "Good morning Ann, your eye exam with Dr. Anderson is next Wednesday.": that single line exposes the patient's name, her provider, the type of care, and a date element.
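As an added example (not code from the original article or from Medical Web Experts), the following Python builds a notification payload that carries nothing but a fixed generic string plus an opaque reference, and screens any notification text for the identifier classes from the footnoted list that most often slip into alerts (dates and weekdays, phone numbers, email addresses, SSNs, URLs, IP addresses, long record numbers, and greeting/honorific name forms). The push service, the `message_ref` field and the sample messages are constructed for the demo; the regexes are review and CI heuristics, not a guarantee of de-identification, which is why the primary control is that notification strings are templates with no patient data interpolated at all.

```python
"""Notification builder that keeps PHI out of push, SMS and e-mail alerts.

Added example, not code from the original article or from Medical Web
Experts. The push service, the message_ref field and the sample texts are
all constructed for the demo.
"""
import re
import secrets

# Identifier classes that most often leak into notification text. This screen
# is a safety net for code review and CI; the primary control is that
# notification strings are fixed templates with no patient data in them.
PHI_PATTERNS = {
    # Date elements: 03/14/2024, 2024-03-14, "March 14", and weekday names
    # ("next Wednesday" still pins an appointment to a day).
    "date": re.compile(
        r"\b\d{1,2}[/-]\d{1,2}[/-]\d{2,4}\b"
        r"|\b\d{4}-\d{2}-\d{2}\b"
        r"|\b(?:jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)[a-z]*\.? \d{1,2}\b"
        r"|\b(?:mon|tues|wednes|thurs|fri|satur|sun)day\b",
        re.IGNORECASE,
    ),
    "phone": re.compile(r"(?<!\d)(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}(?!\d)"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "url": re.compile(r"\b(?:https?://|www\.)\S+", re.IGNORECASE),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    # Medical record, account and beneficiary numbers: any run of 6+ digits.
    "id_number": re.compile(r"\b\d{6,}\b"),
    # Names are the hardest identifier to catch by pattern; these heuristics
    # catch the usual "Good morning Ann" and "Dr. Anderson" forms.
    "greeting_name": re.compile(
        r"\b(?i:hi|hello|dear|good (?:morning|afternoon|evening))[, ]+[A-Z][a-z]+"
    ),
    "titled_name": re.compile(r"\b(?:Dr|Mr|Mrs|Ms|Mx|Prof)\.? [A-Z][a-z]+"),
}


def find_phi(text):
    """Return [(kind, matched_text), ...] for every identifier-like span."""
    hits = []
    for kind, pattern in PHI_PATTERNS.items():
        for m in pattern.finditer(text):
            hits.append((m.start(), kind, m.group(0)))
    return [(kind, span) for _, kind, span in sorted(hits)]


def new_message_ref():
    """Opaque handle for a secure message (assumed: random, not an MRN or
    appointment id, and only resolvable over the authenticated API)."""
    return secrets.token_urlsafe(12)


def build_notification(message_ref):
    """Fixed generic strings only; the only variable part is the opaque ref
    the app exchanges for the real content after authenticating."""
    return {
        "title": "New secure message",
        "body": "You have a new secure message!",
        "data": {"message_ref": message_ref},
    }


def safe_to_send(notification):
    """Screen title, body and every data value; return (ok, findings)."""
    fields = {"title": notification.get("title", ""),
              "body": notification.get("body", "")}
    for key, value in notification.get("data", {}).items():
        fields["data." + key] = str(value)
    findings = [(field, kind, span)
                for field, value in fields.items()
                for kind, span in find_phi(value)]
    return (not findings, findings)


if __name__ == "__main__":
    good = build_notification(new_message_ref())
    print("good:", safe_to_send(good))
    bad = dict(good, body="Good morning Ann, your eye exam with "
                          "Dr. Anderson is next Wednesday.")
    print("bad:", safe_to_send(bad))
```

On receipt the app resolves `message_ref` over its authenticated session and only then shows the content inside the app, so neither the lock screen nor the push provider or carrier ever sees the patient's name, provider, or appointment date.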
Always Use a Hosting Service that is HIPAA-Compliant
Once again, HIPAA has to be considered when choosing hosting for your healthcare app. Private patient information must always be hosted on infrastructure that can support HIPAA compliance, which in practice means a provider that will sign a Business Associate Agreement (BAA), with PHI restricted to the services that provider designates as HIPAA-eligible. No cloud is "HIPAA-compliant" on its own: the provider secures the underlying infrastructure, but configuring the application, access controls, encryption, and audit logging correctly remains your responsibility. As an example, Medical Web Experts, a leading medical web design company, builds its HIPAA-compliant cloud hosting service, the MWE Cloud, on Amazon's HIPAA-eligible AWS services.
For more information about the development of a healthcare app by expert developers that understand HIPAA compliance, please contact Medical Web Experts today.
*18 PHI Identifiers
- Names
- All geographical subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes.
- All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death, and more.
- Phone numbers
- Fax numbers
- Electronic mail addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Web Universal Resource Locators (URLs)
- Internet Protocol (IP) address numbers
- Biometric identifiers, including finger and voice prints
- Full face photographic images and any comparable images
- Any other unique identifying number, characteristic, or code (this does not include a re-identification code that the covered entity assigns to the de-identified data, provided the code is not derived from any of the identifiers above)