What Is HIPAA and How Does It Affect Your Mobile Health App?
While Europe has GDPR to protect its citizens’ digital data from 3rd-party tracking, the United States approaches personally identifiable information (PII) differently. There are two nationwide regulations that protect your data, depending on whether you are younger than 13 (COPPA) or whether the data in question has to do with your health or medical status (HIPAA).
In 1996, US President Bill Clinton signed into law the Health Insurance Portability and Accountability Act, making it illegal to transfer patients’ private health information (PHI) to 3rd-party vendors or systems without receiving the patient’s consent. However, our understanding of personal data, and its potential for misuse, has radically changed since then. As a result, HIPAA has undergone updates in the years since. For medical or health-related apps with a user base in the United States, how can you ensure you’re compliant with the most up-to-date version of HIPAA, and that you’re treating your users’ information securely and ethically?
HIPAA: How It Began in 1996
What many people don’t realize is that HIPAA has a much wider purview than simply data privacy. This includes modernizing the flow of healthcare information and protecting health insurance coverage for workers who lose or change their job, as well as their families. Title II of the law is what covers data privacy in the interest of protecting patients from fraud and abuse within the healthcare system.
According to the CDC website, the purpose of the “Privacy Rule” section of HIPAA is
“to ensure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public’s health and well-being. The Privacy Rule strikes a balance that permits important uses of information while protecting the privacy of people who seek care and healing.”
HIPAA requires doctors to provide patients with an account of whatever 3rd-party entity receives their sensitive health data. At the time, this meant insurers or administrators, who would require patient information for billing purposes. Entities who have to comply with HIPAA include:
- Healthcare providers: doctors, clinics, psychologists, chiropractors, dentists, etc.
- Health plans: including health insurance companies, HMOs, company health plans, government healthcare programs
- Healthcare clearinghouses: including billing services and community healthcare systems
- Business associates: any entity that uses PHI to perform a function or activity or provide a service
“Personal health information” is an intentionally broad term, covering all aspects of a patient’s physical and mental health. However, in the years since 1996 the healthcare industry has migrated virtually entirely online. What’s more, the dawn of mobile healthcare management – where patients can consult with their doctors, be reminded of their daily medications, and keep track of their health records all on their smart devices – has necessitated a new understanding of what type of data needs to be protected, as well as a new understanding of the risks of data breaches.
Omnibus Rule and HITECH Act
The HIPAA Omnibus Rule, passed in 2003, stands as the most up-to-date change to the legislation thus far. Essentially, it brings HIPAA into the 21st century by updating data privacy and security strategies for the electronic health record (EHR) era. It modernizes the scope of what qualifies as PHI under HIPAA, while solidifying standards for healthcare provider liability as well as penalties for violations.
The HIPAA Omnibus Rule also attempted to address the new ways digital data was being used and sold, by setting limits on how PHI can be used for marketing or fundraising purposes, prohibiting the sale of a patient’s PHI without their consent, and increasing the penalties for noncompliance (with different tiers, taking into account whether it was a willful violation, and with a maximum penalty of $1.5 million). At the same time, the Omnibus Rule makes it easier for patients to control what happens to their own data: for example, if parents/guardians want to give permission for their child’s proof of immunization to be shared with the school, or a patient wants to give permission for their PHI to be used for research purposes.
Then in 2009, the HITECH Act extended HIPAA’s Privacy Rule to more directly cover Business Associates and their subcontractors, holding them to the same standards as the other 3 healthcare categories listed above.
Does Your App Fall Under HIPAA?
Any mobile app based in the United States – or that has users who live in the United States – has to comply with HIPAA if it processes or generates health or biometric data. And that covers a lot more than you might think.
Any device that tracks users’ fitness, mental health, weight management, etc. qualifies as a Personal Health Record (PHR) device. So think of Fitbits that track steps and heart rate, daily mindfulness apps, period trackers, exercise apps, and more – all of these generate PHI that could potentially fall under HIPAA. If this data is solely used for the consumer’s personal use, there is no violation of HIPAA. However, it’s when the app connects users with healthcare organizations or plans that the app is at risk of liability.
Under HIPAA, your app must then be able to demonstrate that it:
- Has safeguards in place to minimize risk to user PHI
- Only shares the minimum amount of PHI necessary for the app to function
- Has procedures in place to limit which employees can access app users’ PHI
- Has data security agreements with service providers who access the PHI through the app
OpenBack’s Default HIPAA/COPPA/GDPR-Compliant Mode
HIPAA’s proscription of sharing user data illicitly makes the traditional method of sending push notifications problematic. The industry standard for sending notifications involves sending user data, along with a push token, to a 3rd-party cloud server – APNs or Firebase – for processing.
However, OpenBack uses mobile edge computing to process all user data directly on the device. Sensitive PHI never has to leave the user’s possession, meaning you can send timely, personalized push notifications while treating their health data in a HIPAA-compliant, responsible way.
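The contrast above, as an added illustration that is not OpenBack’s code: the naive pattern renders the reminder text (which may carry PHI) on the backend and hands it to the push relay, while the minimized pattern sends only an opaque reference and a silent-push flag, and the app resolves the text from records already on the device. The patient record, the `ref` key and the reminder id are constructed for the example; `aps`, `alert` and `content-available` are standard APNs payload keys.

```python
"""Constructed example: keeping PHI out of third-party push payloads."""
from typing import Any, Dict, Iterator, Optional, Set

# Constructed sample record; no real patient data.
PATIENT = {"name": "Alex Example", "medication": "metformin", "dose": "500 mg"}
# Values a pre-send check must never find inside a payload sent to the relay.
PHI_VALUES: Set[str] = {PATIENT["name"], PATIENT["medication"]}


def build_naive_push(record: Dict[str, str]) -> Dict[str, Any]:
    """Classic pattern: the backend renders the text, so APNs/FCM sees the PHI."""
    alert = f"{record['name']}, take your {record['medication']} ({record['dose']}) now."
    return {"aps": {"alert": alert}}


def build_minimized_push(reminder_id: str) -> Dict[str, Any]:
    """Minimum-necessary pattern: only an opaque reference leaves the backend.

    'aps' / 'content-available' are APNs keys (silent push); 'ref' is our own
    constructed key carrying an id that means nothing to the relay.
    """
    return {"aps": {"content-available": 1}, "ref": reminder_id}


def _strings(obj: Any) -> Iterator[str]:
    """Yield every scalar in a nested payload as a string."""
    if isinstance(obj, dict):
        for value in obj.values():
            yield from _strings(value)
    elif isinstance(obj, list):
        for value in obj:
            yield from _strings(value)
    else:
        yield str(obj)


def leaks_phi(payload: Dict[str, Any], phi_values: Set[str]) -> bool:
    """Pre-send gate: True if any known PHI value appears anywhere in the payload."""
    joined = " ".join(_strings(payload)).lower()
    return any(value.lower() in joined for value in phi_values)


def render_on_device(payload: Dict[str, Any], local_store: Dict[str, Dict[str, str]]) -> Optional[str]:
    """App side: resolve the opaque reference against data held on the device only."""
    record = local_store.get(payload.get("ref", ""))
    if record is None:
        return None  # unknown reference: show nothing rather than guess
    return f"{record['name']}, take your {record['medication']} ({record['dose']}) now."
```

The `leaks_phi` gate is the check to run on every outbound payload before it reaches the push relay; the silent push only wakes the app, and the text is assembled from the device-side store.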