mHealth and HIPAA

HIPAA is a widely misunderstood piece of legislation. The HIPAA Privacy Rule establishes standards for handling Protected Health Information (PHI). The HIPAA Security Rule, which is a subset of the Privacy Rule, covers electronic PHI and requires the implementation of administrative, physical, and technical safeguards for it.

HIPAA applies to health plans, health care clearinghouses, and health care providers. It does not explicitly apply to patients and the data that they generate on their own. That said, when mHealth tools are given to patients by providers, we enter a middle ground. 

Here are the HIPAA Security Rule Standards that are most relevant to mHealth:


Think like a Bank

No one wants to have their bank accounts hacked. For some, this would be much worse than having their medical records leaked. Banks understand just how high the stakes are and have responded appropriately. Users can perform almost any consumer financial transaction on their phones with a reasonable assurance of privacy and security. Further, banks can't control user workflows and behaviors, but they can control how the app behaves. Here are a few of the techniques:

Don't put the entire app behind an authentication wall 

Allow users to get some value out of the app without having to log in. In healthcare, this could be general health tips, reference materials, and other items that don't contain PHI. Authentication is only required for the user to access the portion of the app that contains PHI.

Don't store PHI locally on the device

PHI should only be stored in your secure cloud environment. All transmission between devices and that environment should be encrypted. If the mobile device falls into the wrong hands, no PHI is available locally. This has the added benefit of keeping the data securely backed up for users.

Require Strong Passwords 

This goes without saying, but the best encryption and most thoughtful authentication system is no match for weak passwords. Until retina, fingerprint, or palm scans are widely deployed, we must focus on password strength. That means a minimum of 8 characters, an upper case letter, a number, and a special character.

Implement Auto-Logoff

How many times have you misplaced your phone? Maybe even in a public place? It happens to the best of us. Auto logoff helps prevent leaked PHI in the event that a user loses their phone.
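The three app-side controls above (a public tier with no login, the password rule stated under "Require Strong Passwords", and auto-logoff) can be put together in one small access layer. The following is an added example written for this page, not code from the article or from any particular mHealth product. The route table, the 5-minute idle timeout, the `FakeClock` used to drive the timeout deterministically, and the `patient-42` user id are all constructed for illustration.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# --- Password policy, as stated in the article: at least 8 characters,
#     one upper-case letter, one digit, and one special character. ---
PASSWORD_MIN_LENGTH = 8


def password_policy_violations(password: str) -> List[str]:
    """Return the list of policy rules the password fails (empty = acceptable)."""
    problems = []
    if len(password) < PASSWORD_MIN_LENGTH:
        problems.append("too_short")
    if not any(c.isupper() for c in password):
        problems.append("no_uppercase")
    if not any(c.isdigit() for c in password):
        problems.append("no_digit")
    # "special" here means any non-alphanumeric, non-whitespace character
    if not any(not c.isalnum() and not c.isspace() for c in password):
        problems.append("no_special")
    return problems


# --- Sessions with an idle timeout (auto-logoff). ---
IDLE_TIMEOUT_SECONDS = 5 * 60  # assumed value; tune to your risk assessment


@dataclass
class Session:
    user_id: str
    last_activity: float


class SessionStore:
    """In-memory session table; a session that has been idle longer than
    idle_timeout is dropped the next time it is presented (auto-logoff)."""

    def __init__(self, idle_timeout: float = IDLE_TIMEOUT_SECONDS, clock=time.monotonic):
        self._sessions: Dict[str, Session] = {}
        self._idle_timeout = idle_timeout
        self._clock = clock  # injectable so tests can advance time

    def login(self, user_id: str) -> str:
        token = secrets.token_urlsafe(32)  # unguessable opaque session id
        self._sessions[token] = Session(user_id, self._clock())
        return token

    def touch(self, token: str) -> Optional[Session]:
        """Validate a token; refresh its activity time, or expire it if idle too long."""
        session = self._sessions.get(token)
        if session is None:
            return None
        now = self._clock()
        if now - session.last_activity > self._idle_timeout:
            del self._sessions[token]  # auto-logoff: forget the session server-side
            return None
        session.last_activity = now
        return session

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)

    def active_sessions(self) -> int:
        return len(self._sessions)


# --- Route tiering: PHI-free content is public, PHI requires a live session. ---
ROUTES = {  # constructed example routes
    "/tips": {"phi": False},
    "/reference": {"phi": False},
    "/records": {"phi": True},
    "/messages": {"phi": True},
}


def handle_request(store: SessionStore, path: str, token: Optional[str] = None) -> Tuple[int, str]:
    """Serve public routes without a login; gate PHI routes on a valid session."""
    route = ROUTES.get(path)
    if route is None:
        return 404, "not found"
    if not route["phi"]:
        return 200, f"public content for {path}"
    session = store.touch(token) if token else None
    if session is None:
        return 401, "login required"
    return 200, f"PHI for user {session.user_id} at {path}"


class FakeClock:
    """Test helper: a clock the caller advances by hand."""

    def __init__(self, now: float = 0.0):
        self.now = now

    def __call__(self) -> float:
        return self.now


if __name__ == "__main__":
    clock = FakeClock(1000.0)
    store = SessionStore(idle_timeout=300, clock=clock)
    print(handle_request(store, "/tips"))                 # served without login
    token = store.login("patient-42")                    # constructed user id
    print(handle_request(store, "/records", token))      # PHI served
    clock.now += 600                                     # user walks away
    print(handle_request(store, "/records", token))      # auto-logoff: 401
```

Two details are worth noticing. The idle timer is enforced on the server, so a phone that is lost mid-session stops being useful once the timeout elapses regardless of what the client does, and the only thing the device ever holds is the opaque token, not PHI. The policy checker returns every failed rule rather than a bare boolean, which lets the sign-up screen tell the user exactly what to fix.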


Bottom Line

HIPAA was designed to provide safeguards for patient information when it is handled by third parties that play a role in providing or paying for care. HIPAA does not govern what patients do with their own personal health information. That said, health systems can use the HIPAA framework as a guide for developing security and privacy policies that govern mHealth apps. Finally, the banking industry has set a compelling precedent when it comes to offering users a combination of convenience and security.