Chances are, if you are in the health care field, you are familiar with HIPAA. The Health Insurance Portability and Accountability Act (HIPAA) is often one of the largest questions facing mobile application development. One of the common questions is not only how to comply but “when does HIPAA apply?“

According to recent research by the HHS Office for Civil Rights and Patient Privacy, there are two key questions to ask when seeking to understand if a piece of software will falls under HIPAA rules:

1. Who will be using the app?
2. What information will be on the application?

To quote the research…

The HIPAA rules only apply to “protected health information,” information that identifies an individual and that relates to an individual’s physical or mental health, health care services to the individual, or payment for such health care services. There are exceptions for employment records and records of educational institutions. The fact that an individual has received services from a covered entity is itself protected health information. Accordingly, the name or address of an individual, although publicly available, is protected health information when residing on a covered entity’s computer if the presence of the information suggests that the individual is or was a patient or enrollee of the covered entity. Protected health information also includes otherwise anonymous information that includes a date of service (anything more detailed than a year). An e-mail referring to “the patient who was in last week” is protected health information, because it includes a date of service that can be used to identify the patient.

This means that HIPAA will only apply with certain types of patient information and not everything just because it is a health care app. For example, MichiganLabs recently developed an iPad application for a large medical organization that does not include patient specific information. Although the iPad app is still within the health care field, the HIPAA act did not apply. If, however, patient specific information was included within the app, HIPAA may have applied even if the information was anonymous. So, knowing this, what are some safeguards that developers can put in place for HIPAA compliance?

Glad you asked.

The HIPAA Security Rule requires appropriate Administrative, Physical, and Technical Safeguards to ensure the confidentiality, integrity, and security of protected health information (PHI).

In order to meet HIPAA compliance software requirements you need to ensure you’re meeting the four main requirements of the HIPAA law. The four main requirements of the HIPAA Compliance Checklist are:

1. You must put safeguards in place to protect patient health information.
2. Reasonably limit use and sharing of protected health information to the minimum necessary to accomplish your intended purpose.
3. Have agreements in place with service providers that perform covered functions. These agreements, called Business Associate Agreements (BAAs) ensure that service providers (Business Associates) use, safeguard and disclose patient information properly.
4. Procedures to limit who can access patient health information, and training programs about how to protect patient health information.

If that seems like a lot of work, there are several third-party vendors that will work to ensure your application is on the path to HIPAA compliance such as TrueVault or Tapestry Telemed.

In conclusion, there is no one that can “certify” that an organization is HIPAA compliant. The Office for Civil Rights (OCR) from the Department of Health and Human Services (HHS) is the federal governing body that determines compliance. HHS does not endorse or recognize the “certifications” made by private organizations.

There is an evaluation standard in the Security Rule § 164.308(a)(8), that requires you to perform a periodic technical and non-technical evaluation to make sure that your security policies meet the security requirements outlined in the rule. HHS doesn’t care if the evaluation is performed internally or by an external organization—just as long as it happens.

Legal disclaimer: I am not a lawyer. Please consult your legal professional for specific advice about how your app relates to HIPAA.