The digital health space is on fire.

According to Accenture’s 2018 Consumer Survey on Digital Health, consumers are increasingly relying on technology to manage their healthcare needs.

Compared to 2016, our reliance on wearable devices, electronic health records and mobile apps has jumped significantly:

In fact, the only area of the digital health space that hasn’t grown is traditional websites. That’s because health apps and other mobile tech are really taking off. More and more startups are partnering with insurance companies, pharmacies and doctors’ offices to give patients convenient access to their personal health information, and to help these healthcare providers save money.

But there’s a catch.

With very sensitive and personal information comes great responsibility—not only to act in the best interests of the consumer (which should be a given regardless) but also to adhere to many strict rules and regulations that are enforceable by law.  

The law governing the healthcare industry and associated third parties is called HIPAA (you’ve probably heard of it), and compliance is mandatory.

So if you’re developing the next big healthtech device, software or mobile app, listen up! Today we’re going to share everything you need to know about HIPAA compliance before you dive into the world of healthcare. Let’s get to it.

What Is HIPAA And Why Should I Care?

HIPAA, short for the Health Insurance Portability and Accountability Act, regulates how healthcare providers and other business entities record, store, manage and share a US citizen’s private and personal medical information.

HIPAA & The Omnibus Rule

When HIPAA was originally passed by Congress in 1996, it applied solely to covered entities (CE)—essentially, anybody involved with the treatment of patients, operating a healthcare facility, or sending/receiving healthcare payments—and it consisted of four primary rules:

  • HIPAA Privacy Rule
    • Addresses the use and disclosure of protected health information (PHI).
  • HIPAA Security Rule
    • Addresses security requirements for the electronic receipt, transmission, storage and transfer of PHI, and training for those who may come into contact with PHI.
  • HIPAA Breach Notification Rule
    • Addresses the requirements for notifying patients whose info has been compromised, lost or stolen. 
  • HIPAA Enforcement Rule
    • Addresses how investigations into compliance are handled.

Since then, several rules have been added, including a 2013 revision called the Omnibus Rule made in accordance with the Health Information Technology for Economic and Clinical Health (HITECH) Act. This is where HIPAA’s governance over healthtech startups comes in.

In this video, the U.S. Department of Health and Human Services explains more about the rules and parameters in the HIPAA update:

How Does My Startup Fit Into All Of This?

The Omnibus Rule, which brought changes to the privacy and security rules, extended accountability outside of the immediate medical industry to any business that works for or on behalf of CEs (CEs being physicians, dentists, hospitals, pharmacies, insurance companies, etc.) and, consequently, has a hand in dealing with PHI. These folks are called Business Associates.

A Business Associate is any entity (vendor/contractor) that works on behalf of a CE to store or transmit PHI, or a subcontractor hired by said vendor/contractor… This could mean you—a startup looking to develop a mobile app for the healthcare industry.

Now, just because you’re developing a health app does not necessarily mean you need to be HIPAA compliant. An app like Runkeeper, or Fitbit, for example, where you’re inputting data to chart your own health and fitness goals, wouldn’t need to be HIPAA compliant. But if your app records, stores, manages or shares PHI for/with/on behalf of CEs, then HIPAA applies to you.

How Do I Make Sure My Company Is HIPAA Compliant?

While there is no formal regulator overseeing HIPAA, the Office for Civil Rights within the U.S. Department of Health and Human Services is the federal institution that unofficially fills that role.  

There are many online resources that you can look to for guidance on becoming HIPAA compliant, such as this guide by AccountableHQ.

Datica offers a free training course for HIPAA compliance, complete with a self-assessment and quiz.

And then there are third-party tools like TrueVault and Aptible that facilitate compliance by safely storing protected data on your behalf.

The downside to a lack of formal regulation is that anyone can claim to be HIPAA compliant without any kind of certification to back up their claim; however, these resources can put you on the path of proving compliance the right way.

Legal Implications

So what happens if you don’t comply with HIPAA? You will pay—literally.

If you are found in violation of any HIPAA rules, you could face some very hefty fines, regardless of whether the violation was intentional. If the violation is severe, criminal charges could be filed with a possible penalty of 1 to 10 years in prison.
What Compliance Means For You

One good thing about HIPAA is that it does not limit what technologies you can use for your product. It simply requires you be careful with data.

As mentioned, if your product records, stores, manages or shares PHI, then you must be HIPAA compliant. And this applies regardless of whether that’s your product’s intended use. So if you’re reading this and thinking, “Oh, I’ll just discourage the transfer of personal health information via my app,” think again. If there’s even a chance that your customers will use your product to store or manage such data, you have to take the appropriate steps to protect their info.

If you’re a developer running cloud-based software or building a mobile app, HIPAA compliance is simply non-negotiable. That said, not all your app’s data needs to be hosted on HIPAA-compliant servers—just the PHI.

For other specific considerations to keep in mind when building a mobile health app, check out the Mobile Applications and HIPAA Compliance chapter of TrueVault’s HIPAA Compliance Developers’ Guide.  

Wrapping Things Up

If you think about it, everything that keeps society functioning—from banking to shopping to food to transportation—has gone mobile. So it makes perfect sense for healthcare, which affects our lives every single day, to be the next industry in line.

While the complexities of HIPAA may seem overwhelming, those companies that choose to push through are the ones we’ll be talking about for years to come.

This healthtech “trend” is not slowing down—just look at the current market valuation of healthcare startups. Are you going to let HIPAA compliance get in the way of finding success in this market?

And it’s worth noting that this is not an American-only thing. Other countries around the world have different rules that require similar consideration. In Canada, for example, there’s PIPEDA (the Personal Information Protection and Electronic Documents Act), and in the U.K., GDPR (the General Data Protection Regulation). And we’re here to help you with them all!

If you want to build your own healthcare app, we’ve got the experience to help you at every stage of your build. Get in touch with one of our mhealth and product strategists today to learn more.
