With an increasing number of mHealth apps hitting the market, many tech companies are being forced to think about how they secure the data that’s transmitted via their software.

If you’re in the process of building a mHealth app, you may have heard the term HIPAA compliance. What you may not know is whether it applies to your app. You see, not every health app has to be HIPAA compliant. There are specific factors that determine if your app will be held to those standards.

In today’s post, we’re going to share everything you need to know to understand, once and for all, whether your app should be HIPAA compliant.

Let’s get to it.

When Does HIPAA Come Into Play?

HIPAA, aka the Health Insurance Portability Accountability Act, regulates how healthcare professionals and other businesses record, manage, store and share a US citizen’s protected health information (PHI) electronically. 

This is the key. 

If you are building a mHealth app, you need to know what is considered protected health information under HIPAA.

PHI is health information—health records, lab results, medical bills—that is linked to individual identifiers. Identifiers include patient names and prescription information as well as identification numbers (e.g., account numbers) and demographic information (e.g., gender).

To be PHI, this information must also be used or transmitted by a “covered entity” or “business associate.” A covered entity is either 1) a healthcare provider, 2) a health plan or 3) a healthcare clearinghouse that handles protected health information. Business associates can include lawyers, IT professionals, accountants, billing providers, email encryption services, etc.—anyone who works on behalf of a CE and therefore also handles PHI.

Understanding how to keep private and personal medical information secure can be a big task for mobile developers unfamiliar with HIPAA, but it’s mandatory if this is a planned part of your app’s activities, so you want to make sure you’re thorough in your research and preparation.

Why Do Some Health Apps Need To Be HIPAA Compliant And Others Not?

Simply put, if your medical app records, stores, manages or shares personal information (e.g., date of birth), it must be HIPAA compliant. If your app only collects info that is not personally identifiable (e.g., resting heartbeat), it doesn’t need to be compliant.

For example, the app Figure1 has to comply with HIPAA because it permits healthcare providers to view and discuss medical cases with other healthcare professionals. On the other hand, Nike Fuelband, which collects info like body stats and calorie count but no personal identifiers, does not fall under HIPAA.

So Does My Mobile App Need To Be HIPAA Compliant?

If your app stores or transmits PHI on behalf of a covered entity, then that makes you a business associate, and your app has to comply with HIPAA. For example, insurance provider Medavie Blue Cross has an app for consumers that includes their coverage information and the ability to submit claims. Since the app deals with PHI on behalf of a health plan, the developer has to follow HIPAA.

Apps that rely on users to supply their own health information may not have to be HIPAA compliant. Take a fitness tracking app, such as DailyYoga, that asks users to input weight or other health information. If the app isn’t getting that information from or sending it to a covered entity, then the app developer does not need to comply with HIPAA.

What If Our Company Decides We Won’t Collect PHI?

Some advice: Don’t avoid PHI solely to bypass HIPAA compliance procedures. Changing your entire business plan could cost you more than just sucking it up and going through the process to become compliant.

It’s more important to understand the value you’ll get from collecting PHI. Revisit your business goals and gauge whether collecting PHI will help you accomplish what you’re setting out to achieve, and make your decision based on that too.

Wrapping Up

Building a HIPAA-compliant app doesn’t have to be a daunting experience. There are some easy methods to get there, like data de-identification. This involves storing PHI in a separate, HIPAA-compliant location so that your app’s primary database doesn’t store any info that triggers HIPAA.

But if you choose to go this route, you should first have a discussion with an experienced development team who knows how to build HIPAA-compliant mobile apps. With some strategic planning and guidance, your health app can be a huge success.