How To

Is your mHealth app HIPAA compliant?

June 15, 2015 | Uniphy Health

For the first time in the five years of the Ponemon Institute's benchmark study, the healthcare providers surveyed cited criminal, malicious cyber-attacks as the leading cause of data breaches. Healthcare organizations must therefore ensure that every mHealth app used for clinical care coordination, patient engagement, or anything else that handles sensitive patient data is HIPAA compliant. Texts containing patient-specific information, images of medical records, and even appointment details are protected health information (PHI) and must be protected in digital form.

To reduce the risk of a data breach from a cyber-attack and to meet the HIPAA Security Rule, mHealth apps should, at a minimum, implement these seven safeguards. The first five mirror the technical safeguard standards of the Security Rule (45 CFR §164.312); the last two are practical additions that follow from them:


1. Access control: This is the front line of risk management. Every action taken in your mHealth app should be tied to a unique ID assigned to each user. Access control covers unique user identification, emergency access procedures, automatic logoff after inactivity, account lockout after repeated failed login attempts, and encryption/decryption so that PHI is unreadable to anyone not authorized to see it. System administrators should also be able to remotely wipe the mHealth app and its data from any user's device.

2. Audit controls: Administrators should be able to record, monitor, and analyze activity in systems that contain or use PHI (who accessed what, and when), so that misuse is detected and exposure is limited.

3. Authentication: Verifies that a person or entity seeking access to PHI is who they claim to be before any access decision is made. In practice this means a password or PIN, ideally combined with a second factor such as the enrolled device.

4. Integrity controls: Ensure that PHI is not improperly altered or destroyed, in storage or in transit, and that tampering can be detected (for example with message authentication codes or digital signatures). PHI should be compartmentalized from other data stored on users' devices. Unlike messages in a phone's native messaging app, which persist indefinitely in a shared message store, secure texts in a HIPAA compliant mHealth app should expire and be removed from the device; a common policy is auto-deletion 24 hours after delivery.

5. Transmission security: Encrypt PHI in transit (TLS between app and server), at rest on the device, and at rest on independently secured servers, so that it is protected at every stage. This applies to both text and images sent via secure texting; a plain SMS or MMS is neither encrypted nor under the organization's control.

6. Third-party app integrations: Any third-party app or service integrated into your mHealth app must fully comply with the HIPAA safeguards if PHI is shared with it or stored on its servers, and HIPAA requires a signed business associate agreement (BAA) with any such vendor. Never assume; verify that third-party partners meet these requirements, otherwise every provision you have made to secure your own app is undermined.

7. Proprietary data encryption: Any proprietary data cached on the device, such as staff directory information, should also be encrypted, with the key held in the platform's keystore rather than alongside the data.
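To make items 1 through 4 concrete, here is an added example (not code from Uniphy Health or the original post) of a hypothetical server-side message store for a secure-texting feature. It shows unique user IDs with salted PBKDF2 password checks and account lockout, automatic logoff after inactivity, an append-only audit trail, HMAC integrity tags verified on every read, and expiry of texts after 24 hours. It uses only the Python standard library; encryption at rest and TLS (items 5 and 7) are assumed to be handled by the platform and are not shown. The class name, the `now` parameter (explicit time, so the behaviour is testable) and the timeout constants are assumptions of this example, not HIPAA requirements.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

SESSION_TIMEOUT = 15 * 60        # seconds of inactivity before automatic logoff (assumed policy)
MESSAGE_TTL = 24 * 60 * 60       # secure texts expire 24 hours after sending
MAX_FAILED_LOGINS = 5            # lock the account after this many bad passwords


@dataclass
class User:
    user_id: str                 # unique user identification
    salt: bytes
    pw_hash: bytes
    failed_logins: int = 0
    locked: bool = False


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted password hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class SecureMessageStore:
    """Hypothetical store for a secure-texting feature (example only)."""

    def __init__(self, integrity_key: bytes):
        self.integrity_key = integrity_key   # HMAC key used for integrity tags
        self.users: dict[str, User] = {}
        self.sessions: dict[str, tuple[str, float]] = {}   # token -> (user_id, last activity)
        self.messages: dict[str, dict] = {}
        self.audit: list[dict] = []          # audit trail: appended to, never edited

    def _log(self, user_id: str, action: str, detail: str = "") -> None:
        self.audit.append({"ts": time.time(), "user": user_id,
                           "action": action, "detail": detail})

    def add_user(self, user_id: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[user_id] = User(user_id, salt, hash_password(password, salt))

    def login(self, user_id: str, password: str, now: float):
        """Person-or-entity authentication; returns a session token or None."""
        user = self.users.get(user_id)
        if user is None or user.locked:
            self._log(user_id, "login_denied", "unknown or locked account")
            return None
        if not hmac.compare_digest(hash_password(password, user.salt), user.pw_hash):
            user.failed_logins += 1
            if user.failed_logins >= MAX_FAILED_LOGINS:
                user.locked = True               # lockout after repeated failures
            self._log(user_id, "login_failed", f"attempt {user.failed_logins}")
            return None
        user.failed_logins = 0
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (user_id, now)
        self._log(user_id, "login_ok")
        return token

    def _session_user(self, token: str, now: float) -> str:
        """Resolve a session token; enforce automatic logoff after inactivity."""
        if token not in self.sessions:
            raise PermissionError("no such session")
        user_id, last_seen = self.sessions[token]
        if now - last_seen > SESSION_TIMEOUT:
            del self.sessions[token]
            self._log(user_id, "auto_logoff")
            raise PermissionError("session expired")
        self.sessions[token] = (user_id, now)
        return user_id

    def _tag(self, msg_id: str, body: bytes) -> bytes:
        # Bind the tag to the message id so a body cannot be swapped between messages
        return hmac.new(self.integrity_key, msg_id.encode() + body, "sha256").digest()

    def send(self, token: str, recipient: str, text: str, now: float) -> str:
        sender = self._session_user(token, now)
        msg_id = secrets.token_hex(8)
        body = text.encode()
        self.messages[msg_id] = {"from": sender, "to": recipient, "body": body,
                                 "tag": self._tag(msg_id, body), "sent": now}
        self._log(sender, "send", msg_id)
        return msg_id

    def read(self, token: str, msg_id: str, now: float) -> str:
        user_id = self._session_user(token, now)
        rec = self.messages.get(msg_id)
        if rec is None or now - rec["sent"] > MESSAGE_TTL:
            self.messages.pop(msg_id, None)      # expired texts are purged on access
            self._log(user_id, "read_failed", f"{msg_id} missing or expired")
            raise KeyError(msg_id)
        if user_id not in (rec["from"], rec["to"]):
            self._log(user_id, "access_denied", msg_id)   # only sender and recipient may read
            raise PermissionError(msg_id)
        if not hmac.compare_digest(self._tag(msg_id, rec["body"]), rec["tag"]):
            self._log(user_id, "integrity_failure", msg_id)
            raise ValueError("message tag mismatch")
        self._log(user_id, "read", msg_id)
        return rec["body"].decode()
```

Every denied or failed operation is written to the audit trail as well as the successful ones, which is what makes the log useful to an administrator investigating exposure; in a real deployment the trail would go to append-only storage outside the app's own database.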

mHealth applications that transmit PHI should implement every safeguard listed above. Note that these are only the technical safeguards: the Security Rule also requires administrative and physical safeguards (risk analysis, workforce training, device and media controls), so an app that meets the list above is necessary but not by itself sufficient for compliance. The regulations set a baseline for security that will continue to evolve as cyber-attackers become more sophisticated.


