
HIPAA compliance when using mobile apps with your patients

Using mobile apps to communicate with patients, whether patient-portal software or chat tools, necessarily involves protected health information (PHI). Healthcare providers must therefore confirm that any such app, and the vendor behind it, is HIPAA compliant before PHI flows through it.


When is HIPAA compliance required for mobile apps?

When a mobile app handles or has access to PHI on behalf of a covered entity, HIPAA compliance is required, and the app's vendor or developer is a business associate under HIPAA. A business associate is any entity that performs functions or activities on behalf of a covered entity that involve the use or disclosure of PHI.

If an app vendor meets the definition of a business associate by performing functions or services involving PHI on behalf of your practice, it must comply with HIPAA. Not every app or app developer is a business associate, however. Some apps are built for general health and wellness use by consumers; if they do not use or disclose PHI on behalf of a covered entity, they fall outside the scope of HIPAA.


What to look for in a HIPAA compliant app

  • Business associate agreement (BAA): A business associate agreement must be signed between you as the healthcare provider and the vendor of any mobile app that will handle PHI. The BAA sets out the business associate's responsibilities and obligations for protecting the privacy and security of PHI. Without a signed BAA, the app should not be used for PHI regardless of its technical controls.
  • Privacy policies and terms of service: Review the app's privacy policy and terms of service to understand how PHI is collected, stored, and shared, and with whom. Confirm they align with HIPAA requirements and do not permit secondary uses of PHI (for example, advertising or analytics) that a BAA would not allow.
  • Data encryption: Verify that the app encrypts data in transit with Transport Layer Security (TLS) between the app and every server or database involved, and that PHI is also encrypted at rest, both on the device and on the vendor's servers. Encryption in transit protects PHI from interception; encryption at rest limits exposure if a device or server is lost, stolen, or compromised.
  • Access controls: The app should provide robust access controls, including user authentication and authorization. Only authorized individuals should be able to reach PHI, with user roles and permissions scoped to what each role needs.
  • Data storage and backup: Check that the app stores data in a hosting environment or data center that is covered by a BAA and operated under HIPAA-appropriate safeguards. Regular, tested backups should be performed so that PHI is not lost.
  • Risk assessment and management: Confirm that the vendor performs ongoing risk assessments so that the PHI you entrust to it is not compromised, and that it has documented procedures for responding to security incidents and reporting breaches to you.
  • HIPAA compliance documentation: Request documentation or evidence of the vendor's HIPAA compliance efforts, such as policies, procedures, and workforce training related to PHI protection. This shows the developer's commitment to maintaining compliance and gives you something to verify against.


Examples of the kinds of apps that require compliance

  • Messaging platforms: Messaging apps such as Google Chat, WhatsApp, Telegram, Signal, or Facebook Messenger must be HIPAA compliant (including a signed BAA) if they are used to discuss patient treatment or other PHI.
  • Video platforms: Video products are frequently used in telemedicine. Providers must confirm that any video platform used for patient visits is HIPAA compliant.
  • Electronic health record (EHR) apps: Software used by healthcare providers to manage patient health information digitally, such as Epic Systems.
  • Patient portals: Secure online platforms or apps that let patients access their personal health information and interact with healthcare providers, such as MyChart.
  • Health and wellness apps: Mobile apps or digital platforms that promote health and well-being, such as Fitbit Plus or Premom, when they are used on behalf of a covered entity and handle PHI.
  • Prescription management apps: Mobile apps designed to help individuals manage their medications, such as Medisafe.
  • Medical research apps: Software designed to facilitate medical research studies, such as ResearchKit (developed by Apple).
  • Health insurance apps: Mobile apps provided by health insurance companies or organizations, such as Anthem Anywhere.


Benefits of using healthcare apps

As a healthcare provider, using healthcare apps can save valuable time and reduce the costs associated with traditional in-person visits. These apps also let patients take an active role in managing their health by tracking fitness goals, managing chronic conditions, and receiving recommendations tailored to their needs.

HIPAA compliant mobile apps offer many benefits, but whether a given app is appropriate for your practice or organization is a separate decision that depends on the PHI involved and the safeguards the vendor can demonstrate.
