Alexa Serra  ·  March 17, 2021 




5 HIPAA Compliance Pitfalls to Avoid in Healthcare Apps


Healthcare app developers are the gatekeepers responsible for setting in place the safeguards that guarantee health-data protection.

Healthcare app developers are the gatekeepers responsible for setting in place the safeguards that guarantee health-data protection. Securing your users’ personal information is non-negotiable in healthcare apps.

With the birth of mobile apps and modern technologies weaving their way into our lives, data has become the new gold. As you realize just how vital this information is, you must also recognize how at risk it is when it falls into the wrong hands. As users of these technologies, we want–and need–convenient apps that provide connectivity and solve our daily problems while also keeping our information safe.

However, the exponential growth of mobile solutions that give us the connectivity we so crave has also led to the rise of cybercrime. It doesn’t help ease our minds that all our data is floating around out there when we know a hacker attack occurs every 39 seconds. As a result, this expanding use of networks and devices that collect our personal information must be met with growing concern to keep all that information safe, especially in high-stakes industries such as healthcare.

The COVID pandemic undeniably accelerated healthcare’s fast track into the mobile world. Unfortunately, this urgency for mobile healthcare solutions hasn’t met the safety and security measures to protect patient data. And while most people may wonder why a hacker would want anyone’s health history, it’s important to note that healthcare information is indeed valuable. A study by IBM highlights this fact by stating that the healthcare sector has the highest average breach costs of any industry, at $7.13 million, a 10.5% increase over the 2019 study. This phenomenon happens because Electronic Health Records (EHRs) and other personal health data have a host of specific sensitive information that can be used for identity theft and sometimes can even have financial information.

While developers are racing towards rapidly creating mobile healthcare solutions, most safeguards are set aside in the name of efficiency. After all, wouldn’t it be easier to build a medical app and send it flying into patient homes, no question asked? Luckily it doesn’t work like that. The Health Insurance Portability and Accountability Act (HIPAA) was created to keep personal medical information confidential while also standardizing billing and other electronic healthcare needs. Unfortunately, many developers still fail to implement HIPAA requirements properly.

Woman checks HIPAA compliance

What is HIPAA Compliance?

The HIPAA privacy act was first implemented in 1996 by the U.S. Department of Health and Human Services. It sets industry-wide standards that protect physical and electronic medical records, personal health information, and billing information. In terms of healthcare apps and software, HIPAA compliance means that the application meets all the technical and physical safeguards to protect its users against data theft. Technical safeguards refer to data security when it is transferred, stored, or shared. Physical safeguards refer to physical measures, policies, and procedures to protect electronic information systems and equipment from unauthorized intrusion.

The four HIPAA safeguards for ensuring the security of electronically stored PHI (Protected Health Information) that app developers must comply with are:

  1. Privacy
  2. Security
  3. Enforcement
  4. Breach Notification

For any app developer that deals with medical data, keeping patients’ health information private is critical. HIPAA violations can be costly and can range from $100 up to $50,000 per violation. For this reason, and your users’ peace of mind, meeting HIPAA compliance is critical for successful healthcare app development practices.

Our experience of over ten years developing healthcare solutions has made us very aware of what goes into HIPAA compliance. Let’s take a look at some of the HIPAA compliance violations and how to avoid them.

Mistake 1: Not Having Proper Access and Authentication

Not Having Proper Access and Authentication Controls in Place

Controlling access to the app sounds like an obvious measure to take, but the amount of data that gets stolen yearly due to lack of access control is astonishing. One study found that 58% of the total breaches to mobile healthcare in 2019 resulted from hacking incidents, impacting 36.9 million patient records. Thus, not restricting or controlling access to your app and the information within has catastrophic consequences, not only for your company but for your users. Lagging on the first layer of security of your app will jeopardize HIPAA compliance, endanger PHI protection, and damage your company’s reputation, which can be costly and damaging to you and your employees.

HIPAA standards demand that any system that stores PHI has to limit who can access, use, and modify the sensitive medical data. High-level authentication and authorization measures are not optional and are the first and most fundamental barrier to protect your app from hackers. Authentication-wise, enforcing complex passwords, credentials, tokens, or other personal ways of identifying users is an easy way to establish some blockades.

Nonetheless, 81% of data breaches are due to compromised, weak, or reused passwords, which is why you should always enforce two-factor or multi-factor authentication. Such systems combine a complex password with a second or third method of verification which can be biometric, an OTP, an email, or a call, to name a few. These methods can be independently coded and programmed into your app. You can use IAM tools like Okta and Azure Ad, which we often use and provide authentication and authorization services while also being HIPAA compliant.

Furthermore, these IAM tools also help authorization-wise by managing access to ensure the right users access the correct data for the right reasons. Additionally, it would help to establish roles within your app to grant access based on those roles. Depending on the user access level, they will be allowed–or not–to access and modify specific information. This measure is fundamental for healthcare apps because it sets accessibility boundaries on a need-to-know basis. Sensitive patient data is only accessible to doctors, for instance, instead of nurses or the patient’s family in shared-device scenarios.

Again, you can program and implement these methods in-house, or you can use the same IAM tools listed above. The benefit of employing said tools is that they are already HIPAA compliant, easy to use, and can save your company time and money.

Mistake 2: Failure to Use Encryption

Failure to Use Encryption

Healthcare apps need to make sure that all the stored and shared information within the app is encrypted. Cryptographic methods are paramount for HIPAA compliance, and failing to implement them can lead to easy data interception, leakage, and theft. Moreover, because healthcare apps sensitive information is often transmitted through wifi or insecure networks, encryption is your best bet for hackers to stay away.

These measures also apply to stored data, which is also vulnerable to attacks and needs to be encrypted even when it’s not transmitted back and forth. Thus, encryption prevents the information from being read by intruders, and even if they manage to steal it, it will be unreadable and ultimately useless. Moreover, HIPAA standards dictate that when PHI leaves the internal server, its transmission automatically falls under the high-risk area; hence it is open to interception. As a result, not using cryptographic measures not only jeopardizes your HIPAA compliance but leaves your users’ data open for theft.

As per our experience, we recommend using encryption methods such as JSON Web Tokens (JWT)–which also work as an authentication/authorization method–PKI, or SSL certificates, to name a few. JWTs, for instance, work wonders for safe information transmission because programmers can digitally sign them to verify the sender’s identity. Additionally, the digital signature also confirms that the content hasn’t been tampered with in transit, ensuring data integrity.

On the other hand, SSL certificates can also help with HIPAA compliance because they provide your app with HTTPS, which establishes site authenticity and enables end-to-end encryption of all communications between the app and the server. You should purchase SSL certificates because they provide data security regardless of the user’s device to access the app.

Regardless of the encryption method you choose, it is crucial to implement cryptographic elements to your apps. It is undeniably one of the best ways to achieve HIPAA compliance and keep your app safe at all times.

Mistake 3: Exceeding the 60-day deadline for breach notifications

Exceeding the 60-day deadline for breach notifications

One of the most critical but often overlooked HIPAA requirements states that HIPAA covered-entities must notify within 60 days following a breach of unsecured PHI. Failure to notify can cost your company a lot in HIPAA fines. Companies have reported they’ve been fined up to $475.000 for not reporting data breaches before the 60-day window. Furthermore, one study found that 52% of European companies have notified a data breach, as opposed to only 22% of US companies doing the same.

Remember, even with all the safeguards in place; breaches can happen. To avoid incurring further penalties–if penalties apply–make sure to notify before the 60-day window. Breach notifications should be performed directly to the affected individuals by their preferred means of contact and should contain a brief description of the breach. This description must include the data that hackers stole, the steps to secure further data leakage, and the company’s measures to mitigate the damage and prevent future breaches. If more than 500 individuals are affected, your company should also notify the media and the government.

Mistake 4: Not Disposing of Records Properly

Not Disposing of Records Properly

A crucial part of maintaining your users’ privacy, aside from the methods stated above, is how you dispose of their medical records and other personal data. For paper records in hospitals or pharma companies, the measures are obvious. However, it’s a little trickier for healthcare apps because the EHR, PHI, and other electronic data can’t be placed in a shredder. Whatever the reason for data deletion, not being careful and making sure the information is permanently erased can cost you your HIPAA compliance.

The HIPAA security rule requires that companies have strict policies to dispose of PHI and other user data when it is no longer needed or the user requests its deletion. These deletion policies must cover the hardware or electronic media on which the data is stored. Some methods of data disposal recommend by the HIPAA for destroying all the electronic information on your app are:

  • Clearing: Using software or hardware programs that overwrite patient data with other non-sensitive data.
  • Purging: Exposing the media to a strong magnetic field to disrupt the recorded domains.
  • In case of physical media: Disintegrate, pulverize, melt, incinerate, or shred.

In the US, HIPAA compliance also applies to apps that work in states where retention periods for data storage apply, so it’s essential to familiarize yourself with the state laws that apply to your product.

Mistake 5: Failure to Perform Audit Logs

Failure to Perform Audit Logs

Audit logs are a critical–and required–part of meeting HIPAA compliance. They help identify security problems and keep records of who accesses the information and which actions they take within the system. They are also a crucial part of any risk management assessment. Failure to keep them will blur the visibility you have of the actions taken within your app’s system and jeopardize the safety of the information it contains. Not to mention, your HIPAA compliance will take a big hit if you fail to keep and review audit logs.

HIPAA standards mandate that event logs contain the following:

  • User logins/Login attempts.
  • Changes made to databases.
  • Addition of new users.
  • New users’ level of access.
  • Files accessed by users.
  • Operating system and software update logs
  • Firewall logs
  • Anti-malware logs

Since audit logs’ primary purpose is to maintain a record of your app’s system’s activity, they are significant to your overall security scheme. Not only are they a requirement, but they can help you monitor and identify markers indicative of breach or attempted breach activity. They might also generate alerts or notifications to let your security personnel know when someone is illegally accessing, changing, or using information. These alerts can lead to timely actions and measures that can prevent hackers from breaching your app’s ramparts.

The Takeaway

HIPAA Compliance Pitfalls: The Takeaway

HIPAA compliance is a necessary starting point for any healthcare app that deals with sensitive medical data. These standards are a way of guarding the mobile healthcare market against the wave of unregulated, flawed, and harmful apps currently making their way into users’ hands. HIPAA may seem too complicated to keep up with, but the implementation of its standards and requirements is a direct pathway to standing out in the industry.

While many of these implementations are basic and should be set in place by any app developer, the more complicated ones will ensure that your healthcare app runs smoothly and is a safe place for your users. Especially now with the pandemic driving the healthcare sector into a phase where its digital transformation is unavoidable. HIPAA compliance can determine whether patients will reap all the benefits from your app and ultimately make their lives better. Hence, shifting to a focus on compliance adherence is the gateway to developing innovative, high-quality, trustful apps.

With more than ten years of experience in the healthcare arena, we understand HIPAA compliance’s nuances and benefits. We never falter in adhering to them and implementing them in our medical apps and software products, which is why we are one of the most awarded development partners.

If you have any questions about HIPAA compliance or want to kickstart your journey into the mobile healthcare realm, don’t hesitate to contact us!

Let's do something great