HIPAA compliance for mobile healthcare applications and software can be a complicated issue to understand. Stakeholders can have a hard time understanding when healthcare apps are subject to HIPAA regulations and must ensure compliance. This misunderstanding can cause non-compliance issues and expensive fines.
The demand for faster and more efficient medical services and care delivery has snowballed for some years now. Fortunately, this growth in demand has been met with a proliferation of mobile health solutions. This has help increase the size of the mobile healthcare market and provide better and faster on-demand, remote medical care. In fact, the mobile healthcare market accounted for $35.1 billion in 2020 and is expected to reach a staggering value of $145.7 billion by 2027. That growth means a Compound Annual Growth Rate (CAGR) of 22.5% in seven years. Thanks to this growth, modern mobile healthcare solutions have helped healthcare systems and stakeholders across the globe alleviate the pressure of the increasing demand for medical care. However, as we become more accustomed to the benefits of remote healthcare and the use of healthcare apps and devices becomes commonplace, more significant amounts of highly sensitive data begin to flow through these apps.
These data include a variety of personal information that is germane to medical care but can also be valuable to hackers. Therefore, healthcare app developers must guarantee the privacy and protection of said sensitive patient data at all costs by complying with government data protection laws. Collecting and storing these health data falls under the umbrella of a federal regulatory law known as the Health Insurance Portability and Accountability Act (HIPAA).
While it’s unavoidable for healthcare apps to collect and store patient data, developers can’t neglect the safeguarding of this information and must make its protection a priority. We must keep an eye on which patient data is stored, collected, and shared by our apps and for what purposes, to ensure HIPAA compliance, if applicable. Failure to do so will result in costly fines and penalties that can significantly hit our development companies and jeopardize our reputations as competitive healthcare app developers. So, let’s look at what regulatory non-compliance looks like and the cost of violating HIPAA rules for healthcare app developers.
What is HIPAA?
The Health Insurance Portability and Accountability Act of 1996 is a law enacted by the United States government that applies to healthcare organizations and healthcare employees. It was created to protect sensitive health information from leaks and hacking, guarantee healthcare coverage, and ensure industry-wide standards for electronic processes and systems related to healthcare management. The HIPAA act contains five sections that break down all compliance requirements, from insurance coverage and taxing processes to pre-existing conditions and citizenship issues. However, since our main focus in this article pertains to mobile healthcare regulations, we’ll only touch on the HIPAA sections that handle compliance for healthcare apps and developers.
The HIPAA act requires that healthcare organizations develop policies that protect their patient’s privacy and implement the necessary safeguards to ensure the confidentiality, integrity, and availability of all protected health information (PHI) and electronic health information (ePHI). In the HIPAA context, ePHI is any identifiable health-related information of a patient that is collected, stored, or transmitted by a HIPAA-covered entity. A HIPAA-covered entity can be a healthcare provider, health insurer, healthcare clearinghouse, or a business associate–or third-party–of any of the aforementioned entities that require access to PHI to perform their contractual duties. ePHI also includes electronic medical records, medical patient histories, lab test results, and medical bills. Demographic information such as social security and driver’s license numbers, address, phone number, age, financial information, insurance details, and even birth dates are also considered PHI. Calories burned, food diaries, steps taken, or distance covered, for instance, are not regarded as ePHI.
HIPAA rules place restrictions on the uses of health-related data, limit who can access copies of said information, and give patients the right to obtain copies of their medical information. Also, HIPAA compliance means that a particular app meets all technical and physical safeguards of the HIPAA privacy and security rules concerning medical software and healthcare applications. These rules stipulate that a healthcare app or software has all the administrative, physical, and technical safeguards to ensure the integrity and protection of the ePHI that the entity–in this case, the app–creates, receives, maintains, maintains, and transmits.
HIPAA compliance for medical software and healthcare applications can be a complicated issue to understand. Some healthcare apps are subject to HIPAA rules, while others are not. So, to understand the costs and penalties of non-compliance and how they apply to our industry, we want to establish when a healthcare app is subject to HIPAA compliance.
When Does HIPAA Compliance Apply to Healthcare Apps?
How do healthcare apps come into play in the conversation of HIPAA compliance for medical software? This question is crucial for healthcare developers and providers when determining what type of app they want to develop. Its answer lies in the purpose of data collection and its source. If a healthcare app contains, handles, stores, and shares ePHI and falls under the umbrella of covered entities, or business associates, it needs to be HIPAA compliant. However, if a healthcare app requires its users to enter their personal information but that information isn’t shared with a covered entity, the app does not have to be HIPAA compliant. In the first scenario, the healthcare app developer becomes a business associate because their activities involve using and disclosing ePHI with a covered entity; therefore, the app they develop must be HIPAA compliant.
In a nutshell, determining when HIPAA applies to a healthcare app depends on understanding how the data is collected, stored, and managed from a business associate and shared to a covered entity. To illustrate this point better, let’s take a look at a couple of scenarios:
- Scenario One: Physician App
A hospital hires you to create an app that provides patient management services. These services include food and exercise monitoring, blood pressure, blood sugar, and other general vital sign information. The app also has messaging services between the patient and the healthcare provider. Additionally, the patient’s personal information is stored in the app and is shared between the healthcare provider’s system and the patient.
In this scenario, HIPAA compliance applies to you, the developer. By HIPAA standards, you are considered a business associate of the healthcare provider because you’re responsible for receiving, transmitting, and maintaining ePHI on behalf of the healthcare provider, who, in this case, is a covered entity. Therefore, it falls on you to ensure the safeguarding of the information that your app stores and shares.
- Scenario Two: Fitness App
You develop a fitness healthcare app that a user downloads to their smartphone. The user enters their personal information, such as height, weight, age, eating habits, and blood pressure readings, into the app. The app records the user’s daily activity and connects with the user’s home-health equipment and devices for personal use. The data isn’t shared with anyone else.
In this case, HIPAA would not be applicable as you, the developer, are not receiving, maintaining, or transmitting ePHI. Instead, the user simply uses the app to record their daily information and track their fitness progress.
Suppose you determine that HIPAA applies to you and your healthcare app. In that case, you must ensure that your security protocols and safeguards are set in place through your entire development process to secure HIPAA compliance and keep your users’ data safe. We’re sure this goes without saying, but you need to implement authentication and authorization protocols to limit access to your app, encrypt the transferred and stored data, notify users about breaches, perform audit logs, and adequately dispose of records. Additionally, you need to ensure that the agreements and contracts you signed with covered entities are updated and address each party’s responsibilities and liabilities concerning ePHI management.
So, now that we’ve established a contextual framework for what HIPAA compliance entails, let’s dive into non-compliance fines.
How much do HIPAA violations cost?
Failure to meet HIPAA compliance can cost healthcare organizations billions every year, and the financial impacts continue to rise. On average, a healthcare data breach comes with a price tag of about $7.13 million, a part of which comes from HIPAA fines and sanctions that can add up to $1.5 million per non-compliance event per year. However, that is just the tip of the iceberg. Aside from HIPAA fines, most of those $7 million derives from the cost of business disruption, reputation, damage control, and loss of productivity.
In addition to these financial penalties, developers who violate HIPAA regulations are also required to adopt a corrective action plan to ensure their development policies and procedures meet the standards demanded by HIPAA rules. On top of that, the penalties for willful non-compliance can also carry criminal charges along with the aforementioned costly fines. These penalties and fines for healthcare app HIPAA violations are issued by the Department of Health and Human Services’ Office for Civil Rights (OCR) and the state attorney general.
Financial penalties for HIPAA act as a deterrent to ensure covered entities and business associates are held accountable for non-compliance. These penalties protect the patient’s privacy and the confidentiality of health and personal data. They also have a tiered penalty structure for violations based on the knowledge a covered entity or business associate had at the moment of the breach. HIPAA fines and penalties are enforced per violation category and consider the number of exposed records in a single breach event. They also consider onsideration the level of risk to patients that stems from the breach, the severity of the violation, the level of knowledge of the breach, and finally, the financial means of the covered entity to pay the imposed fine.
The categories, or tiers, used for HIPAA’s penalty structure are as follows:
- Tier 1: The covered entity was unaware of the HIPAA violation and could not have realistically avoided it. The covered entity also put a reasonable amount of effort into abiding by HIPAA Rules. Penalties range from $100 to $50,000 per violation with a maximum of $25,000 per year.
- Tier 2: The entity should have been aware of the violation. However, the entity could not have avoided it. Penalties range from $1,000 to $50,000 per violation with a maximum of $100,000 per year.
- Tier 3: The violation was a result of willful neglect of the HIPAA Rules. However, the covered entity attempted to correct the violation. Penalties range from $10,000 to $150,000 per violation with a maximum of $250,000 per year.
- Tier 4: The entity incurred in a violation that resulted from willful neglect, and the covered entity did not attempt to correct the violation. The penalty is $50,000 per violation with a maximum of $1.5 million per year.
A data breach resulting from a HIPAA violation could end fines issued for different aspects of the violation. The OCR may also apply it daily for the amount of time that the covered entity has violated the law. Fines will also increase depending on the number of patients affected and the severity of the damage the breach caused the patients.
As you can see, non-compliance can be very costly. However, aside from the expensive fines, your development company can suffer reputational damage and business disruptions that can impact the future of your enterprise. For this reason, you must educate yourself and your employees on HIPAA compliance and ensure your development processes are always up to regulatory standards. Now, let’s take a look at some of the most significant cases where companies failed to comply with HIPAA so you can witness the actual consequences of non-compliance.
Biggest HIPAA Violation Cases
1. Anthem Inc.
Anthem Inc. is an Indiana-based health insurance company that suffered a massive cyberattack in 2014. Hackers silently penetrated the company’s system with phishing emails that an employee opened. Hackers spent several months exploring their network, escalating privileges, and finally stealing patient data from their data warehouse. These stolen data included patient and employee names and personal information, health insurance IDs, ePHI, and Social Security numbers. Anthem announced the breach in February of 2015 and, due to its massive nature, it was immediately investigated by the OCR. As a result of the investigation, multiple HIPAA violations were discovered, and the company settled the case with the OCR for $16 million in October 2018.
Aside from the settlement cost, the company spent more than $260 million settling lawsuits and enforcing security-related measures as part of the agreement to take corrective actions. These actions included implementing an information security program based on zero trust architecture principles, multi-factor authentication, access controls, network segmentation, and data encryption. They are now also monitoring system activity, performing regular penetration tests, and sending regular security reports to the board of directors. Additionally, they had to undergo third-party security audits for three years and deliver the results of those audits to a third-party assessor.
The Anthem Inc. violation penalty is the most significant financial penalty imposed on a covered entity in the history of the HIPAA law, and it affected 78.8 million individuals. The company never admitted their fault in the incident and issued a statement saying they didn’t break any laws regarding data security and privacy. The investigation is still ongoing.
2. Premera Blue Cross
Premera Blue Cross is the largest health insurer in the US Pacific Northwest. It operates in Washington and Alaska and serves as a healthcare plan provider for more than 2 million people. Premera suffered a cyberattack discovered by the company on January 29 of 2015, one year after the attack. Hackers could access Premera’s systems and accessed employee and patient personal data, including contact and personal information, Social Security numbers, ePHI, and claims information. The hack not only affected Premera, but it also hit some of its affiliates, including Alaska’s Premera Blue Cross Blue Shield and Vivacity and Connexion Insurance Solutions.
After the breach was announced, the OCR launched an investigation that found multiple HIPAA violations. These violations impacted 10.4 million patients and included:
- Failure to implement robust security measures to protect patient data.
- Lack of HIPAA-required hardware implementation.
- Failure to conduct an enterprise-wide risk analysis of potential risks and vulnerabilities.
The OCR settled the case with Premera Blue Cross for $6.85 million, making it the second-largest settlement in HIPAA history. The insurer also had to spend over $78 million on lawsuit settlements and implement a corrective action plan that required them to conduct a thorough risk analysis to ensure the availability, integrity, and confidentiality of all its ePHI. Additionally, they had to implement an enterprise-wide risk analysis plan and immediately address any security risks identified in that analysis.
Prior to the breach, the state of Washington stated that cybersecurity experts and the company’s auditors repeatedly warned the company about serious vulnerabilities within its system. However, the company failed to address the problems.
3. Excellus Health Plan
Excellus Health Plan is a New York-based non-profit, independent licensee of the Blue Cross Blue Shield Association that provides health insurance services in the US. In 2013, the company suffered a cyberattack where hackers installed malware on its systems and conducted reconnaissance activities for almost two years. The attack resulted in the illegal disclosure of the ePHI of more than 9.3 million patients. The leaked data included names, personal information, email addresses, Social Security numbers, bank account information, insurance claims, and treatment information. The attack was discovered after the company hired cybersecurity firm FireEye Mandiant to conduct an assessment of its IT systems. Excellus notified the OCR about the cyberattack on September 9 of 2015, and paid a $5.1 million penalty for its HIPAA violations.
The OCR’s investigation concluded that the company violated several HIPAA rules, including the following:
- Failure to conduct a company-wide risk analysis that ensured the confidentiality, integrity, and availability of all ePHI.
- Failure to implement efficient security measures sufficient to reduce or avoid safety risks.
- Failure to implement system activity monitoring.
- Failure to implement access management protocols.
In addition to paying the $5.1 million financial penalties, Excellus was required to adopt a corrective action plan that addresses all the non-compliance issues identified by the OCR. The company was monitored closely for two years to ensure HIPAA Rules compliance.
4. CHS/Community Health Systems, Inc.
CHS/Community Health Systems, Inc. is a Tennessee-based company that provides IT and health information management services to hospitals and other healthcare companies. On April 10, 2014, hackers used compromised admin credentials to submerge the company in a cyberattack that leaked the ePHI and personal data of more than six million patients. Hackers accessed the company’s health information management system via their virtual private network (VPN). CHS/Community Health Systems failed to detect the attack and was notified of it by the FBI. However, despite being told of the incident in April 2014, the company didn’t take reactive measures, and the hackers remained active for four months.
The OCR’s investigation uncovered systemic non-compliance with the HIPAA Security Rule and determined the company knew about the attack but neglected to take action on time. The company accepted the penalty and liabilities and settled the case for $5.1 million. As part of the settlement, the company had to adopt a robust corrective action plan to address non-compliance areas. The OCR closely monitored them for two years.
5. New York-Presbyterian Hospital and Columbia University
The New York-Presbyterian Hospital and Columbia University were involved in a joint incident involving a physician who had developed apps for both facilities. The breach happened when the physician attempted to deactivate a personally-owned computer server on the network that contained the NYP hospital’s patients’ ePHI. Due to a lack of technical safeguards, the server’s deactivation resulted in the ePHI being accessible via search engines. Both entities learned of the breach after an individual complained about finding information on Google regarding a deceased friend who had been a patient at NYP hospital. The entities submitted a joint breach report on September 27, 2010, explaining the breach resulting in 6,800 ePHIs containing patient status, Social Security numbers, vital signs, personal data, medications, and lab test results.
The OCR’s investigation found that, prior to the breach, neither institution made efforts to make sure the server was secure and had the appropriate safety protocols. Furthermore, the OCR determined that neither entity conducted thoughtful risk analysis on their systems nor took the necessary protective measures to secure their patients’ ePHIs. Additionally, the NYP hospital had consistently failed to implement robust policies and procedures for controlling access to its databases and could not comply with information access management policies. Failure to enforce these HIPAA requirements resulted in the lack of protection for patients’ ePHI and subsequent leaks. The violations resulted in NYP paying $3.3 million and CU paying $1.5 million. Both entities agreed to enforce the corrective measures that ensure the development of a risk management plan and protection of patient data.
HIPAA Fines: Final Thoughts
Although being HIPAA compliant, or hiring a HIPAA-savvy developer, may sound expensive, the truth is, there are considerable cost advantages to HIPAA compliance. Sure, HIPAA compliance may involve substantial initial costs. However, those costs pale compared to the costs associated with fines that stem from data breaches and regulatory violations. Additionally, HIPAA non-compliance means that you are not protecting your users’ personal and medical information, which could be truly damaging for healthcare developers. On top of that, you’re risking your company’s reputation, your business stability, and your employee retention, which can add up to significant expenses that go beyond regulatory fines.