Blog Post

4 points when building a healthcare app

By Oscar Gallo

In this short guide, you will learn a few points to consider when building a healthcare app, so let's start!

1 - Identify the Protected Health Information

Protected health information (PHI) is any demographic information that can be used to identify a patient or client of an entity subject to HIPAA. Common examples of PHI include names, addresses, phone numbers, Social Security numbers, medical records, financial information, and full facial photos, to name a few.

PHI that is transmitted, stored, or accessed electronically falls under the HIPAA regulatory standards and is known as "electronic" protected health information, or ePHI.

2 - HIPAA compliance

What is HIPAA? HIPAA is a set of regulatory standards that outline the lawful use and disclosure of protected health information.

HIPAA has several rules that we need to consider when building an app or web app for the healthcare industry.

These are the HIPAA rules you need to comply with.

HIPAA Privacy Rule

The HIPAA Privacy Rule sets national standards for patients' rights regarding their protected health information.

The HIPAA Privacy Rule only applies to covered entities, not business associates. Some of the standards described by the HIPAA Privacy Rule cover:

  • Patients' rights to access protected health information.

  • Health care providers' rights to deny access to protected health information, the contents of Use and Disclosure forms, and Notices of Privacy Practices.

  • And more.

Your business should document the standards in the organization's HIPAA Policies and Procedures. All employees must be trained on these Policies and Procedures annually, with written attestation.

HIPAA Breach Notification Rule

The HIPAA Breach Notification Rule is a set of standards that covered entities and business associates must follow in the event of a data breach involving PHI or ePHI.

The Rule differentiates between two kinds of security breaches depending on their scope and size, called "Minor Breaches" and "Meaningful Breaches."

Organizations are required to report all breaches, regardless of size, to HHS OCR, but the specific reporting protocol changes depending on the type of security breach.

HIPAA Security Rule

The HIPAA Security Rule is the national standard for the secure maintenance, transmission, and handling of ePHI.

The HIPAA Security Rule applies to both covered entities and business associates because either may share ePHI. The Security Rule outlines standards for the integrity and safety of ePHI, including the physical, administrative, and technical safeguards that must be in place in any health care organization.

HIPAA Omnibus Rule

The HIPAA Omnibus Rule is an addendum that extends HIPAA to business associates.

The HIPAA Omnibus Rule mandates that business associates be HIPAA compliant and outlines the rules surrounding Business Associate Agreements (BAAs). Business Associate Agreements are contracts that must be executed between a covered entity and a business associate, or between two business associates, before any PHI or ePHI can be transferred or shared.

3 - HIPAA compliant server

Suppose you're building an app that uses personal health data, and you're doing business in the US. In that case, you must use servers that are fully compliant with HIPAA.

Not all servers are created equal. When it comes to storing data in the cloud, we need to be careful. Services like Google Cloud and AWS are not HIPAA compliant by default, which can cause legal problems.

A few cloud services we recommend:

  • AWS HIPAA Hosting (this is not the regular AWS).

  • RackSpace.

  • Armor.

  • Truevalt.

4 - Do not share important data

Sometimes, after working on a healthcare project for a while, we tend to relax a little, thinking that since we have a HIPAA compliant server and have taken all the precautions, everything will be fine.

Sending data via email is possible but not recommended. While there are robust email services like Proton Mail, most of your users use Google Email with a password like "HelloHello123". So if you're going to send a document, try not to include essential data protected by HIPAA.

If your software connects to a hospital database, don't send any data via FTP. Plain FTP connections have no security (credentials and file contents travel in cleartext) and will give you problems and data leaks.
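As an added illustration of points 1 and 4 (this is example code, not code from the original post), the Python helper below refuses to export a record to an unencrypted destination such as ftp:// and redacts the PHI identifiers named above before a summary leaves the system by email or upload. The field names, the regular expressions and the sample record are assumptions made for this example; a real app would derive them from its own data model.

```python
import re
from urllib.parse import urlparse

# Constructed schema for this example: keys that hold the PHI identifiers the
# post names (names, addresses, phone numbers, SSNs, medical records, photos).
PHI_KEYS = {"name", "address", "phone", "ssn", "medical_record", "photo"}

# Free-text fields often carry PHI by accident; these patterns catch two
# identifier formats that are easy to recognise (US SSN and US phone number).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
PHONE_RE = re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b")

# Only transports that encrypt in transit are allowed; ftp:// and http:// are refused.
ENCRYPTED_SCHEMES = {"https", "sftp", "ftps"}


class InsecureTransportError(ValueError):
    """Raised when PHI would leave the system over an unencrypted channel."""


def check_transport(url: str) -> str:
    """Return url unchanged if its scheme encrypts in transit, otherwise raise."""
    scheme = urlparse(url).scheme.lower()
    if scheme not in ENCRYPTED_SCHEMES:
        raise InsecureTransportError(f"refusing to send PHI over '{scheme or 'unknown'}'")
    return url


def redact_phi(value):
    """Return a copy with PHI keys replaced and identifier-looking strings masked.

    Recurses through nested dicts and lists so PHI inside sub-records is caught too.
    """
    if isinstance(value, dict):
        return {k: "[REDACTED]" if k.lower() in PHI_KEYS else redact_phi(v)
                for k, v in value.items()}
    if isinstance(value, list):
        return [redact_phi(v) for v in value]
    if isinstance(value, str):
        value = SSN_RE.sub("[SSN]", value)
        return PHONE_RE.sub("[PHONE]", value)
    return value


def export_summary(record: dict, destination: str) -> dict:
    """Build the reduced document that may be emailed or uploaded to destination."""
    check_transport(destination)
    return redact_phi(record)


if __name__ == "__main__":
    # Constructed sample record, not real patient data.
    sample = {"patient_id": "P-1001", "name": "Jane Doe", "ssn": "123-45-6789",
              "notes": "Call back at 555-123-4567; SSN on file is 123-45-6789."}
    print(export_summary(sample, "sftp://records.example.org/out"))
```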