HIPAA Rules & Regulations for Medical Apps

The future looks bright for the health care app market, but before developers forge ahead, it’s vital to become familiar with how HIPAA policies apply to mobile medical applications.

Consumers are turning to mobile apps to help them manage tasks like banking, shopping, and, increasingly, health care. In fact, by 2017, users could access nearly 320,000 health care apps, according to research conducted by The Iqvia Institute. 

It’s impossible to estimate how many of those apps were HIPAA compliant, but rest assured, developers who pushed out non-compliant apps could have faced fines and the removal of their products from the marketplace. 

This article will explain how HIPAA regulations apply to mobile medical apps and the steps developers can take to ensure their products comply.

What is HIPAA?

The HIPAA acronym is used as shorthand for the Health Insurance Portability and Accountability Act of 1996, a law related to health care data privacy and security. The law primarily focuses on how businesses are allowed to use and store protected health information (PHI). HIPAA standards must be considered, from various angles, throughout the development and evolution of mobile medical apps. 


Here are a few key terms found throughout HIPAA standards:

Protected health information (PHI)

PHI data includes patient care or treatment records, payment data, patient medical information and identifying information like names, dates of birth and geographical information.

Covered entities

These are entities that must adhere to HIPAA guidelines, including health care providers, health plans and health care clearinghouses. Covered Entities are also responsible for ensuring their business associates comply with HIPAA. 

Business associates

Business Associates work with Covered Entities, usually managing data or assisting Covered Entities as they provide care. Even if a business associate itself is not centered on health care, they still need to comply with HIPAA. 

A doctor goes over a form with a patient. Courtesy Adobe.

Main HIPAA components

HIPAA primarily focuses on five components:

  1. Health care access

  2. Health care fraud prevention

  3. Tax-related health provisions

  4. Oversight of group health insurance requirements

  5. Revenue offset for employees

Medical mobile applications HIPAA checklist

Complying with HIPAA can become challenging for developers working on multi-faceted apps with overlapping compliance challenges or new-to-market ideas that haven’t been vetted by the U.S. Department of Health and Human Services (HHS). A proactive approach might include a checklist of HIPAA-related tasks during the early development stages. For example, a high-level HIPAA checklist might include:

  1. Partner with an experienced HIPAA attorney or consultant.

  2. Consider HIPAA compliance as third-party vendors are selected.

  3. Determine how PHI will be encrypted, stored and transmitted.

  4. Start drafting a comprehensive privacy policy. 

  5. Work to incorporate safeguards like automatic time-outs when users stop interacting with the app.

  6. Develop a set of best practices for handling development issues that deal with PHI in any capacity.

HIPAA enforcement

Each developer will have a unique checklist centered on HIPAA compliance. The main goal for any such list is to protect private health data. In some cases, achieving this goal may mean significant reworking of app components, but in the long run, this preliminary work will pay off. Non-compliance can result in eye-popping fines and sanctions enforced by HHS. 

HHS enforces HIPAA compliance by issuing significant penalties for medical app developers who fail to meet the requirements. These can include fines for unauthorized disclosures of PHI (data breaches) or, in some cases, fines for non-compliant HIPAA apps where no breach has occurred. 

Which apps are subject to HIPAA?

Before embarking on a new application development cycle or making significant changes to an existing mobile medical app, developers should assess whether their apps will actually be subject to HIPAA regulations. In many cases, these standards do not apply.

Here are a few questions development teams can use to determine whether HIPAA compliance will be required. These overarching questions can help developers as they make decisions about app functions and features.

What is the nature and purpose of the app? 

Apps that collect PHI that is accessible only by the user may not be subject to HIPAA compliance. However, apps that collect PHI and transmit it to Covered Entities are subject to HIPAA regulations.

Will personal data be shared with medical staff or another HIPAA covered entity? 

Apps that connect users to their health care insurance policies would be subject to HIPAA, for example, because health care insurers are always considered Covered Entities. The data collected by health care insurance apps is considered to be PHI and therefore subject to HIPAA. 

Does the app store personal health data in the cloud?

There’s a good chance that an app that collects PHI and sends it to the cloud for storage or database functions is subject to HIPAA. This situation can become complicated for developers who partner with cloud-based, third-party solutions for various functions. Even when the vendors in this scenario are not in the medical field, they must comply with HIPAA requirements. 

Many mobile medical apps are not subject to HIPAA, though protecting user data should always be front and center. Data-protection obligations extend well beyond this one set of standards. 

Users also expect companies to protect their data and to be held accountable for how they handle it: according to a 2020 Consumer Reports study, 96% of Americans agree that more should be done to ensure that companies protect the privacy of consumers. 

What does it mean to be HIPAA compliant?

For mobile medical apps, being HIPAA compliant means meeting the requirements set out in the HIPAA Security Rule. The Security Rule sets standards for app development considerations, including:

  • Administrative functions

  • Physical safeguards like ensuring servers storing PHI are kept in secure areas

  • Organizational safeguards

On the technical side, the Security Rule identifies specific policies and procedures related to protecting electronic PHI (ePHI) across several security-related categories:

  • Access control

  • Audit controls

  • Authentication

  • Security around data transmission

  • Data integrity
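The technical safeguard categories above map onto concrete controls in an app's PHI access layer. The following Python sketch is an added illustration, not code from this article or from HHS; every name, role, credential and the 300-second idle limit are assumed values. It combines password authentication, role-based access control, an audit trail of every access attempt, an HMAC integrity check on stored records, and the automatic time-out from the checklist earlier; transmission security is left to TLS and is not shown.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field

INTEGRITY_KEY = b"demo-integrity-key"  # constructed; a real deployment loads secrets from a managed store
IDLE_TIMEOUT_S = 300  # assumed automatic time-out: 5 minutes without activity
ROLE_PERMISSIONS = {"clinician": {"read", "write"}, "front_desk": set()}
def _pw_hash(password: str) -> bytes:  # demo salt is constructed; use a per-user random salt in practice
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"demo-salt", 100_000)
# Constructed user table: username -> (role, hash of the demo password "correct horse")
USERS = {"dr_lee": ("clinician", _pw_hash("correct horse")), "desk1": ("front_desk", _pw_hash("correct horse"))}

@dataclass
class Session:
    user: str
    role: str
    last_active: float  # seconds; the caller supplies the clock so behaviour is deterministic

@dataclass
class PhiStore:
    records: dict = field(default_factory=dict)  # patient_id -> (payload, mac)
    audit: list = field(default_factory=list)    # audit control: every access attempt is logged
    def login(self, user: str, password: str, now: float) -> Session:
        role, stored = USERS.get(user, (None, b""))  # authentication: constant-time hash compare
        if role is None or not hmac.compare_digest(stored, _pw_hash(password)):
            self.audit.append(("LOGIN_FAILED", user, None))
            raise PermissionError("bad credentials")
        self.audit.append(("LOGIN", user, None))
        return Session(user, role, now)
    def _authorize(self, s: Session, action: str, patient_id: str, now: float) -> None:
        if now - s.last_active > IDLE_TIMEOUT_S:  # automatic time-out safeguard
            self.audit.append(("SESSION_EXPIRED", s.user, patient_id))
            raise PermissionError("session timed out; log in again")
        s.last_active = now
        if action not in ROLE_PERMISSIONS[s.role]:  # access control by role
            self.audit.append(("DENIED_" + action.upper(), s.user, patient_id))
            raise PermissionError(f"role {s.role} may not {action} PHI")
        self.audit.append((action.upper(), s.user, patient_id))
    def write(self, s: Session, patient_id: str, record: dict, now: float) -> None:
        self._authorize(s, "write", patient_id, now)
        payload = json.dumps(record, sort_keys=True).encode()
        self.records[patient_id] = (payload, hmac.new(INTEGRITY_KEY, payload, hashlib.sha256).hexdigest())
    def read(self, s: Session, patient_id: str, now: float) -> dict:
        self._authorize(s, "read", patient_id, now)
        payload, mac = self.records[patient_id]
        if not hmac.compare_digest(mac, hmac.new(INTEGRITY_KEY, payload, hashlib.sha256).hexdigest()):
            self.audit.append(("INTEGRITY_FAILURE", s.user, patient_id))  # data integrity check failed
            raise ValueError("record integrity check failed")
        return json.loads(payload)
```

A real app would also encrypt the stored payload and rotate the keys; the audit list stands in for an append-only log that reviewers can query.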

It’s important to keep in mind that apps hosted in HIPAA-compliant environments are not automatically HIPAA compliant. 

HHS provides a helpful list of resources relevant to compliance and mobile medical app development, including specific topics like API usage and cloud-based service providers. 

Staying HIPAA compliant 

Developers who carefully consider HIPAA regulations as they work toward deployment and approach projects with a proactive mindset will be ahead of the game when it comes to staying HIPAA compliant. 

While the regulations can be complex to interpret, many of the requirements laid out in HIPAA can be avoided when developers adjust an app's design so that it handles less PHI. It’s a smart idea to consult with a HIPAA expert when embarking on any mobile medical app, and a necessity when an app’s central function revolves around PHI. 

At a high level, HIPAA is intended to protect private health data. This is a worthy goal for every organization developing health care and wellness apps.
