Health and wellness apps are making it easier for consumers to access medical information using their mobile apps. From tracking and monitoring general health information to keeping important medical records, mobile apps are playing a critical role in the healthcare industry.
From a provider perspective, efficient use of mobile apps provides real-time care that helps both patients and doctors make faster decisions. However, keeping consumer information secure and in compliance with the Health Insurance Portability and Accountability Act (HIPAA) can be daunting.
In this post, we give an overview of HIPAA rules as they apply to mobile app publishers and the measures you can take to be compliant.
HIPAA has several facets, and it’s important to identify the list of applicable rules for your business. CleverTap recommends app publishers familiarize themselves with HIPAA laws and build their applications in a manner that remains compliant.
The Health Insurance Portability and Accountability Act (HIPAA) is a U.S. national standard for electronic health care transactions that lays down rules for collecting, storing, and processing unique health identifiers. It protects protected health information (PHI) and governs how PHI is accessed, stored, and shared, giving patients rights over their own health information.
PHI is any information that can be used to identify an individual seeking health care. It includes identity information, medical records, conversations with doctors and other healthcare professionals, and billing information that carries patient-identifiable details. Examples of PHI include patient name, address, dates (birth, admittance, discharge), medical record numbers, account numbers, and email addresses.
Any organization that falls under the definition of a covered entity under HIPAA has to comply. Covered entities include health care providers, health plans, and health care clearinghouses that electronically store and transmit any health information. If these entities create their own mobile applications that collect, store, or use PHI, then those mobile apps must be HIPAA compliant.
A business associate is anyone who collects, stores, maintains, or transmits any PHI on behalf of a covered entity. Most businesses that provide services that manage or use PHI for covered entities are included in this category. These are contractors, subcontractors, and other companies that are not employed by a covered entity but still need to access health information when offering their services to a covered entity. You can find more information on this on the official US Department of Health & Human Services website.
Within the purview of the HIPAA privacy rule, CleverTap is neither a covered entity nor a business associate.
If a mobile app is created by a covered entity, or if a mobile app developer offers an app that handles PHI for a covered entity, then that makes the app publisher a business associate.
For example, a health app where information is automatically entered into the healthcare provider’s electronic health record (EHR) needs to be HIPAA compliant.
On the other hand, a mobile app that requires users to input their own health information may not be required to be HIPAA compliant. For example, an app used by patients to voluntarily input and monitor their diabetes information without any involvement of a healthcare provider is likely not required to be HIPAA compliant.
If you are a covered entity that entrusts PHI to a third-party vendor or service provider, then you are required to have a Business Associate Agreement (BAA) in place. The BAA is a contract that ensures the business associate will take the necessary measures to safeguard PHI, and it regulates how the business associate may use that PHI.
Several healthcare companies leverage user behavior data in their marketing campaigns to acquire and engage users via email, push notifications, and social media. When users sign up for a healthcare service, they expect personalized communications, such as appointment confirmations and service notifications.
While companies use certain data to make their marketing campaigns more effective, the use of private patient data for this purpose is not allowed. HIPAA prohibits healthcare companies from using private patient information to promote their products or services without written permission from the patient, and the patient may revoke that permission at their discretion. Performing due diligence while developing your app can help ensure that it stays HIPAA compliant.
Amazon provides an AWS Business Associate Addendum (AWS BAA), available through a self-service portal on AWS, for running HIPAA-sensitive workloads. Once a service is covered by the AWS BAA, a customer can use that service to process and transmit PHI from their mobile app.
HIPAA compliance is an opportunity for marketing and compliance functions to come together and build a positive brand experience for patients.
Data-driven marketers can strengthen relationships with their customers while ensuring that they incorporate the appropriate regulations in their workflows.
CleverTap recommends that customers seek legal guidance for any compliance-related questions that apply to their applications. CleverTap does not offer legal advice, and it is up to the customer to identify the applicable laws and their nuances in order to determine how best to architect their application to comply with HIPAA regulations.