Health and wellness apps are making it easier for consumers to access medical information using their mobile apps. From tracking and monitoring general health information to keeping important medical records, mobile apps are playing a critical role in the healthcare industry.
From a provider perspective, efficient use of mobile apps provides real-time care that helps both patients and doctors make faster decisions. However, keeping consumer information secure and in compliance with the Health Insurance Portability and Accountability Act (HIPAA) can be daunting.
In this post, we give an overview of HIPAA rules as they apply to mobile app publishers and the measures you can take to be compliant.
HIPAA has several facets, and it’s important to identify the list of applicable rules for your business. CleverTap recommends app publishers familiarize themselves with HIPAA laws and build their applications in a manner that remains compliant.
What is HIPAA? And What’s Considered Private Health Information (PHI)?
Health Insurance Portability and Accountability Act (HIPAA) is a U.S. national standard for electronic health care transactions and lays down rules for collecting, storing, and processing unique health identifiers. It protects private health information (PHI) and affects how it is accessed, stored, and shared to give patients rights to their health information.
PHI is any information that can be used to identify an individual seeking health care. It includes identity information, medical records, conversations with doctors and other healthcare professionals, and billing information that carries patient-identifiable details. Examples of PHI include patient name, address, dates (birth, admittance, discharge), medical record numbers, account numbers, and email addresses.
Who Needs to be HIPAA Compliant?
Any organization that falls under the definition of covered entity under HIPAA has to comply. Covered entities include health care providers, health plans, and health care clearinghouses that electronically store and transmit any health information. If these entities create their own mobile applications that collect, store, or use PHI, then these mobile apps must be HIPAA compliant.
A business associate is anyone who collects, stores, maintains, or transmits any PHI on behalf of a covered entity. Most businesses that provide services that manage or use PHI for covered entities are included in this category. These are contractors, subcontractors, and other companies that are not employed by a covered entity but still need to access health information when offering their services to a covered entity. You can find more information on this on the official US Department of Health & Human Services website.
Within the purview of the HIPAA privacy rule, CleverTap is neither a covered entity nor a business associate.
How Does HIPAA Apply to Mobile App Publishers?
If a mobile app is created by a covered entity, or if a mobile app developer offers an app that handles PHI for a covered entity, then that makes the app publisher a business associate.
For example, a health app where information is automatically entered into the healthcare provider’s electronic health record (EHR) needs to be HIPAA compliant.
On the other hand, a mobile app that requires users to input their own health information may not be required to be HIPAA compliant. For example, an app used by patients to voluntarily input and monitor their diabetes information without any involvement of a healthcare provider is likely not required to be HIPAA compliant.
If you are a covered entity that entrusts PHI to a third party vendor or service provider, then you are required to have a Business Associate Agreement (BAA) in place. The BAA is a contract that ensures that the business associates will take the necessary measures to safeguard PHI, and regulates the use of PHI by the business associate.
How CleverTap Customers Address HIPAA Compliance Within their Marketing Organizations
Several healthcare companies leverage user behavior data in their marketing campaigns to acquire and engage users via email, push notifications, and social media. When users sign up for a healthcare service, they expect personalized communications, such as appointment confirmations and service notifications.
While companies use certain data to make their marketing campaigns more effective, the use of private patient data is not allowed. HIPAA prohibits healthcare companies from using private patient information to promote their products or services without written permission from the patient, and the patient may revoke that permission at their discretion. Performing due diligence while developing your app can help ensure that your app stays HIPAA compliant.
- Avoid sending or storing PHI: CleverTap has seen customers build HIPAA compliant use cases by ensuring that there is no sensitive information, specifically PHI, being processed, stored, or transmitted to CleverTap. That is the easiest way to adhere to the HIPAA privacy rule. Companies can still store behavioral data such as app launched, appointment scheduled, and payment submitted on a platform like CleverTap to make their marketing campaigns more relevant.
- Do not use PHI for marketing campaigns: A good rule of thumb is to make sure marketing messages do not use any PHI to identify or disclose sensitive information across channels that are not HIPAA compliant. For example, do not send health conditions in your appointment confirmation text message. Simply send a reminder of the time and place. Likewise, avoid specifying prescriptions used or physician names in your push notifications or in-app messages.
- Use separate systems for marketing and patient data: Another best practice for companies is to make sure marketing teams are well-versed in compliance and are taking measures to keep online marketing data separate from patient data. One option is to use different systems to collect marketing data such as name, email, and phone number from customers so that the information is strictly marketing oriented.
- Use encrypted channels to store and transmit PHI data: As an industry best practice, mobile app publishers must make sure that PHI data is not stored or transmitted over unencrypted channels.
- Ensure cloud storage compliance: If an app has its data stored in the cloud, app publishers should verify that the hosting provider meets HIPAA requirements. For example, if you are using Amazon Web Services (AWS) as your cloud service provider, ensure that all the AWS services that are used are HIPAA eligible.
Amazon provides an AWS Business Associate Addendum (AWS BAA), available through a self-service portal on AWS, for running HIPAA-sensitive workloads. Once the AWS services an app relies on are covered by the AWS BAA, the app publisher can process and transmit PHI through those services.
- Use Two-factor Authentication (2FA): Two-factor Authentication (2FA) requires users to present, in addition to their password, a second factor that only they possess. 2FA reduces the risk that a stolen or guessed password alone exposes user information and ensures a strong authentication process is in place.
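The first two practices above, keeping PHI out of the marketing platform and limiting forwarded events to behavioral data, come down to one gate in the app: only allow-listed events with allow-listed, non-PHI properties are handed to the analytics or messaging SDK. The following is an added example of such a gate, not CleverTap SDK code or code from the original post. The event names, property keys, PHI patterns, and the sample appointment payload are constructed for illustration; the sink callback stands in for whatever SDK call your app uses.

```javascript
// Added example (not CleverTap's SDK): a client-side gate that forwards only
// allow-listed behavioral events, stripped of anything that looks like PHI,
// to a marketing/analytics sink. All names and keys here are constructed.

// Per-event allowlist of property keys that are safe to forward. Anything
// not listed is dropped, so a new field added to the app cannot leak by default.
const EVENT_ALLOWLIST = {
  "App Launched": new Set(["platform", "app_version"]),
  "Appointment Scheduled": new Set(["appointment_ts", "clinic_id", "channel"]),
  "Payment Submitted": new Set(["amount_cents", "currency", "method"]),
};

// Property names that denote PHI or direct identifiers (the HIPAA examples
// cited above: names, addresses, dates of birth, record and account numbers,
// contact details, plus clinical detail). Rejected even if allow-listed.
const PHI_KEY_PATTERN =
  /(name|address|dob|birth|diagnosis|condition|prescription|physician|mrn|medical_record|account|email|phone|ssn)/i;

// Value shapes that look like direct identifiers: defense in depth for the
// case where PHI ends up in an innocuously named property.
const PHI_VALUE_PATTERNS = [
  /[^\s@]+@[^\s@]+\.[^\s@]+/,          // email address
  /\b\d{3}[-.\s]?\d{3}[-.\s]?\d{4}\b/, // US phone number
  /\b\d{3}-\d{2}-\d{4}\b/,             // SSN-shaped
];

// Returns { ok, event, dropped } or { ok: false, reason, dropped }.
// `dropped` lists the keys that were withheld so the app can log them for
// review without ever logging their values.
function sanitizeEvent(name, props) {
  const allowed = EVENT_ALLOWLIST[name];
  if (!allowed) {
    return { ok: false, reason: `event "${name}" is not allow-listed`, dropped: Object.keys(props) };
  }
  const clean = {};
  const dropped = [];
  for (const [key, value] of Object.entries(props)) {
    const text = String(value);
    const keyLooksLikePhi = PHI_KEY_PATTERN.test(key);
    const valueLooksLikePhi = PHI_VALUE_PATTERNS.some((p) => p.test(text));
    if (!allowed.has(key) || keyLooksLikePhi || valueLooksLikePhi) {
      dropped.push(key);
      continue;
    }
    clean[key] = value;
  }
  return { ok: true, event: { name, props: clean }, dropped };
}

// Wraps the SDK call: the sink only ever sees sanitized events.
// Returns the sanitize result so callers can audit what was withheld.
function forwardEvent(name, props, sink) {
  const result = sanitizeEvent(name, props);
  if (result.ok) sink(result.event.name, result.event.props);
  return result;
}

// Constructed sample: a scheduling flow that would leak PHI without the gate.
const SAMPLE_APPOINTMENT_PROPS = {
  appointment_ts: "2024-05-03T09:30:00Z",
  clinic_id: "clinic-042",
  channel: "ios",
  patient_email: "jane@example.com", // dropped by key and by value shape
  diagnosis: "Type 2 diabetes",      // dropped by key
  notes: "call 555-123-4567",        // not allow-listed; also phone-shaped
};

const forwarded = [];
const demo = forwardEvent("Appointment Scheduled", SAMPLE_APPOINTMENT_PROPS,
  (n, p) => forwarded.push({ n, p }));
console.log(JSON.stringify(demo.event), "withheld:", demo.dropped.join(", "));
```

The allowlist is deliberately per event rather than global: an `amount_cents` field is fine on a payment event but has no business on a scheduling event. Logging only the dropped key names, never their values, keeps the audit trail itself free of PHI.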
Building a Secure, HIPAA-Compliant Healthcare Experience
HIPAA compliance is an opportunity for marketing and compliance functions to come together and build a positive brand experience for patients.
Data-driven marketers can strengthen relationships with their customers while ensuring that they incorporate the appropriate regulations in their workflows.
CleverTap recommends that customers seek legal guidance for any compliance-related questions that apply to their applications. CleverTap does not offer legal advice, and it is up to the customer to identify the applicable laws and their nuances to determine how best to architect their application to comply with the HIPAA regulation.