HIPAA compliance, PHI, mobile app development and everything in-between

  • Last Updated on June 06, 2022

The internet has exposed us to threats and risks previously unheard of. Google knows more about me than my mom does.

Apps installed on my smartphone don’t work unless I enter my personal information.


I can count a hundred or so apps and websites that have my phone number, name and email address stored in their databases.

Of course, I trust those websites and apps. This is the reason I trust them with my personal information.

What concerns me is this: is my personal information in safe hands? What if somebody could breach their server and get access to my personal information?

He could sell it on the dark web to make some money. Are they taking enough measures to keep their database safe from intruders? What is the answer to ignorance?

I want to ask this question. Who is responsible if something like that happens? The government, the company, the cloud vendor, who??? Who is under legal obligation to answer me?


What happens in case my personal health information is at risk?

So, it goes like this. I trusted a mobile application with my personal information. It has my name, phone number, and address.

If, at any point in the future, their server gets breached and the hacker has access to the database, regardless of his intention.

I can always change my phone number and email, which again is not something I will be pleased with.

At least this makes sure the intruder can’t personally identify me and make me his victim.

However, this isn’t possible every time. How about when he has unauthorized access to my health information? It has everything from my allergies, conditions, past ailments, medical reports, etc.


This isn’t the sort of information I can go back and alter. The only line of defense is prevention; cure is out of the question in this scenario. HIPAA is a nice step in this direction.

Health Insurance Portability and Accountability Act (HIPAA)

HIPAA came around when the internet was still in its nascent stage. Java was in version 1.

Google was still building its iconic search engine. Steve Jobs had returned to Apple after many years in exile.

Before we understand HIPAA, let’s take a look at what Protected Health Information (PHI) is.

Protected health information (PHI)

Protected health information (PHI) under US law is any information about health status, provision of health care, or payment for health care that is created or collected by a Covered Entity (or a Business Associate of a Covered Entity), and can be linked to a specific individual.

Covered entities

Covered entities are (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which the Department of Health and Human Services (HHS) has adopted standards.

Business associate

A business associate is anyone who stores, collects, maintains, or transmits protected health information on behalf of a covered entity.


What accounts for HIPAA compliance?

The Privacy Rule and the Security Rule are the two rules that define HIPAA compliance for covered entities and business associates.

The Privacy Rule defines what qualifies as PHI, and who is responsible for ensuring that it is not disclosed improperly.

PHI is essentially any individually identifiable medical information transmitted through any medium.

This is not the only information a hospital or other care provider stores or transmits.

Again, any entity involved in the storage or transmission of this data is liable.

The Security Rule relates specifically to electronic information and sets guidelines for how to secure PHI.

It breaks down protection methods into three categories: administrative, physical, and technical.

The three categories are fairly straightforward: administrative revolves around access control and training, physical safeguards are for actual devices, and technical relates to the data itself.

mHealth apps, app developers and HIPAA compliance

Mobile health apps pose new challenges for adhering to HIPAA requirements for securing electronic Protected Health Information (PHI).

If you’re planning to build an mHealth app that will store and transmit PHI to a covered entity, you must be HIPAA compliant or you will incur the high costs of non-compliance.

HIPAA is costly

HIPAA compliance adds several additional layers of complexity, including defining and implementing Physical Safeguards, Technical Safeguards, Documentation Safeguards, Administrative Safeguards, and Breach Notification Rules.


Developing, documenting, implementing, and certifying all of these requirements takes months and could cost upwards of $100,000. Certification alone can be extremely costly.

The way around: pre-certified ‘aaS’ vendors


One way to lower the app development cost is to go to a cloud provider that has configured portions of the stack and pre-certified its services.

The important question is which type of cloud service reduces the most risk.

The first step is, of course, to ensure whichever “*aaS” you choose is HIPAA compliant and the cloud vendor or reseller is ready to sign a Business Associate Agreement (BAA) to back it up.

Is your app exempted?

Consumer mHealth apps that collect information such as calorie counts and weight-loss data typically don’t need to be compliant.

For example, Google Fit and the Apple Health app are not collecting any PHI, so HIPAA compliance is not necessary in these cases.


Developing HIPAA compliant mHealth applications

Whether they are developing for a covered entity or a BA, I’ve created a five-item checklist to guide developers as they build a mobile app that may fall in scope for HIPAA.

The nuances of HIPAA can get tricky, so make sure you consult an expert. Taking these items into account will by no means guarantee compliance.

But, if you follow these best practices and run your app through mobile app security testing to validate that you have, you’re at least part of the way there in terms of due diligence.

As you should when developing any app, make sure you conduct a circumspect and thoughtful review at every stage of development. Security should be a strategy, not an afterthought.

1. Hire a specialist

Hire a mobile app development company that has experience developing HIPAA compliant mobile apps; freelancers are a strict no-no.

2. Mitigate risks involved

  • Store only what you need
  • Write a clear privacy policy
  • Use a HIPAA compliant cloud stack
  • Do not store data on the device

3. Encrypt stored and transmitted data

Use App Transport Security (ATS) to force the mobile app to connect to back-end servers over HTTPS (with a valid SSL/TLS certificate) instead of HTTP, so that data in transit is encrypted.

Tip: SMS and MMS are not encrypted

4. Fortify app environment

Do not send push notifications containing PHI; they are insecure. The app’s local session must time out after a certain period of inactivity.

Isolate the app so that it is virtually invisible to other apps on the smartphone. Storing app data on the device, even logs, is a risk.

On iOS, you should certainly use the Secure Enclave to protect your encryption keys.
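
The session timeout called for above is easy to get subtly wrong (extending an already expired session, or leaving PHI cached in memory after expiry). The following is an added example, not code from the article; it is platform-neutral Python rather than Swift or Kotlin so the logic can be read and tested on its own. The timeout values are constructed defaults, and `ManualClock` exists only so expiry can be exercised without sleeping.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

# Constructed defaults (not from the article): a short idle timeout and a
# longer absolute lifetime; tune both to the app's own risk assessment.
IDLE_TIMEOUT_SECONDS = 5 * 60
ABSOLUTE_LIFETIME_SECONDS = 12 * 60 * 60


class ManualClock:
    """Test clock so expiry can be exercised without sleeping."""

    def __init__(self, start: float = 0.0) -> None:
        self.now = start

    def advance(self, seconds: float) -> None:
        self.now += seconds

    def __call__(self) -> float:
        return self.now


@dataclass
class PhiSession:
    """Local app session that keeps PHI in memory only while it is valid.

    The session expires on inactivity (idle timeout) and unconditionally after
    an absolute lifetime; either expiry discards the in-memory PHI cache.
    """

    clock: Callable[[], float] = time.monotonic
    idle_timeout: float = IDLE_TIMEOUT_SECONDS
    absolute_lifetime: float = ABSOLUTE_LIFETIME_SECONDS
    _started_at: Optional[float] = None
    _last_activity: Optional[float] = None
    _phi_cache: Dict[str, str] = field(default_factory=dict)

    def start(self) -> None:
        now = self.clock()
        self._started_at = now
        self._last_activity = now
        self._phi_cache = {}

    def is_active(self) -> bool:
        """True only if neither the idle timeout nor the absolute lifetime has passed."""
        if self._started_at is None or self._last_activity is None:
            return False
        now = self.clock()
        if now - self._last_activity > self.idle_timeout:
            return False
        return now - self._started_at <= self.absolute_lifetime

    def touch(self) -> bool:
        """Record user activity; an expired session is locked instead of extended."""
        if not self.is_active():
            self.lock()
            return False
        self._last_activity = self.clock()
        return True

    def cache_phi(self, key: str, value: str) -> bool:
        """Hold a PHI value in memory (never on disk) while the session is active."""
        if not self.touch():
            return False
        self._phi_cache[key] = value
        return True

    def read_phi(self, key: str) -> Optional[str]:
        """Return a cached value, or None once the session has expired."""
        if not self.touch():
            return None
        return self._phi_cache.get(key)

    def lock(self) -> None:
        """Expire the session and drop every cached PHI value."""
        self._started_at = None
        self._last_activity = None
        self._phi_cache.clear()

    def cached_item_count(self) -> int:
        return len(self._phi_cache)
```

Two design points matter here: `touch()` refuses to extend a session that has already expired, so a stale timer cannot be revived by a late tap, and every read path goes through `touch()`, so the first access after expiry wipes the cache instead of serving it. In a real app, `lock()` is also the place to call when the OS moves the app to the background.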

5. Security testing

  • Carry out dynamic and static application security tests
  • A third-party security audit of your app is required
  • Have a HIPAA expert review the app documentation
  • Penetration test after every update

Tips for managing PHI storage, transmission, and reception

At rest, on the device

Any PHI on the device must be encrypted, without exception. Android and iOS tend to store data on disk when the network is offline.

This will put you out of compliance and attract hefty fines and penalties.

In transit, from device to server

Use TLS and modern cipher suites. Certificate pinning is critical if the devices will operate in untrusted networks like public Wi-Fi, and is a good practice nonetheless.

To avoid man-in-the-middle attacks, perform hostname validation on the server certificate.
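
The "encrypt data in transit" item in the checklist and the in-transit tips above (TLS with modern cipher suites, hostname validation, certificate pinning) come down to a handful of client settings that are easy to get wrong. The block below is an added example in Python, not code from the article and not an iOS or Android API; it uses the standard `ssl` module to show the hardened client context next to the insecure shortcut, plus a leaf-certificate pin check. The hostnames, ports and fingerprint bytes are constructed for illustration.

```python
import hashlib
import hmac
import socket
import ssl
from typing import Iterable


def build_phi_transport_context() -> ssl.SSLContext:
    """Client TLS context for a PHI back end: TLS 1.2+, chain and hostname checks.

    This is what ATS enforces by default on iOS; elsewhere it must be set
    explicitly, as here.
    """
    ctx = ssl.create_default_context()      # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True               # reject certs issued for another host
    ctx.verify_mode = ssl.CERT_REQUIRED     # reject untrusted or self-signed chains
    return ctx


def build_insecure_context() -> ssl.SSLContext:
    """The shortcut that silently disables MITM protection; shown only for contrast."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False              # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_hardened(ctx: ssl.SSLContext) -> bool:
    """Pre-flight check a test suite can run against whatever context the app built."""
    return bool(
        ctx.check_hostname
        and ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    )


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded leaf certificate, hex-encoded."""
    return hashlib.sha256(der_cert).hexdigest()


def cert_is_pinned(der_cert: bytes, pins: Iterable[str]) -> bool:
    """Constant-time comparison of the leaf fingerprint against the pin set."""
    fp = cert_fingerprint(der_cert)
    return any(hmac.compare_digest(fp, pin.lower()) for pin in pins)


def open_pinned_connection(host: str, port: int, pins: Iterable[str],
                           timeout: float = 10.0) -> ssl.SSLSocket:
    """Connect, let the TLS stack verify chain and hostname, then enforce the pin."""
    ctx = build_phi_transport_context()
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host)  # hostname check happens here
    except ssl.SSLError:
        raw.close()
        raise
    der = tls.getpeercert(binary_form=True)
    if der is None or not cert_is_pinned(der, pins):
        tls.close()
        raise ssl.SSLError("leaf certificate does not match any pinned fingerprint")
    return tls
```

Usage would be `open_pinned_connection("api.example-clinic.test", 443, ["<hex fingerprint>"])` with a constructed hostname and the real fingerprint of the deployed certificate. Note the order of operations: the pin is checked only after the normal chain and hostname verification has passed, so pinning adds to, rather than replaces, those checks. Pinning the whole leaf certificate, as here, means every certificate renewal requires an app update; pinning the public key (SPKI) instead, and shipping at least one backup pin, avoids bricking clients when the certificate rotates.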

Server side

Once your data has securely entered server storage, there is a whole range of concerns around encryption, key management, key rotation, encrypted backups, audit logging, etc., if you are inexperienced.
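
Of the server-side concerns listed above, audit logging is the one that is most often implemented as a plain table that anyone with database access can edit. The following is an added example, not code from the article, of a tamper-evident PHI access log: each entry is HMAC-chained to the one before it, so an edited, reordered or removed entry breaks verification from that point on. The key, actor names and patient identifiers are constructed placeholders.

```python
import hashlib
import hmac
import json
import time
from typing import Callable, Dict, List, Optional

# Constructed demo key (not from the article). In production the key comes
# from a KMS or HSM, is rotated, and never sits next to the log it protects.
DEMO_AUDIT_KEY = b"constructed-audit-log-key-not-for-production"
GENESIS_MAC = "0" * 64


def _canonical(body: Dict) -> bytes:
    """Stable serialisation so the MAC does not depend on dict ordering."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")


def _entry_mac(key: bytes, body: Dict) -> str:
    return hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()


class PhiAuditLog:
    """Append-only, tamper-evident record of who touched which patient's PHI and why.

    Every entry MACs its own fields plus the previous entry's MAC, so editing,
    reordering or deleting an earlier entry invalidates everything after it.
    """

    def __init__(self, key: bytes, clock: Callable[[], float] = time.time) -> None:
        self._key = key
        self._clock = clock
        self._entries: List[Dict] = []

    def record(self, actor: str, action: str, patient_id: str, purpose: str) -> Dict:
        prev_mac = self._entries[-1]["mac"] if self._entries else GENESIS_MAC
        body = {
            "seq": len(self._entries),
            "ts": self._clock(),
            "actor": actor,
            "action": action,          # e.g. "read", "update", "export"
            "patient_id": patient_id,  # an opaque identifier, never the PHI itself
            "purpose": purpose,        # treatment, payment, operations, ...
            "prev_mac": prev_mac,
        }
        entry = dict(body, mac=_entry_mac(self._key, body))
        self._entries.append(entry)
        return entry

    def entries(self) -> List[Dict]:
        """Copy of the log, as it would be handed to an auditor or shipped off-box."""
        return [dict(e) for e in self._entries]


def verify_chain(entries: List[Dict], key: bytes) -> Optional[int]:
    """Return None if the chain is intact, otherwise the index of the first bad entry."""
    prev_mac = GENESIS_MAC
    for i, entry in enumerate(entries):
        body = {k: v for k, v in entry.items() if k != "mac"}
        if body.get("seq") != i or body.get("prev_mac") != prev_mac:
            return i
        if not hmac.compare_digest(_entry_mac(key, body), entry.get("mac", "")):
            return i
        prev_mac = entry["mac"]
    return None
```

Two caveats a reviewer would raise: the chain cannot detect truncation of its tail (dropping the newest entries leaves a valid shorter chain), so the latest MAC should be periodically anchored somewhere the application cannot overwrite, such as write-once storage or a separate logging account; and when the audit key is rotated, entries need to carry a key identifier so old segments can still be verified with the key that signed them.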

Violations and penalties

Business Associates are subject to HIPAA regulations as much as Covered Entities.

The consequences for HIPAA violations include penalties and obligatory remedial actions.

Civil penalties range from $100 to $50,000 per violation depending on the intent (carelessness vs. deliberateness).

In a recent case of negligence, a Business Associate’s stolen smartphone leaked 412 individuals’ PHI. The Business Associate was fined $650,000.

There is also a maximum annual amount of $1.5 million for each type of violation.

However, the real monetary exposure depends entirely on what the regulators find in the violations, the intent behind them, and how the regulators decide to assess them.

For example, if there is a breach and the regulators find that HIPAA has been violated, those violations could be counted once for each individual whose information was breached.

However, if the regulators do an audit and find deficiencies in the company’s policies and procedures, they might not impose any penalty and only suggest a corrective plan of action.


Tej Chalishazar

Tej is an experienced project manager with huge experience in mobile app development. He has worked on a lot of projects for various companies, ranging from startups to large corporations, and has successfully managed multiple projects from inception to launch. With a strong background in software development and project management methodologies, he is able to effectively communicate with cross-functional teams and stakeholders to ensure that projects are delivered successfully.
