How to Build a Web App That Properly Secures Customer PHI

By Joshua Gross, 28 January, 2023

If you're planning on creating a healthcare web app, it's absolutely essential that it properly secures customer PHI. The cost of noncompliance with HIPAA can be completely crippling to a company, with penalties ranging from a mere $100 to $50,000 per individual violation. The maximum penalty per calendar year is $1.5 million.

Beyond that, the individual that is responsible for the violation can even face jail time. The penalties for HIPAA noncompliance are based on the perceived level of negligence.

Even if you aren't disturbed by the numbers in play here, HIPAA violations also put your customers' personal and private data at risk. For this reason alone, anyone considering building an mHealth web or mobile app should ensure that they can fully comply with the HIPAA rules and guidelines.

What Is PHI?

PHI stands for protected health information. This refers to any information about medical status, health care, or payment information for any type of health services created, transferred, or stored by a Business Associate or Covered Entity that can be connected to somebody who received or sought medical services.

Ok, that's obviously quite the mouthful.

In short, protected health information is individually identifiable health information that is maintained or transmitted in any form. Individually identifiable health information can be defined as any data that relates to the physical or mental health of a person, including demographic data, or information about their payment that identifies the person who sought care.

Anything from a patient's home address to their medical records falls under protected health information. Anyone who comes into contact with this information has a responsibility to safeguard the privacy of the individual and follow very specific rules about how the information is used and disclosed.

Here is a list of identifiers that are considered pieces of personal health information:

  • Names
  • Telephone numbers
  • Dates, except the year
  • Fax numbers
  • Geographic data
  • Email addresses
  • Account numbers
  • Medical record numbers
  • Social security numbers
  • Vehicle identifiers (including license plates) and serial numbers
  • Certificate/license numbers
  • Health plan beneficiary numbers
  • Internet protocol addresses
  • Web URLs
  • Device serial numbers and identifiers
  • Biometric identifiers (such as fingerprints or retinal scans)
  • Full-face photos or other comparable images
  • Unique identifying codes or numbers of any kind

When we say "anyone who comes into contact with this information," we really mean that. We're not just talking about doctors or nurses here; bill collectors, medical practice administrators, and even a hospital's cleaning and maintenance staff are bound by these rules. Any medical or healthcare-related app you create must properly secure customer PHI.

The term "covered entities" refers to anyone who provides health plans, anyone who provides healthcare and uses medical software to manage and transfer PHI, and healthcare institutions.

The term "business associates" refers to anyone who gathers, stores, or transmits personal health information on behalf of one of the covered entities described above.

All that being said, it's worth busting a common myth about PHI before we continue on. There is a notion that any and all health information is considered personal health information, which simply isn't the case.

For example, let's say you are making a fitness tracker app that records the heart rate of individuals during their workouts. This isn't considered PHI because the information wasn't acquired by a healthcare provider or one of their business associates.

The market value of the mHealth industry experienced a massive surge after the outbreak of the coronavirus pandemic, and many IT startups have thrown their hat in the ring to create healthcare apps. If you're looking for a full primer on developing a mobile healthcare app, this guide goes over the cost, tips, compliance issues, and more.

What Is HIPAA?

HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. This federal law came into being to protect patients' sensitive health information and ensure that private info wasn't disclosed without the individual knowing or having the opportunity to consent.

There are four main purposes that HIPAA aims to fulfill, which are:

  • Security of electronic health records
  • Privacy of individual health information
  • Insurance portability
  • Administrative simplification

When your goal is to create a healthcare web app, you'll need to become very familiar with the first two points.

Understanding the Four HIPAA Rules

Regulation of HIPAA compliance can be broken down into four primary rules: privacy, security, breach notification, and enforcement rules. By far, the most well-known are the first two of these rules, but it's important to understand all four of them when developing a healthcare app.

The Privacy Rule

This rule outlines a patient's rights regarding personal health information while also setting national standards for when PHI can legally be used and disclosed. This is a rule that applies to both covered entities and their business associates.

The Security Rule

The security rule outlines the security measures that must be taken by both covered entities and business associates to protect patients' electronic personal health information.

The solutions used by entities and associates must ensure the integrity, confidentiality, and availability of ePHI while also keeping it safe from any outside threats.

The Breach Notification Rule

This rule refers to instances when a data leak or security breach has occurred. There are specific rules that guide how and when to inform the affected individuals and the HHS (the U.S. Department of Health and Human Services). In some cases, the media must also be notified.

The Enforcement Rule

Finally, this rule outlines what the penalties are if covered entities and business associates don't comply with HIPAA. Additionally, it covers the process for investigations related to such cases.

Are you new to the world of building apps and software? If so, check out this article about the stages and processes of the Software Development Lifecycle.

How to Build a HIPAA-Compliant App That Properly Secures Customer PHI

There are several features that a HIPAA-compliant app will need to have in order to protect the private health information of patients that use the app or receive medical care from someone who does.

User Authentication

Your app needs to use methods to authenticate users when they sign in. Examples include passwords, biometrics, a Smart key or card, and PIN codes.

You don't want users to be signing in just with their email addresses; this isn't a safe way to identify users.

Proper Access Control

The access control for the app needs to be properly defined. This is the case for both users and admins.

You will need to use the HIPAA privacy rules as a guideline in order to determine which data needs to be restricted to which users and admins.

Access During Emergencies

There can be a disruption to essential services and utilities during emergencies of various kinds. For this reason, it's essential to ensure that there is access to your app's data, no matter the circumstance.

For example, if a natural disaster has occurred or there is no electricity, you'll want to ensure that your app is still fully functioning. While this isn't a specific requirement for creating a HIPAA-compliant app, it's necessary for a successful piece of healthcare software.

Secure Data Backup

Secure data backup is essential regardless of the type of app you're creating.

That being said, when dealing with sensitive customer PHI, it's essential to ensure that you have secure data backups in case of database corruption, server crash, or even natural disasters.

Transmission Security

In order to comply with HIPAA when creating an app, transmission security is another concern.

If PHI is going to be transferred over a network, the data needs to be encrypted in transit with TLS (SSL is its deprecated predecessor and should no longer be enabled).

PHI Disposal

Another feature your app will need to have to maintain HIPAA compliance is the proper disposal of personal health information.

Ensuring that there isn't any private information being stored that is no longer useful helps to protect the privacy of patients, as this information won't be available to hackers or bad actors.

Build an Automatic Sign Off Feature

The risks of having personal information in a web app or other software aren't something everyone fully understands. If a person doesn't log off from the app after they are done using it, the data can be compromised by anyone who has access to the device.

For this reason, you will want to build a feature in your web app that automatically logs users out after a certain period of inactivity.
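One way to implement that automatic sign-off on the server side, as an added example that is not code from the original article: a session store that revokes a session after a period of inactivity and, as an extra safeguard, after an absolute lifetime. The limits, session ids and user ids below are assumptions chosen for illustration.

```javascript
// Added example (not from the original article): an in-memory session store
// that enforces an inactivity timeout and an absolute lifetime. The limits and
// names below are assumptions chosen for illustration.
const IDLE_LIMIT_MS = 15 * 60 * 1000;         // sign off after 15 minutes idle
const ABSOLUTE_LIMIT_MS = 8 * 60 * 60 * 1000; // re-authenticate after 8 hours regardless

const sessions = new Map();

// Create a session for an already-authenticated user; `now` is injectable for tests.
function createSession(sessionId, userId, now = Date.now()) {
  sessions.set(sessionId, { userId, createdAt: now, lastSeenAt: now });
}

// Validate a session on every request. Returns the user id while the session
// is live, or null (after revoking it) once it has idled out or expired.
function touchSession(sessionId, now = Date.now()) {
  const s = sessions.get(sessionId);
  if (!s) return null;
  const idle = now - s.lastSeenAt > IDLE_LIMIT_MS;
  const expired = now - s.createdAt > ABSOLUTE_LIMIT_MS;
  if (idle || expired) {
    // Revoke server-side, so a cookie left on a shared device is useless too.
    sessions.delete(sessionId);
    return null;
  }
  s.lastSeenAt = now;
  return s.userId;
}

// Explicit sign-off: revoke immediately instead of waiting for the timer.
function endSession(sessionId) {
  return sessions.delete(sessionId);
}

// Housekeeping sweep for sessions whose owners simply walked away.
function sweepSessions(now = Date.now()) {
  let removed = 0;
  for (const [id, s] of sessions) {
    if (now - s.lastSeenAt > IDLE_LIMIT_MS || now - s.createdAt > ABSOLUTE_LIMIT_MS) {
      sessions.delete(id);
      removed++;
    }
  }
  return removed;
}
```

Pair this with a client-side countdown warning so users are not surprised by the sign-off, and keep the absolute limit so a session that is kept alive by background polling still ends.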

Device Security

Device security is another important consideration when creating a healthcare app.

There are a number of features you might consider adding in order to meet this end, such as remote data erasure and full device encryption.

Responsible Audit Control

It's essential to always know how PHI is being accessed and where it is being accessed, as well as how it is being used by the people that are accessing it.

While this might sound difficult, one of the simpler ways to meet this need is an audit log table in the database that records who accessed which PHI record, when, and what they did with it.
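Putting the access-control guideline from the "Proper Access Control" section and the audit log described here behind one choke point, as an added example that is not code from the original article: every read of a PHI record is filtered to the fields the caller's role may see and written to an append-only audit log, whether it was allowed or denied. The roles, field names and sample record are assumptions constructed for illustration.

```javascript
// Added example (not from the original article): a single function that
// enforces role-based field access on a PHI record and audits every attempt.
// Roles, fields and the sample record are constructed assumptions.

// The "minimum necessary" slice of a record that each role may read.
const ROLE_FIELDS = {
  clinician: ["name", "dob", "diagnosis", "medications"],
  billing: ["name", "accountNumber", "planBeneficiaryNumber"],
  admin: [], // admins manage users and settings, not patient charts
};

// Constructed sample data standing in for the database.
const records = new Map([
  ["mrn-1001", { name: "A. Patient", dob: "1980-04-02", diagnosis: "J45.20",
    medications: ["albuterol"], accountNumber: "AC-77", planBeneficiaryNumber: "HP-5" }],
]);

// Append-only; in production this is a write-once table, not a mutable array.
const auditLog = [];

function writeAudit(entry) {
  auditLog.push({ at: new Date().toISOString(), ...entry });
}

// Read a PHI record on behalf of `user` for a stated purpose. Returns only the
// fields the role may see; denied attempts are logged and then rejected.
function readRecord(user, recordId, purpose) {
  const allowed = ROLE_FIELDS[user.role] || [];
  const record = records.get(recordId);
  if (!record || allowed.length === 0) {
    // Same response for unknown role and unknown record: no existence leak.
    writeAudit({ userId: user.id, role: user.role, recordId, purpose, action: "read", outcome: "denied" });
    throw new Error("access denied");
  }
  const view = {};
  for (const f of allowed) if (f in record) view[f] = record[f];
  writeAudit({ userId: user.id, role: user.role, recordId, purpose, action: "read",
    outcome: "allowed", fields: Object.keys(view) });
  return view;
}

// Answer the audit question "who has touched this record?" from the log itself.
function accessHistory(recordId) {
  return auditLog.filter((e) => e.recordId === recordId);
}
```

Because the log is written inside the same function that performs the check, there is no code path that returns PHI without leaving a record of it.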

Deploy Regular Security and App Updates

Keeping devices protected from suspicious attacks, viruses, or other means through which personal health information can be compromised can be tricky. This is particularly true when users stay connected to unsecured networks.

It's therefore important to release regular updates for your web app to fix bugs and ship security patches that keep health data secure.

Does My Web App Need to Be HIPAA-Compliant?

There are three questions that you'll need to ask yourself in order to determine whether HIPAA compliance is a requirement for your web app.

These are:

  • Am I going to be collecting PHI?
  • Is my web app going to be communicating PHI?
  • Is PHI going to be stored on a server?

Your web app will need to be HIPAA compliant if you answered yes to any of these questions.

Why Does HIPAA Compliance Matter For Web Apps?

In the intro, we went over some of the negative consequences of violating HIPAA. Needless to say, hefty fines and potential jail time aren't anything that your startup likely wants to get caught up in.

It's also important to understand, though, that HIPAA is a federal regulation, enforced by the government, that exists in order to ensure that people's personal health information is protected against cyber-attacks and other threats; it is not something that will protect you if your app is breached or attacked in any way. HIPAA is there to protect patients, not your company or piece of software.

Under HIPAA, it is your legal obligation to properly secure customer PHI if you create, store, maintain, or transmit PHI in any way. Beyond that, though, the last thing you want as a business is for sensitive personal data that your customers have entrusted you with to end up in the hands of bad actors.

Additional Tips For Building a Web App That Secures Customer PHI Properly

Finally, let's take a look at a few additional tips to make sure that your web app keeps your customer PHI safe and secure:

  • Only collect necessary data.
  • Always sign a Business Associate Agreement when third-party vendors are involved.
  • Set a clear privacy policy that covers all grounds before users sign up.
  • Strike a balance between user accessibility and data protection.

Get Help Building Your Web App From Pros

As you can see, building a web app that properly secures customer PHI isn't the easiest task in the world. Not only is it something that has many moving parts, but the consequences of failing to comply are high.

While simple apps that don't deal with private information about people's medical history or social security numbers might be good candidates for a DIY approach, healthcare apps really should be built by professionals with experience in the industry. When you're launching a healthcare startup and building a web app to serve your customers, you want to get it right the first time.

At Planetary, we specialize in helping companies of all sizes create unique digital products that are precisely suited to their business needs and their target audience. If you're looking for the right team to work with, drop us a line and tell us a bit about your project.