Things to consider when building HIPAA-compliant applications

Building mobile or web apps for the healthcare industry means software developers must heed HIPAA regulations. Here, we detail key considerations for HIPAA-compliant apps and server-side logic, including encryption, disclaimers, certifications, TLS/SSL, and more.

Ensuring apps are compliant with HIPAA (Health Insurance Portability and Accountability Act) changes the rules of the development game—for mobile apps and server-side logic. We recently built a secure mobile messaging platform for Schumacher Clinical Partners (SCP), a privately held, physician-driven company dedicated to helping hospitals and providers deliver high-quality patient care. Read on to discover some key lessons and strategies we developed from working on this project.

Questions to answer in the workshop phase

The answers to the following questions will impact the basic design of an application:

  • Will the app need offline support (to work without the internet)?

  • Will the app require a passcode, fingerprint, or face ID to unlock?

  • Is there a need for third-party integrations (such as OAuth, Okta, Tangier, Salesforce, Twitter, Facebook)?

Considerations when building mobile or web apps

Encryption: Information stored on devices and in browsers (including cookies, local storage, and session storage) needs to be encrypted. It is best to store as little data as possible on the device or in the browser, querying the API service as needed and keeping data only in active memory. Unfortunately, this strategy is not workable when the app must support offline use. In that case, encrypt the data at rest and decrypt it only when loading it into active memory. Admittedly, this is a bit challenging, since the keys needed for decryption must themselves be stored securely (which is harder in a browser than on a device).

Disclaimer: If the app allows users to send or receive files, you must add a disclaimer for these actions. Once a file leaves the app, the app is no longer in charge of keeping it safe, and the user is responsible for any leaks (for example, if their phone is compromised or they copy the files to a cloud service).

Reauthenticate idle sessions: For the SCP app, we implemented an idle timer that requires users to re-authenticate via their PIN, fingerprint, or face after a set interval of inactivity. If the user does not re-authenticate, the app logs them out, erasing all active data held in memory.
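The idle-timer behaviour described above, as an added illustration that is not code from the SCP app: the session locks after `idleMs` of inactivity, a failed or missing re-authentication within an assumed `graceMs` window logs the user out, and logout clears everything held in memory. The `verify` callback stands in for whatever PIN or biometric check the app uses, and the injectable `now` clock is only there so the logic can be exercised deterministically.

```javascript
// Added example, not the SCP app's code. idleMs, graceMs, verify and now are
// assumed parameters; verify(credential) -> boolean models the PIN/biometric check.
class IdleSessionGuard {
  constructor({ idleMs, graceMs, verify, now = () => Date.now() }) {
    this.idleMs = idleMs;        // inactivity before the session locks
    this.graceMs = graceMs;      // time allowed to re-authenticate once locked
    this.verify = verify;        // re-authentication check
    this.now = now;              // injectable clock (ms)
    this.state = "active";       // active | locked | loggedOut
    this.lastActivity = now();
    this.lockedAt = null;
    this.memory = new Map();     // decrypted PHI kept only in active memory
  }

  touch() {                      // call on every user interaction
    if (this.state === "active") this.lastActivity = this.now();
  }

  put(key, value) {              // only an active session may hold data
    if (this.state !== "active") throw new Error("session not active");
    this.memory.set(key, value);
  }

  check() {                      // call from a periodic timer tick
    const t = this.now();
    if (this.state === "active" && t - this.lastActivity >= this.idleMs) {
      this.state = "locked";
      this.lockedAt = t;
    }
    if (this.state === "locked" && t - this.lockedAt >= this.graceMs) {
      this.logout();             // no re-authentication in time
    }
    return this.state;
  }

  reauthenticate(credential) {   // PIN / fingerprint / face result
    if (this.state !== "locked") return this.state;
    if (this.verify(credential)) {
      this.state = "active";
      this.lastActivity = this.now();
    } else {
      this.logout();             // failed re-authentication ends the session
    }
    return this.state;
  }

  logout() {
    this.memory.clear();         // erase all active data in memory
    this.state = "loggedOut";
  }
}
```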

TLS/SSL: All HTTP and WebSocket (WS) traffic should be secured with TLS/SSL, which is now the de facto standard.

Considerations when creating server-side logic

HIPAA-compliant storage services: All storage services (database, file storage, etc.) should be HIPAA-compliant. Instead of maintaining local storage centers or servers, we recommend AWS; most of its main services (such as EC2, S3, RDS, EB) are HIPAA-certified.

Private secure network: Communication between microservices should take place over a private secure network.

Encryption: Private health information stored on remote servers must be encrypted.

For more information on the secure mobile messaging platform we built for SCP, read the case study or see our white paper on HIPAA-compliant applications.

Development of a HIPAA compliant platform coordinating emergency room staffing

Case study: mySCP