Two pros offer HIPAA compliance plan advice for app developers

App developers working on mHealth apps may be bound by HIPAA. Two experts share their advice on how to build a robust HIPAA compliance plan.

When it comes to HIPAA compliance, patients and providers are not the only ones who should have a vested interest. Now that mobile has become increasingly popular -- and helpful -- in the traditional healthcare setting, application developers working in the healthcare space need to think not only about whether they are bound by HIPAA, but also about a robust HIPAA compliance plan.

Jason Wang, founder and CEO of Truevault, a HIPAA-compliant API and cloud data store for healthcare software applications based in San Jose, Calif., and David Reis, vice president of information services and CISO at Lahey Hospital and Medical Center in Burlington, Mass., offered their advice for application developers navigating HIPAA.

How should app developers approach creating a robust HIPAA compliance plan?

For app developers trying to navigate the complexities of HIPAA -- or trying to figure out if they need to stick to a strict HIPAA compliance plan -- Reis and Wang suggested perusing resources HHS has provided in addition to the guidance for app developers HHS recently released.

"Go to the app portal that HHS has launched," Wang said. "Read all the resources. Understand the different definitions: What's a covered entity? What's a BAA [business associate agreement]?"

Wang also advised that app developers get an official opinion and consult lawyers who are experts in this area.

Don't rush it, he said. Do it right.

"The last thing you want is to do something and build something wonderful and have a lot of people find out you're in violation of HIPAA, and you have to start all over again," Wang said. "That's soul crushing."

Even so, having a HIPAA compliance plan may not be enough, Wang warned. Being HIPAA compliant is one thing, but data security is another, and it's "extremely important," he said.

Reis suggested app developers lead with security best practices, and then HIPAA compliance will naturally follow as a byproduct.

"If we build information security into the app that's being developed, then whether HIPAA applies directly or doesn't apply directly becomes more of a secondary concern because all the things that are required to be HIPAA compliant would have been done," Reis said.

He added that hosting services such as Amazon Web Services (AWS) are another helpful resource for app developers. Hosting services underpin many applications, he explained, and AWS has published a white paper on how to use AWS in a HIPAA-compliant way.

Ultimately, however, Reis said, "as long as the app developers are following [industry standards and security frameworks], then demonstrating or developing compliance becomes a much easier thing to do."
