HIPAA Compliance for Healthcare Apps

What Application Developers Need to Know About HIPAA Compliance


Increasingly, patients want to access their healthcare information using mobile applications or web applications. Instead of calling a doctor’s office, they want instant access to their records. According to the Office of the National Health Coordinator for Health Information Technology (ONC), 1 in 8 Americans tracked a health metric using some form of technology in 2013. As healthcare providers increased their use of technology during the COVID pandemic, securing health applications is more important than ever. As more health-focused applications go to market, application developers need to know how Health Insurance Portability and Accountability Act (HIPAA) compliance fits into their coding practices.

What are HIPAA and the HITECH Act?

Health technologies fall under two interrelated compliance requirements: HIPAA and HITECH.


Congress passed the Health Insurance Portability and Accountability Act (HIPAA) in 1996 to set requirements for the protection and confidentiality of protected health information (PHI). HIPAA has four goals:

  • Give people a way to transfer health insurance coverage when they change or lose their jobs
  • Reduce healthcare fraud and abuse
  • Establish industry-wide standards for managing health care information
  • Establish PHI security and confidentiality standards

HIPAA Security Rule

HIPAA Security Rule is broken down into three categories of safeguards:

  • Administrative: policies and procedures for putting security and privacy measures in place to protect electronic PHI (ePHI)
  • Physical: measures protecting electronic information systems and the buildings where they reside from natural disasters, environmental hazards, and unauthorized intrusion
  • Technical: risk-based technology, policies, and procedures for reasonably setting security controls to protect ePHI and control access to it

HIPAA Violations

HIPAA sets fines for violations using a four-tiered system across a spectrum of actions, including:

  • Awareness of the violation
  • Ability to avoid the violation
  • Reasonable care taken to follow HIPAA’s rules

At Tier 1, the lowest tier, fines start with a minimum fine of $100 per violation for activities that could not have been reasonably avoided as long as the covered entity proves it took reasonable care. The fines escalate up to Tier 4’s $50,000 per violation for violations arising from willful neglect where the covered entity made no attempt to correct the violation. In 2020, the HHS Office for Civil Rights (OCR) levied a total of $13,554,900 in fines ranging from a minimum of $3,500 up to a maximum of $6.85 million.

HIPAA also includes three tiers of criminal penalties for violations, with up to a year in jail at the lowest tier and up to ten years in jail at the highest tier.


In 1996, most PHI practices focused on physical records, since electronic records were not yet widely adopted. As the healthcare industry began to embrace digitization, so did HIPAA.

In 2008, the Health Information Technology for Economic and Clinical Health (HITECH) Act was signed into law. The HITECH Act sought to drive electronic health record (EHR) technology adoption to make care coordination across multiple healthcare practitioners more efficient.

Further, HITECH applied the HIPAA Security and Privacy Rules to business associates, culminating in the consolidated Omnibus Rule in 2013. Under the Omnibus Rule, the Department of Health and Human Services (HHS), the agency responsible for HIPAA, strengthened the privacy and security protections and officially incorporated HITECH into the long-standing regulation.

What four entities are covered by HIPAA?

HIPAA outlines three categories of covered entities and an additional business associate category.

Covered Entities

Covered entities generally include the traditional types of providers and services associated with health care.

The three covered entities are:

  • Health care providers like doctors, clinics, psychologists, dentists, chiropractors, nursing homes, and pharmacies
  • Health plans like health insurance companies, HMOs, company health plans, government programs that pay for health care (Medicaid, Medicare)
  • Health care clearinghouses that process nonstandard health information received from another entity into a standard format (such as an electronic format) or vice versa

Business Associates

Business associates are defined as people or entities performing functions or activities that use or disclose PHI on behalf of, or when providing services to, a covered entity.

Examples of business associate functions include:

  • Claims processing or administration
  • Data analysis, processing, or administration
  • Utilization review
  • Quality assurance
  • Billing
  • Benefit management
  • Practice management
  • Repricing

Examples of business associate services include:

  • Legal
  • Actuarial
  • Accounting
  • Consulting
  • Data aggregation
  • Management
  • Administrative
  • Accreditation
  • Financial

Are software applications subject to HIPAA compliance?

In 2016, HHS published “Health App Use Scenarios & HIPAA.” HHS notes that any application developed for a covered entity must meet HIPAA compliance. Additionally, anyone creating or offering applications on behalf of a covered entity might be considered a business associate.

The publication applies HIPAA requirements to an app developer in the following cases:

  • Apps that patients download at the direction of their providers when the provider has contracted with the app developer
  • Mobile personal health record (PHR) applications offered by health plans

App developers need to consider the following when trying to determine whether they are considered a covered entity or business associate:

  • Whether the health app creates, receives, maintains, or transmits identifiable information
  • Whether the direct client is a covered entity
  • Whether hiring or payment is done by a covered entity
  • Whether a covered entity directs the developer to create, receive, maintain, or disclose information related to a patient or health plan member

HIPAA Compliance for Healthcare Apps

Developers working for HIPAA-covered entities need to make sure that any internally developed application meets HIPAA compliance. However, all software developers need to consider potential HIPAA compliance as part of their coding practices. While the initial roadmap and use case for an application may not include use by HIPAA-covered entities, HIPAA compliance may need to be considered as a software company grows.

To learn more about securing web facing applications, visit the ShiftLeft secure coding training site for free courses.

HIPAA Compliance for Healthcare Apps was originally published in ShiftLeft Blog on Medium, where people are continuing the conversation by highlighting and responding to this story.

*** This is a Security Bloggers Network syndicated blog from ShiftLeft Blog - Medium authored by The ShiftLeft Team. Read the original post at: