

HIPAA compliance is a must for anyone sharing and storing medical records. As of 1996, the Health Insurance Portability and Accountability Act (HIPAA) has had consequences for any technology platforms that store and share protected health information (PHI). This includes apps.

What counts as PHI? Under the law, PHI is defined as information about health status, the provision of healthcare, or payment for healthcare that is collected by a healthcare entity and can be linked back to an individual.

When is HIPAA compliance required?

HIPAA compliance is a must for mhealth apps.

Whether your app or platform needs to comply with HIPAA can be a complex question, because what counts as PHI can be somewhat ambiguous.

But in general, it depends on the type of information that an app is collecting or sharing. Simple consumer apps such as calorie trackers and weight loss apps aren’t typically collecting protected information. HIPAA compliance may not be necessary in those cases.

However, if medical professionals are using your app or platform to upload or record patient information or consultations, HIPAA almost certainly applies.

The Privacy and the Security Rules

To comply, an mhealth (mobile health) platform or app needs to meet the requirements of two rules. These are the Privacy Rule and the Security Rule.

The Privacy Rule covers what counts as PHI, as well as who is responsible for keeping PHI private. The Security Rule offers guidelines for securing PHI administratively, physically and technically.

Meeting the requirements for both rules can require extensive resources, as building HIPAA-compliant safeguards from scratch adds significant complexity to a project. However, while ensuring that a mobile app or platform is HIPAA compliant can be costly, breaching HIPAA is far more so: fines can be up to $50,000 per violation.

From the ground up or aaS?

Getting HIPAA compliance right matters.


There are two options for ensuring HIPAA compliance: building in compliance from the ground up, or using pre-certified as-a-service (aaS) tools. By choosing HIPAA-certified vendors and having each of them sign a Business Associate Agreement (BAA), you can outsource some of the challenge of HIPAA compliance.

Some common tools include Paubox or Virtru for HIPAA-compliant email and Heroku’s HIPAA-compliant hosting. Amazon AWS, Google Cloud Drive and Box are also popular choices.

Ensuring your app is HIPAA compliant

If you’re building an app or platform that requires HIPAA compliance, we recommend hiring a mobile app development company with HIPAA experience – not a freelancer. They’ll know to mitigate risk by storing and sharing only what is essential, and by encrypting both data at rest and data in transit. They’ll also ensure that the app itself is hardened: blocking push notifications (which can display PHI outside the app), enforcing session timeouts, and avoiding local storage of app data on the device. Plus, they’ll be able to undertake security and penetration testing – including a third-party audit.

Building an mhealth app or platform? We have experience building HIPAA-compliant products, so get in touch!




Touchtap is a digital agency specializing in mobile-first development. We can build your mobile app for you.
