Smartphone and tablet users are increasingly using health-related apps, whether that’s a fitness tracker or an app to communicate with their provider. But privacy policies can be difficult to understand and many mobile health apps don’t adequately protect patient data.

It’s impossible to say exactly how many of the now 350,000 available mHealth apps are secure, but we can get a sense from published research. A study from last year reviewed 125 iPhone health apps for dementia and found that just 33 had privacy policies available. Similarly, a 2016 review of 271 diabetes apps found that 81 percent did not have a privacy policy.

As the authors of the diabetes review note, “Patients might mistakenly believe that health information entered into an app is private (particularly if the app has a privacy policy), but that generally is not the case. Medical professionals should consider privacy implications prior to encouraging patients to use health apps.” 

The proliferation of medical apps reflects the new and innovative ways technology is improving health and health care delivery. But whether you’re a patient or provider, it’s important to know which health apps have protections in place to secure sensitive data.

How do you know if your medical apps are secure? Here are three things to look for in your health app’s description or FAQ page.

1. Is the app HIPAA compliant?

HIPAA, the Health Insurance Portability and Accountability Act of 1996, sets the data privacy and security rules for medical information in the U.S. It applies to covered entities (health care providers, health plans and clearinghouses) and to the business associates that handle protected health information (PHI) on their behalf. An app that falls into one of those groups must comply with HIPAA, which in practice means satisfying four main requirements:

  1. Administrative, technical and physical safeguards are in place to protect PHI.
  2. Use and sharing of PHI is limited to the minimum necessary to accomplish the app's function.
  3. Business associate agreements (BAAs) are in place with every connected service provider that touches PHI through the app (a cloud hosting vendor, for example).
  4. Access to PHI is restricted to the people who need it, and employees are trained in how to protect it.

A consumer app that never connects to a covered entity, such as a standalone fitness tracker, is generally outside HIPAA altogether, which is why the diabetes review quoted above warns that data entered into an app is usually not protected the way patients assume.

As a provider or patient, the first thing to check is whether the app states clearly that it is HIPAA compliant. Look in the app description or FAQ for a statement like this:

“Our apps exceed the standards specified by HIPAA and HITECH, the major medical legislation governing data security in the U.S. healthcare industry.”

Treat that statement as a starting point rather than proof: it is the developer's own claim, and the next two points are how you check it.

2. Have they conducted external audits?

Many people are surprised to learn that there is no official certification process for HIPAA: the Department of Health and Human Services does not certify apps or vendors. That means it is up to the software developer to ensure that its administrative, technical and physical safeguards meet HIPAA's requirements.

This is why app developers who take data security seriously will often hire an independent third party to audit those safeguards. An app whose developer has taken that extra step gives you much better evidence that your PHI is protected than a self-declaration does. If the description mentions an audit, it is reasonable to ask when it was done and which requirements it covered, since an audit only speaks for the controls in place at the time.

3. Bonus: “beyond HIPAA compliant”

Some apps claim to be “Beyond HIPAA Compliant,” meaning they have deployed additional security measures on top of the baseline to protect sensitive health information. This may include mechanisms like a secondary passcode for access, keeping the app's data isolated from other apps on the same mobile device, or requiring users to re-enter their password each time they open the app, even within the same session.

While HIPAA compliance should be your baseline standard for any medical app that handles PHI, external audits and beyond HIPAA security measures indicate a developer that takes privacy concerns seriously.

If you have questions about a medical app's security status, contact the developer and ask. Developers also have plenty of resources available to help make their mobile health applications HIPAA compliant.
