Make Sure Mobile Medical Apps Are HIPAA Compliant

April 10, 2014

Practices must consider the security of more than just mobile devices. Medical apps can jeopardize patient data if they are not encrypted.

While practices may often feel the "price may be right" for medical mobile apps, compliance with security regulations may not be. With the Senate Health, Education, Labor and Pensions ("HELP") Committee members asking for clarification from Food and Drug Administration Commissioner Margaret Hamburg on its mobile device policy, now is a good time for physicians and hospitals to see whether their devices and practices are up to standard under the FDA and HIPAA regulations.

Some of the critical questions included:

• The interplay between Congressional initiatives and the FDA's oversight of medical mobile apps, in relation to potentially establishing categories of medical device software;

• Resources provided by the FDA to start-up companies entering this space; and

• The role statutory definitions can assume in assigning risk to particular medical software.

For those entities engaging in HIPAA risk assessments and risk analyses, the third area is one to highlight in particular. Since guidance has not yet been issued, a good place to start is to add a provision covering medical apps to your practice's required policies and procedures; assess medical apps to make sure that they encrypt patient data; and evaluate the other typical risks. Having a HIPAA compliance officer who keeps up to date on trends, emerging technologies, and risks can assist physicians and hospitals in maintaining compliance and providing reasonable assurances to their patients.

Another area worth highlighting in connection with this initiative is the business associate agreement between the provider and the app company. Taking steps now and remaining abreast of changes in both the law and the technology can help providers determine whether "the price is right," both in terms of actual cost and in terms of the risk associated with noncompliance.