What will it take for health app developers to achieve HIPAA compliance and protect your personal health data? Medable’s CEO Dr. Michelle Longmire explains.
What happens when personal data pervades healthcare to the point that it requires HIPAA-compliant protections? That was the question asked ‘round the healthcare world when Apple released its HealthKit platform in September. While Apple is striving to connect its consumer products within the clinical world, app developers are both rejoicing and recoiling. Why? Because even Apple can’t hurdle HIPAA in a single bound, so how are app developers going to take such an advantageous leap?
This isn’t a new question for health-app developers, but Apple’s ambitions with HealthKit have pushed the importance of answering it to the forefront. Without HIPAA compliance, comprehensive clinical integration isn’t possible. Apple’s mindset is that HealthKit will piece together what is now considered the fragmented patient profile by enabling the amalgamation of clinical and personal data; the virtual glue coming from health and wellness related apps.
However, the key to HealthKit’s success could be the crux of demise for hasty app developers who are eager to participate—because achieving HIPAA compliance isn’t as easy as it sounds.
“The single biggest mistake developers and companies make is thinking HIPAA compliance can be reduced to a storage or deployment issue,” said Medable’s Michelle Longmire, CEO of the medical-app development service provider based in Palo Alto, Calif., and dermatologist at Stanford University.
Michelle Longmire, CEO of Medable
“Some companies believe that by using a secure deployment environment or a HIPAA compliant storage solution, that this makes their application HIPAA compliant. It does not. HIPAA compliance is achieved at the application level, meaning that the application data is secure and only the right people can see the data at the right time.”
Longmire continued: “Compliance at the application level entails many considerations. Push messages cannot contain patient information; the application must time out. All of the data must be secured on the device (in transit and in storage), a user must choose where the data goes, and the list goes on and on. The other factor is that HIPAA is constantly evolving, posing additional challenges for developers so the platform must be in tune with the evolution of HIPAA.”
Certification Won’t Spell Out HIPAA Compliance
Of course, Apple hasn’t been completely absent from the data-protection conversation. In fact, it’s considering developing a HealthKit Certification for third-party developers to stipulate how data must be stored securely on devices and has also has updated its developer guidelines pertinent to data sharing rules and health apps. While Longmire commends Apple’s efforts, she cautions that this does not mean Apple will be lending a hand when it comes to achieving HIPAA Compliance.
“Although HealthKit helps Apple’s customers aggregate certain data across health apps into a single place, the data still dies there because it is unable to be used in any clinical setting,” said Longmire. “Apple limited HealthKit’s reach for strategic reasons. If HealthKit was to do more, it might invite regulatory scrutiny of iPhones. Apple is making far too much money selling devices and doesn’t want to slow down its development schedule. So it’s highly unlikely Apple will play a role in connecting HealthKit data to the healthcare system.”
Longmire continued: “No one company can do everything. But right now, most companies in digital health can’t do much of anything because of the barriers created by HIPAA compliance.” Therein lays the problem: The potential for app developers (especially in the wake of platforms like HealthKit) is great, but the risks associated with independently creating and deploying HIPAA compliant application are even greater. So what’s an ambitious app-developer to do?
That’s the question that crossed Longmire’s mind when she set out to create her own application Dermtap; it took an entire year to build the proper HIPAA-compliant architecture and analytics to develop the app. It was an experience that would yield more than frustration for Longmire. “During the process we realized that it is simply ludicrous for every company to start from the ground up—wasting valuable development time and resources—to build a HIPAA compliant framework. We asked ourselves, ‘What if companies could start with building the application and not lose a year and a lot of money on HIPAA and data architecture?’”
That question pivoted Longmire’s path from app development to building a scalable HIPAA-compliant, mobile platform that would enable app developers to readily achieve HIPAA compliance, which she did with the help of Tim Smith, CTO. Data sharing is the most powerful aspect of the platform, allowing developers to build apps that enable sharing of any type of data, including device data, text, images, videos, and even custom data classes. Additionally, the backend provides a very powerful analytics framework; using the data structured in the application, the backend collects and aggregates this data for powerful analytics, as well as for HIPAA auditing.
“Instead of building our own apps, we are helping people build their apps,” said Longmire. “This allows us to have far greater product reach, allow many more healthcare problems to be solved more quickly, and ultimately, will allow us to build a more impactful business.”
Five HIPAA Hurdles to Consider
But what about the app developers that want to take the DIY approach to HIPAA compliance? Longmire says there are five major hurdles to consider before taking such a leap:
1. Technical Prowess and Procedural Familiarity: Becoming HIPAA compliant requires a combination of technical infrastructure and administrative protocols and procedures. Longmire says if you don’t have both, it’s not going to be an easy road and you’re bound to make a few mistakes along the way.
2. Costly and Evasive Sources of Expertise: Finding developers who know the technical and administrative side of HIPAA can be a challenge. The knowledge is very niche, and there aren’t many people who have the skill set to advise companies properly. Due to the scarcity of people with such skills, there is a premium in the market for this type of guidance.
3. Prolonged and Expensive Production Schedule: Even with the right people in place, there is substantial work that goes into building a HIPAA-compliant application. Generally, it requires anywhere from 16 to 24 man-months of work.
4. Missing the Mark: HIPAA compliance can be approached in a number of ways, but for it to be valuable it must scale effectively. There aren’t many engineers who truly understand HIPAA and security technologies. Without those skills, it is difficult to reach true HIPAA compliance, thus your effort may be great, but your results may not be good enough.
5. Finding the Benefit: This one may seem obvious, but even if you have the resources to achieve independent HIPAA compliance can you say it will be an effort that will benefit you in the long run? That’s a hurdle to consider, perhaps, before entertaining any of the others.
“If a developer or company tried to develop the requisite HIPAA compliant technical and administrative infrastructure, it would cost $200,000 to $300,000, take months, or even years, to complete, and carry significant execution risk,” Said Longmire. “HIPAA breaches can also bring significant financial risk because of extensive penalties that can reach into the seven figures. Companies would be better served to focus on the core aspects of their product or service–and outsourcing the HIPAA compliance component.”
With that in mind, Longmire hopes that as HealthKit inspires others to partake in app development, they will also think about an approach that will make the process of HIPAA compliance easier. “This so-called last mile is exactly what Medable empowers,” she said. “We see HealthKit as something that allows Medable’s value to be more evident and our relationships with our customers even stronger.”