Health-related data is more personal and sensitive than the information handled by most other mobile apps, which is exactly why those who handle it must ensure it is well protected. Protected health information, commonly known as PHI, is an industry term for patient data that is regulated under law. How governments require that information to be handled and stored is set out in each country's federal privacy legislation. The two most common health information regulations are HIPAA in the United States and PIPEDA in Canada.
What is Protected Health Information?
Protected health information is health information—health records, lab results, medical bills—that is linked to individual identifiers.
For the HI in PHI to be protected, this information must also be used or transmitted by a “covered entity” or “business associate.” A covered entity is either 1) a healthcare provider, 2) a health plan or 3) a healthcare clearinghouse that handles protected health information. Business associates can include lawyers, IT professionals, accountants, billing providers, email encryption services, etc.—anyone who works on behalf of a CE and therefore also handles PHI.
Taken from the Office of the Privacy Commissioner of Canada, examples of the type of information considered to be PHI include:
- a patient’s name, address, birth date, and Social Security number
- an individual’s physical or mental health condition
- any care provided to an individual
- information concerning the payment for the care provided to the individual that identifies the patient, or information for which there is a reasonable basis to believe that it could be used to identify the patient.
The list above is not comprehensive, but it gives you a good idea of the type of information that requires extra care and attention by providers.
A piece of information must have two main characteristics to be considered PHI. First, the information must be linked to individual identifiers. Second, the information must be used by or disclosed to a covered entity during the course of care.
It is also good to be aware of what information is not considered PHI, and therefore isn't covered, such as heart rate, pedometer metrics, and calories burned.
How is PHI Kept Secure?
Regulations like HIPAA and PIPEDA were put in place to protect the interests of patients by holding covered entities and business associates accountable in their handling of sensitive data.
First, let’s clarify the difference between what is covered by HIPAA and PIPEDA. This infographic from Giva Inc. is particularly helpful in breaking it all down:
Data security matters not only when the information first comes in. It is also essential to treat the data with the same care for the entire time it is owned or accessible.
For instance, app owners are responsible for the security of information during the entire data lifecycle (from creation to destruction). This image demonstrates the cycle:
Once the rules and regulations of your region are understood, the next steps are up to the app owner. App owners are responsible for choosing how the information is stored as well as for keeping it secure. How this is done can vary for different apps. Some owners may outsource and seek professional help with this step, while others may choose to handle it on their own.
Before jumping into that decision, here are some questions/precautions to consider to help ensure data is secure through the duration of its lifecycle:
- What does the app have in place to keep communications and information transmissions safe and secure?
- Where is data being stored? What is put in place to keep this information away from the public and secure from intruders?
- Are there parameters to help users identify the proper rationale for using information? What circumstances give users permission to access information?
- Are there any tools in place to confirm and identify the recipients of the information?
- What is in place to ensure that the data being archived has a purpose for being archived? How long will this data be kept?
- Is the method for destruction safe and definite?
What Does All This Mean for App Developers/Owners?
Being familiar with these regulations and having a clear, thought-out plan for data maintenance is a critical aspect of developing an mHealth app. Not knowing the requirements around PHI could lead to legal ramifications.
Conversely, knowing about the specifics of PIPEDA and HIPAA can also save some time when developing with these rules and guidelines in mind. For example, if an app does not collect PHI, it is exempt from the regulations above.
Apps like Google Fit do not collect any PHI and therefore do not need to adhere to HIPAA.
But an app like GSC On the Go would, since it deals with health insurance plans and claims and stores a digital health card. All of these things fall under PHI, so this app would need to be HIPAA compliant.
In this business, data is helpful, and it can be exciting. It is how we learn more about our users and get ideas on how we can improve our product. But with great power comes great responsibility, and it is up to developers and owners alike to know about important regulations, understand what they mean, and follow the guidelines put in place to protect users.