Application Security & Online Fraud , DevSecOps , HIPAA/HITECH
Safeguarding PHI in Healthcare Apps: Critical StepsPrivacy Attorney Adam Greene on Ensuring HIPAA Compliance
If a healthcare provider develops its own applications that handle patient data, it must take critical steps to safeguard protected health information and ensure HIPAA compliance, says privacy attorney Adam Greene.
"The covered entity is going to want to comply with the HIPAA Security Rule, so include the protected health information related to the app in [the organization's] risk analysis and risk management plan," Greene says in an interview with Information Security Media Group.
The organization must implement appropriate safeguards for PHI and ensure that "general information security best practices" are in place for software development, he adds.
"Make sure that security is baked into the app from the start, that the coding is properly checked for security vulnerabilities, and after the app is developed, that it is properly maintained and patched as new vulnerabilities become identified," he says.
"If the covered entity develops the app, and maintains the information ... and is handling PHI through the app, then that's certainly going to fall under HIPAA."
In the interview (see audio link below photo), Greene also discusses:
- The Department of Health and Human Services' Office for Civil Rights' recently issued guidance related to the transmission of patient's PHI via health apps, and the various scenarios for when a covered entity or an app vendor bears liability under HIPAA for breaches;
- Who is potentially liable for breaches involving open source application programming interfaces, such as the Fast Healthcare Interoperability Resource, also known as the FHIR API;
- Privacy and security considerations for patients when they receive or transmit their own health data via an app.
As a partner at Davis Wright Tremaine LLP in Washington, Greene specializes in HIPAA and HITECH Act issues. He formerly was senior health information technology and privacy specialist at OCR, where he played a significant role in administering and enforcing the HIPAA privacy, security and breach notification rules.