With the increased use of mobile health apps to improve health outcomes, protecting private health data is becoming increasingly important. Researchers estimate there are over 300,000 mHealth apps in existence, and some relate to HIPAA covered entities or their business associates.
With patients’ increasing desire for data accessibility and app data sharing, it is critical to ensure that patients transmit their Protected Health Information (PHI) to apps that are compliant with HIPAA privacy and security rules. About 25% of healthcare providers suffer from data breaches violating HIPAA policies, caused by using mobile devices that come preloaded with mHealth apps. This results in lawsuits, and loss of confidence among health providers and patients. Earlier research has focused on security of mobile devices, but not checking further how apps store or transfer data securely before being used by remote health care providers or users.
Most mobile app developers including mHealth apps are not aware of HIPAA security and privacy regulations. This creates the market opportunity to develop static and dynamic code analysis tools for mHealth app developers so their developed products meet HIPAA security and privacy guidelines.
Currently, there is a lack of an analysis framework to check mHealth apps’ security and privacy risks following the applicable HIPAA technical security and privacy guidelines.
We propose to develop a framework to analyze mHealth apps for HIPAA security and privacy compliance. The framework will be allow users who have no knowledge of HIPAA or app security to receive an assessment of security and privacy risks per HIPAA guidelines. It will be based on Android Studio to to test the source code of mHealth applications for potential data security breaches related to HIPAA before posting for the market place. The tool will further address API level checking for secure data communication mandated by recent CMS guidelines between third party mobile health apps and EHR systems.
The analysis framework will also address heterogeneous health data and enable providers to remain compliant with HIPAA administrative and operational guidelines. We propose to perform two acceptance tests on the prototype based on partnering with HIPAA experts and medical doctors and for-profit EHR vendors along with the effectiveness of tools for detecting health data security breaches. The proposed tool will further enable the development of data breach checking for iOS mHealth apps and adoption and integration by large scale EHR vendors in the future.