HIPAA Compliant Web or Mobile Applications Checklist for 2022

By Xano | December 10, 2021

If you are building a mobile application for the healthcare industry, HIPAA compliance is absolutely vital. HIPAA violations can land you in legal trouble, damage your company's reputation, and cause stress to patients whose information was leaked.

Passed in 1996, the Health Insurance Portability and Accountability Act (HIPAA) strives to keep sensitive medical information private. In recent years, as more and more health records have become completely or partially electronic, HIPAA has expanded to include many regulations regarding cybersecurity.

Below, we will provide a brief checklist of how to make sure your application is in compliance with current laws and regulations.

Educate Yourself

To ensure you are HIPAA compliant, you first need to get some background information on what HIPAA entails. To get you started, let's go over a few important terms you should know.

Covered Entities & Business Associates

Covered entities are any entities that must legally comply with HIPAA and include health plans, health clearinghouses, and healthcare providers who electronically submit health information. Anyone who stores, maintains, collects, or transmits information on behalf of covered entities is considered a business associate and must therefore comply with HIPAA and provide a business associate agreement (BAA).

In other words, if your application is handling any kind of medical records, you are almost certainly subject to HIPAA regulations.

The Federal Trade Commission (FTC) provides a useful tool (which you can access here) that specifies which regulations apply to your business and application. Always use this tool to confirm HIPAA compliance. HIPAA is legally complicated and the below checklist is not definitive. Rules vary greatly depending on factors like your industry, the information you're handling, and so on.


PHI stands for protected health information. In short, this is basically any information regarding healthcare or payment for healthcare services. However, this includes more types of information than you might realize.

There are 18 identifiers of PHI:

  • Names
  • Dates
  • Telephone numbers
  • Geographic data
  • FAX numbers
  • Social Security numbers
  • Email addresses
  • Medical record numbers
  • Health plan beneficiary numbers
  • Certificate/license numbers
  • Vehicle identifiers and serial numbers
  • Web URLs
  • Device identifiers and serial numbers
  • Internet protocol addresses
  • Full face photos and/or comparable images
  • Biometric identifiers (e.g., fingerprints)
  • Any unique identifying numbers or codes (For example, if a hospital requires patients to have PINs to check in and out, this would qualify as PHI)

Ensure All Required Safeguards Are In Place

First proposed in 1998, the HIPAA Security Rule became mandatory in 2006 and applies to any entity or individual with access to PHI. This includes IT and software vendors. If your mobile application stores PHI, HIPAA requires you to have technical, administrative, and physical safeguards in place to protect against unauthorized access.

Technical Safeguards

For technical safeguards, HIPAA requires:

  • Access Control: Not only do you need to have centrally-controlled user names and PINs for each authorized user, you need a procedure in place regarding the disclosure of PHI during a health emergency.
  • Activity Logs And Audit Controls: These record attempts to access electronic health records containing PHI, so that the activity can be examined later.

It is also recommended that you introduce a mechanism to authenticate PHI that confirms whether health records have been accessed, tampered with, or destroyed by unauthorized users.
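One way to build the audit log and the integrity mechanism described above, as an added example that is not from the original post: each access event is chained to the previous one with an HMAC, and each event stores a keyed digest of the record so later changes can be detected. The key, field names, users, and record ids are constructed for illustration.

```python
import hashlib
import hmac
import json

# Assumption: a real deployment fetches this key from a KMS/HSM; constructed demo value.
AUDIT_KEY = b"constructed-demo-key"


def _mac(data: bytes) -> str:
    return hmac.new(AUDIT_KEY, data, hashlib.sha256).hexdigest()


def append_event(log, ts, user, action, record_id, content: bytes):
    """Log one PHI access; the entry is chained to the previous entry's MAC."""
    entry = {"ts": ts, "user": user, "action": action, "record_id": record_id,
             "record_mac": _mac(content)}  # keyed digest, so no PHI lands in the log
    prev = log[-1]["mac"] if log else "genesis"
    entry["mac"] = _mac(prev.encode() + json.dumps(entry, sort_keys=True).encode())
    log.append(entry)


def first_bad_entry(log) -> int:
    """Return -1 if the chain verifies, else the index of the first bad entry."""
    prev = "genesis"
    for i, row in enumerate(log):
        body = {k: v for k, v in row.items() if k != "mac"}
        want = _mac(prev.encode() + json.dumps(body, sort_keys=True).encode())
        if not hmac.compare_digest(row["mac"], want):
            return i
        prev = row["mac"]
    return -1


def record_unchanged(log, record_id, content: bytes) -> bool:
    """True if the stored record still matches its most recent logged state."""
    for row in reversed(log):
        if row["record_id"] == record_id:
            return hmac.compare_digest(row["record_mac"], _mac(content))
    return False  # never logged: treat as unverified


def build_sample_log():
    """Constructed sample events; users and record ids are made up."""
    log = []
    append_event(log, "2022-01-05T09:00:00Z", "dr.lee", "read", "MRN-0001", b"bp=120/80")
    append_event(log, "2022-01-05T09:05:00Z", "nurse.kim", "update", "MRN-0001", b"bp=118/79")
    append_event(log, "2022-01-05T09:10:00Z", "dr.lee", "read", "MRN-0002", b"a1c=5.4")
    return log
```

A chain like this detects edited or removed entries in the middle of the log, but not truncation from the end, so the latest MAC should also be copied to storage the application cannot rewrite.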

Administrative Safeguards

For administrative safeguards, HIPAA requires:

  • Regular Risk Assessment: Your security officer should regularly do a risk assessment to identify any potential weak spots where PHI is being accessed and stored and determine ways to improve security.
  • Risk Management Policy: This policy would put a protocol in place for when and how to perform a risk assessment and have measures in place to report and correct risks. There should also be sanction policies for employees who fail to comply with HIPAA.
  • A Contingency Plan: This ensures that you can still perform critical business processes in an emergency and requires that you have a protocol in place for keeping PHI secure during emergency mode.
  • Restricting Third-Party Access: PHI cannot be accessed by unauthorized parent organizations, employees, or contractors. You should also have any business partners with access to PHI sign Business Associate Agreements.

In addition to having the required administrative safeguards in place, you should also regularly test your contingency plan and have strict protocols for reporting security incidents.

Physical Safeguards

For physical safeguards, HIPAA requires:

  • Policies For The Use And Positioning Of Work Stations: You need to have strict policies in place that restrict use of any workstations with access to PHI. Specify what physical protections are in place at these workstations and how these workstations can and cannot be used.
  • Policies And Procedures For Mobile Devices: If employees access PHI from mobile devices, there must be policies in place regarding how PHI is accessed and how that information will be removed from a device if it is sold, re-used, and so on.

Facility Access Controls are also recommended. These control who has physical access to locations where PHI is stored and include everyone from software engineers to janitorial staff.

Encrypt & Use HIPAA Compliant Web Forms

Any information-collecting form that is filled out by a patient or client (e.g., medical insurance forms, patient information forms) must be encrypted to be HIPAA compliant. You also need to make sure your website is hosted by a company with knowledge of HIPAA compliance so that such forms are only transferred to HIPAA-compliant servers.

Remember, any information that contains one of the 18 qualifications of PHI must be encrypted. Always err on the side of caution. Even if a patient is filling out something as simple as a form regarding on-site parking, this could potentially include PHI identifiers and should therefore be HIPAA compliant.

Secure Your Application

We have touched on this a bit above while discussing proper safeguards. In short, you want to be 100% certain that your application is secure and unauthorized users or cybercriminals cannot access PHI.

We recommend:

  • Local Session Timeout: This means your application will force re-authentication after set periods of inactivity. This safeguard ensures that, should a user accidentally leave themselves signed in, an unauthorized user cannot access the information in your application.
  • No PHI-Containing Push Notifications: Push notifications regarding PHI can easily be seen by unauthorized users and individuals other than the patient. If you do use push notifications for your application, they should only inform your patient about updates to the application or tell them they have a message in their patient portal.
  • A Robust SSL Certificate: Secure Sockets Layer (SSL), whose current versions are known as Transport Layer Security (TLS), is considered the industry standard for transferring data between servers and web browsers. SSL ensures that data is encrypted from end-to-end, preventing third parties from accessing PHI and other sensitive patient information.
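A sketch of the push-notification rule from the list above, as an added example that is not from the original post: only approved generic texts are ever sent, and a scan for some of the PHI identifier types listed earlier reports what a rejected message would have leaked. The approved texts, patterns, and payload fields are constructed for illustration.

```python
import re

# Heuristics for a few of the 18 identifier types; constructed patterns that
# catch obvious leaks only. They cannot recognise names or free-text diagnoses.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-. ]\d{3}[-. ]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b|\b\d{4}-\d{2}-\d{2}\b"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"https?://\S+", re.I),
}

# Allow-list of the only texts that may leave the server (hypothetical wording).
GENERIC = "You have a new message in your patient portal."
ALLOWED_BODIES = {GENERIC, "A new version of the app is available."}


def find_phi(text: str) -> list:
    """Return the sorted names of the identifier types detected in text."""
    return sorted(name for name, rx in PHI_PATTERNS.items() if rx.search(text))


def build_push(requested_body: str) -> dict:
    """Allow-list first: any non-approved text is replaced by the generic notice."""
    leaked = find_phi(requested_body)
    approved = requested_body in ALLOWED_BODIES and not leaked
    return {
        "body": requested_body if approved else GENERIC,
        "replaced": not approved,
        "leaked_types": leaked,  # for alerting only; never log the text itself
    }
```

The allow-list is the actual control here: a message such as "Dr. Lee updated your diabetes care plan" matches none of the patterns, yet it is still replaced because it is not an approved text.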

Validate Your Security

Both dynamic and static testing are necessary before rolling out your application to ensure there are no vulnerabilities. You should also run these tests after every single update. It is highly recommended you hire a third party to do a penetration test as well.

Validating your security regularly is vital to HIPAA compliance. If there is a security breach due to an overlooked vulnerability, your company could face legal ramifications.

Get The Final Greenlight From An Expert

You've done your due diligence and think you've been careful in following every single HIPAA protocol. Congratulations. However, you should always get confirmation from an experienced third-party expert and/or an attorney that your application meets all the legal requirements for HIPAA compliance.

As we touched on earlier, HIPAA is complicated and what constitutes compliance varies greatly from application to application. Even the most conscientious developers may inadvertently miss a step or overlook a security vulnerability. This is why evaluation from an objective third party is vital to ensuring compliance.

HIPAA Compliant Web Or Mobile Application Checklist: The Bottom Line

Ensuring HIPAA compliance takes a lot of work, but it is a vital part of creating any application that handles medical information. Not only does compliance protect your company from legal penalties, it is simply the right thing to do. Everyone has a right to privacy when it comes to their medical history and HIPAA was designed to keep sensitive information safe and secure.

Looking for solutions for your company? Xano is the fastest No Code Backend development platform on the market. We give you a scalable server, a flexible database, and a No code API builder that can transform, filter, and integrate with data from anywhere. Sign up here to get started.
