“Gartner Listed - mobile application security guide”

April 6, 2016

HIPAA and mobile security

This is the first in a four part series on the Health Insurance Portability and Accountability Act (HIPAA) and mobile app security testing.

HIPAA is now a cause for concern as the insurance and health industries are becoming aware of the potential of using personal health data collected by wearables, phones, and health care professionals devices.

In part one we’ll look at what HIPAA is, what it regulates, and how it relates to health data.

A brief history of HIPAA

The Health Insurance Portability and Accountability Act is a federal law passed in 1996 that protects the privacy and security of health data enforced by the Office of Civil Rights (OCR) of the U.S. Department of Health and Human Services.

HIPAA was updated by the HITECH law in 2009 and supplemented with the HHS’ “Omnibus” rule. HIPAA, HITECH, and Omnibus are all considered part of HIPAA regulations. For an in depth look at the history of HIPAA take a look at this academic article.

What is HIPAA?

The HIPAA regulations define the obligations of regulated entities and penalties for non-compliance. Much like the Payment Card Industry Data Security Standard (PCI-DSS) the HIPAA regulations are for organisations as opposed to individual products or features.

As a regulated organisation HIPAA requires that you:

  1. Control the use of regulated data within your organisation and how it is disclosed to external organisations.
  2. Put in place formal policies and internal controls to manage data security and risk, including mobile app security testing.
  3. Identify, mitigate, and respond to security incidents and potential breaches of regulated data.

These are the top-level requirements of HIPAA regulation, it is far more complicated and detailed. There are hundreds of obligations and duties contained in the HSS audit protocol, click here for more information.

Who is regulated by HIPAA?

HIPAA’s regulation is limited to entities that handle data that has been or may be related to health insurance.

There are two categories of regulated entities under HIPAA.

  • Covered Entities: these are defined as health plans, health care clearinghouses, and health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards.
  • Business Associates: any organisations that use Protected Health Information(PHI) on behalf of a covered entity or another business associate. Business associate relationships are formalised under a contract known as the “Business Associate Agreement” or BAA.

Examples of business associates might be a third party administrator that assists a health plan with claims processing, a CPA firm that does accounting for a health care provider involving access to PHI or a lawyer whose legal services to a health plan involve access to protected health information.

Anyone in doubt of whether their organisation is regulated ought to consult a lawyer.

What data does HIPAA regulate?

Protected Health Information (PHI) is any information about health status, provision of health care, or payment for health care that is created or collected by a “Covered Entity” (or a Business Associate of a Covered Entity), and can be linked to a specific individual.

Codified Security is here to help make your mobile app secure whether it’s for iOS, Android, or to make sure you’re clearing the OWASP Mobile Top 10. For mobile app security testing in under a minute try out Codified Security.