HIPAA Compliance vs. User Experience for mHealth Apps

How to design user-accessible apps while maintaining required security measures. Learn more and see how to approach these design opportunities.

Design an mHealth App That's User Accessible and Secure

One of the most common challenges we have experienced when developing mHealth apps for our clients is implementing administrative, physical and technical safeguards without compromising patient accessibility. While complying with HIPAA guidelines is a must, additional security can sometimes lead to user frustration. In this blog, we want to share some quick tips for data and mobile security practices, along with some methods for protecting the user experience that your UX/UI team has worked so hard to design.

When developing an mHealth app, it is crucial that you understand which types of information fall under the Health Insurance Portability and Accountability Act (HIPAA) and implement the necessary security measures. This blog will not feature a summary of HIPAA terms or regulations, so for those who are unfamiliar with HIPAA or need a refresher, here’s a link to the HIPAA Journal website.

Best Practices for HIPAA Compliant mHealth Apps

  1. Our first tip is quite simple – make sure your app actually needs to abide by HIPAA regulations. Most mHealth apps are only collecting Consumer Health Information (CHI) and don’t require nearly as much security.
  2. Only leverage the Patient Health Information (PHI) that you absolutely need in your application. Collecting PHI that you don’t need exposes you to unnecessary risk and requirements. For example, certain applications would require a birthdate or a name in order to provide a meaningful and relevant user experience (i.e., pulling up your patient profile so you can have a personalized user experience). Other times, it may only be necessary to ask for gender and age range in order to sort which appointment options are relevant and available. The first example would require HIPAA security whereas the second would not.
  3. Anytime your project involves third-party vendors, it is crucial that Business Associate Agreements (BAA) are signed and all parties comply with the defined administrative, physical and technical protocols. Your team might be buckled down, but a slip up by a vendor can put the whole project on hold.
  4. Double check the FDA definition of a medical device. The FDA classifies an app as a medical device if it records, stores, processes or derives patient-specific information. If your app falls under the FDA definition of a medical device, it will need to comply with additional regulations.
  5. As a general rule of thumb, it is always a great idea to encrypt the data used within your app.
  6. Think twice about caching data. Any data that is accessed, transmitted or stored within your mHealth app must adhere to all safeguards, so caching data can lead to more headaches than it alleviates.
  7. As for mobile security, implementing some common practices like two-factor authentication and session timeout will add extra physical security to your platform on top of the technical ones listed above.
  8. Common features that are often inadvertently left unprotected are push notifications and messaging. Do not forget to scope the appropriate safeguards for this functionality, as it can lead to a costly violation.
  9. Finally, make sure the development team you’re working with has experience building and designing the necessary security architecture required for HIPAA compliance. The learning curve for HIPAA compliance is steep, and working with an inexperienced team could elongate your project timeline.
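
An added example for tip 8 (not code from the original post): one way to keep PHI out of push notifications is to send only generic text plus a random reference, and let the app fetch the real content after the user signs in. The event shape, field names and sample values below are assumptions constructed for illustration.

```javascript
// Added example, not from the original post. Names and wording are constructed.
const { randomBytes } = require("crypto");

// Generic lock-screen text per event type: nothing here identifies a patient or condition.
const GENERIC_TEXT = new Map([
  ["new_message", "You have a new secure message."],
  ["appointment", "You have an appointment update."],
  ["lab_result", "New information is available in your account."],
]);
const ALLOWED_KEYS = new Set(["title", "body", "ref", "type"]);
const refStore = new Map(); // stand-in for a server-side table: opaque ref -> record

function buildPushPayload(event) {
  const body = GENERIC_TEXT.get(event.type);
  if (!body) throw new Error(`unknown event type: ${event.type}`);
  const ref = randomBytes(16).toString("hex"); // random, carries no meaning
  refStore.set(ref, { userId: event.userId, recordId: event.recordId });
  return { title: "Health App", body, ref, type: event.type };
}

// Guard to run just before a payload is handed to the push provider.
function assertNoPhi(payload, event) {
  for (const key of Object.keys(payload)) {
    if (!ALLOWED_KEYS.has(key)) throw new Error(`disallowed key: ${key}`);
  }
  const serialized = JSON.stringify(payload).toLowerCase();
  for (const value of Object.values(event.sensitive || {})) {
    if (serialized.includes(String(value).toLowerCase())) {
      throw new Error("payload leaks a sensitive value");
    }
  }
  return true;
}

// Called by the app after sign-in; the ref alone never unlocks a record.
function resolveRef(ref, authenticatedUserId) {
  const entry = refStore.get(ref);
  if (!entry || entry.userId !== authenticatedUserId) return null;
  return entry.recordId;
}

// Constructed sample event.
const sampleEvent = {
  type: "lab_result", userId: "u-1001", recordId: "rec-77",
  sensitive: { name: "Jane Example", test: "HbA1c", value: "6.9%" },
};
const payload = buildPushPayload(sampleEvent);
assertNoPhi(payload, sampleEvent);
console.log(payload);
```
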

Balance Accessibility by Anticipating User Frustration

The popularity of mHealth apps is increasing, but that does not guarantee that your patients will begin using yours right away. While adhering to HIPAA regulations is critical, it is also important to remember that your mHealth app must improve the patient experience or they simply will not adopt it as part of their patient journey. In our experience working on mHealth apps, physical security safeguards like two-factor authentication and session timeout are typically what cause the most frustration amongst users. We believe this occurs because of a lack of explanation. Take into consideration the target audience of your application – most are probably unfamiliar with HIPAA in the first place and uninformed on the rationale behind certain security features. Additionally, a large majority of your users may be older and less technologically savvy. In past projects, we have encouraged our clients to prepare for these challenges by including brief instructional overlays and onboarding pages into the user interface.

Research shows that implementing a solid onboarding process can significantly increase user retention rates. That being said, educating your users must be done the right way in order to be effective. In some cases, it may be best to display a clear, succinct privacy policy for all users when they first download the app. For instructional overlays, it is important to keep the content very short and focused. We recommend that any displayed text is easily scannable since it is usually dismissed quickly and not read in its entirety. If you choose to incorporate onboarding screens into your application, it is best to keep it to a maximum of three slides and incorporate pictures wherever possible.

Design Your App With Security in Mind

Designing and developing a successful mHealth app can be extremely difficult due to the stringent regulations placed on the healthcare industry; however, the dividends can make it more than worthwhile as an increasing percentage of the population begins to leverage their mobile smart devices in new ways. Developing custom software applications can be a large investment, so don’t let security shortcomings undermine your project. Find a development partner with experience building HIPAA-compliant apps, and take extra time to determine which safeguards are necessary to both protect patient information and improve the overall patient experience.
