If you are in the healthcare domain and looking to build a mobile application that deals with protected health information, then chances are, you would have to be HIPAA compliant. The Health Insurance Portability and Accountability Act (HIPAA), along with health insurance portability, this law also put into place regulations that protect patient privacy, usually referred to as PHI (Protected Health Information), IIHI (Individually Identifiable Health Information) or ePHI (Electronic Protected Health Information). Protected Health Information includes any Individually Identifiable Health Information that is maintained in electronic media, transmitted by electronic media, transmitted or maintained in any other medium or form. To effectively protect this information in electronic format, IT professionals must understand what and who HIPAA pertains to.
As security concerns continue to plague firms, especially health tech businesses, HIPAA compliance has become a growing need for companies. But HIPAA compliance is expensive because it increases costs at every step of development as well as ongoing operational costs. At its core, HIPAA is just a checklist that your developers have to follow, but completing each item adds a lot of development hours, which will increase costs. Each vendor you work with needs to sign a Business Associate Agreement (BAA) with you, which assigns liability to them if there is a data breach caused because of something they failed to do. You’ll need to get a BAA signed by your host, software development service provider, and any other service you integrate into your app.
Take for instance you’re looking to build a telemedicine app with video conferencing capabilities, we’d need to find a video chat SDK that will sign a BAA, host your backend on a HIPAA compliant server from AWS or some other vendor willing to sign a BAA with you, and sign a BAA with you as your software development company. We can’t honor our BAA and push your product to production if you don’t acquire HIPAA compliant services from your hosting and video chat providers. There are no workarounds or shortcuts.
Let’s put this into perspective, so you know what you’re signing up for.
When you have to follow HIPAA Guidelines during development, vendors estimate this effort separately.
For HIPAA Hosting, there are several options, but everyone charges a premium.
AWS You need to get a reserved instance from AWS to get them to agree to sign a BAA. A single server (reserved instance) costs around $2,000/month when you sign a BAA with them. Typically, an AWS instance costs from $50-200 per month upwards.
Aptible - will sign a BAA with you starting at $1,000 per month. But you’ll likely need the Deploy option once you go to production.
Coming to HIPAA Security Audit, you’ll need to get an audit from a third-party to confirm that your vendors have followed all HIPAA guidelines. Even with experienced developers, having a third-party audit the product the vendors build, you will ensure that they’ve been compliant.
Third-Party Security Software: Based on the audit, your vendors may be asked to add third-party security software to monitor the application. Third-party security software can range from $500 to several thousand dollars per month.
When it comes to Live Video Chat Service, keep in mind that not every live chat service will sign a BAA with you. A service like TokBox will sign a BAA, but it can add up to several thousand dollars per year. We've built video chat telemedicine products for companies like Nova Telehealth.
You may not need the Live Video Chat service, but there could be some other third-party service that you’d like to integrate into your product and your vendors will have to search for a service that’s willing to sign a BAA with you. If they can’t find one, they’ll have to build a custom feature, which will further increase the development time and cost.
Compliance is basically documentation and maintaining that documentation. But documentation is a beast. You have to document what you’re going to do, document what you’re doing and document what you did. When you choose your path, make sure you the path you choose is one where you’re all in or get out. HIPAA should not be taken lightly, and the fines and penalties are severe.
HIPAA is not a one-and-done checklist, although it may appear that way. Being HIPAA compliant isn’t merely about satisfying the elements of the Security Rule or even documenting everything and keeping this documentation, it means you’re committing to build and sustain a culture of compliance within your business. HIPAA is a way of conducting business with those who are also bound by HIPAA compliance, and this is not a journey to be entered lightly into, ask us, we know.