HIPAA compliance for medical data in mobile app

NOVASOLUTIONS.TECHNOLOGY is engaged in the development, support and maintenance of iOS, Android and PWA mobile applications. We have extensive experience and expertise in publishing mobile applications in popular markets such as Google Play, App Store, Amazon, AppGallery and others.
Development and support of all types of mobile applications:
Information and entertainment mobile applications: news apps, games, reference guides, online catalogs, weather apps, fitness and health apps, travel apps, educational apps, social networks and messengers, quizzes, blogs and podcasts, forums, aggregators
E-commerce mobile applications: online stores, B2B apps, marketplaces, online exchanges, cashback services, exchanges, dropshipping platforms, loyalty programs, food and goods delivery, payment systems
Business process management mobile applications: CRM systems, ERP systems, project management, sales team tools, financial management, production management, logistics and delivery management, HR management, data monitoring systems
Electronic services mobile applications: classified ads platforms, online schools, online cinemas, electronic service platforms, cashback platforms, video hosting, thematic portals, online booking and scheduling platforms, online trading platforms

These are just some of the types of mobile applications we work with, and each of them may have its own specific features and functionality, tailored to the specific needs and goals of the client.

HIPAA compliance for medical data in mobile app (complexity: Complex; duration: from 1 week to 3 months)
Latest works:
  • Development of a mobile application for FEEDME
  • Development of a mobile application for XOOMER
  • Development of a mobile application for RHL
  • Development of a mobile application for ZIPPY
  • Development of a mobile application for Affhome
  • Development of a mobile application for the FLAVORS company

Ensuring HIPAA Compliance in Mobile Applications

HIPAA in mobile apps is about working with Protected Health Information (PHI). Diagnoses, prescriptions, lab results, medical history — all of it is PHI. If an app stores, transmits, or displays even one of the 18 HIPAA identifiers (name, DOB, address, phone, email, insurance number) linked to medical data, it falls under the law as a Business Associate or Covered Entity.

Technical Safeguards — Not Optional

The HIPAA Security Rule divides protective measures into Administrative, Physical, and Technical safeguards. Mobile development owns the Technical safeguards. Key requirements:

Encrypting PHI at Rest

On Android, PHI cannot live in plain SharedPreferences or unencrypted SQLite. The minimum is EncryptedSharedPreferences via AndroidX Security:

import android.content.Context
import androidx.security.crypto.EncryptedSharedPreferences
import androidx.security.crypto.MasterKey

// context: any Context, e.g. applicationContext.
// The master key is generated inside the Android Keystore and never leaves it.
// The user-authentication validity window (seconds) is the second argument of
// setUserAuthenticationRequired; MasterKey.Builder has no separate parameters call.
val masterKey = MasterKey.Builder(context)
    .setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
    .setUserAuthenticationRequired(true, 300)  // biometry/PIN required; key usable for 300 s after auth
    .build()

val encryptedPrefs = EncryptedSharedPreferences.create(
    context,
    "phi_secure_prefs",
    masterKey,
    EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
    EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM
)

For the database — SQLCipher, or Room with encryption supplied through a SupportSQLiteOpenHelper factory. On iOS — Core Data with NSPersistentStoreDescription and NSFileProtectionComplete:

import CoreData

let storeDescription = NSPersistentStoreDescription(url: storeURL)  // storeURL: path of the SQLite store
storeDescription.setOption(FileProtectionType.complete as NSObject,
                           forKey: NSPersistentStoreFileProtectionKey)
container.persistentStoreDescriptions = [storeDescription]  // container: NSPersistentContainer, set before loadPersistentStores

FileProtectionType.complete means the store is unreadable while the device is locked, even with physical access to the device. The app itself cannot open it in the background while the device is locked either, so background sync must expect a failed open.

Encrypting PHI in Transit

TLS 1.2 is the absolute minimum; TLS 1.3 is recommended. Certificate pinning is mandatory for PHI endpoints — traffic interception via a corporate proxy or a MITM attack must not yield access to medical data.

import okhttp3.CertificatePinner
import okhttp3.OkHttpClient

// OkHttp certificate pinning (host name and pin value below are placeholders)
val client = OkHttpClient.Builder()
    .certificatePinner(
        CertificatePinner.Builder()
            // Pin is the base64 SHA-256 of the certificate's SubjectPublicKeyInfo.
            // Keep a second .add(...) for the backup key so rotation cannot lock users out.
            .add("api.healthapp.example.com",
                 "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=")
            .build()
    )
    .build()

The pin must be updated 30+ days before certificate rotation — otherwise every user gets an SSLPeerUnverifiedException and the app stops working.

Automatic Session Logoff

HIPAA requires automatic session termination after inactivity. The typical timeout for medical apps is 5–15 minutes. Implemented with an app-state monitor such as the following:

import Foundation

class SessionTimeoutManager {
    private var lastActivityTime = Date()
    private let timeoutInterval: TimeInterval = 10 * 60  // 10 minutes

    // Injected so the manager has no direct auth or UI dependency
    private let lockSession: () -> Void    // e.g. authManager.lockSession()
    private let obscureScreen: () -> Void  // e.g. cover PHI with a placeholder view

    init(lockSession: @escaping () -> Void, obscureScreen: @escaping () -> Void) {
        self.lockSession = lockSession
        self.obscureScreen = obscureScreen
    }

    // Call from touch handlers and view appearance events
    func recordActivity() {
        lastActivityTime = Date()
    }

    // Call on a periodic timer and when the app returns to the foreground
    func checkTimeout() {
        if Date().timeIntervalSince(lastActivityTime) > timeoutInterval {
            // Lock app, require re-auth
            lockSession()
            // PHI must not be visible in App Switcher
            obscureScreen()
        }
    }
}

Important iOS note: when the app goes to the background, a screenshot of the screen is saved for the App Switcher. If the screen shows PHI — replace it with a placeholder in applicationWillResignActive.

PHI Access Audit

Every PHI access must be logged. This is not optional — it is the HIPAA Audit Controls requirement. Minimum fields per event:

  • User ID and role
  • Timestamp to second precision
  • Operation type (view, create, update, delete, export)
  • Patient ID (the identifier, never the name)
  • Resource ID (record, document)
  • IP address or Device ID

Logs are retained for 6 years (HIPAA retention). They must not be deleted or modified — use append-only storage.
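A worked example of such an append-only log, added here and not code from the page's author: each event carries the six minimum fields listed above plus a SHA-256 of the previous entry, so an in-place edit to any earlier line is caught on verification. It assumes a server-side JSON Lines file; the AuditLog class, the field names and the sample values are constructed for the example.

```python
"""Append-only, hash-chained PHI access audit log (added example)."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

OPERATIONS = {"view", "create", "update", "delete", "export"}
GENESIS = "0" * 64  # prev_hash of the very first entry


def entry_hash(entry: dict) -> str:
    """SHA-256 over the canonical JSON of every field except entry_hash."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditLog:
    """One JSON line per PHI access; each line commits to the one before it."""

    def __init__(self, path: str):
        self.path = path
        self.prev_hash = GENESIS
        if os.path.exists(path):  # resume the chain from the last line on disk
            with open(path) as f:
                for line in f:
                    self.prev_hash = json.loads(line)["entry_hash"]

    def append(self, user_id, role, operation, patient_id, resource_id, origin, now=None):
        if operation not in OPERATIONS:
            raise ValueError(f"unknown operation {operation!r}")
        stamp = (now or datetime.now(timezone.utc)).isoformat(timespec="seconds")
        entry = {
            "user_id": user_id,          # who
            "role": role,
            "timestamp": stamp,          # when: UTC, second precision
            "operation": operation,      # what
            "patient_id": patient_id,    # the identifier, never the name
            "resource_id": resource_id,  # record or document touched
            "origin": origin,            # IP address or device ID
            "prev_hash": self.prev_hash,
        }
        entry["entry_hash"] = entry_hash(entry)
        with open(self.path, "a") as f:  # opened for append only, never rewritten
            f.write(json.dumps(entry, sort_keys=True) + "\n")
        self.prev_hash = entry["entry_hash"]
        return entry

    def verify(self):
        """Walk the chain. Returns (True, count) or (False, index_of_first_bad_line)."""
        prev, count = GENESIS, 0
        with open(self.path) as f:
            for index, line in enumerate(f):
                entry = json.loads(line)
                if entry["prev_hash"] != prev or entry_hash(entry) != entry["entry_hash"]:
                    return False, index
                prev, count = entry["entry_hash"], count + 1
        return True, count


def demo() -> dict:
    """Write two entries, verify, then edit one line in place and verify again."""
    path = os.path.join(tempfile.mkdtemp(), "phi_audit.jsonl")
    log = AuditLog(path)
    when = datetime(2024, 5, 1, 9, 30, 0, tzinfo=timezone.utc)  # constructed timestamp
    first = log.append("u-42", "nurse", "view", "p-1001", "lab-7", "10.0.0.5", now=when)
    second = log.append("u-42", "nurse", "export", "p-1001", "lab-7", "10.0.0.5", now=when)
    intact = log.verify()
    # Constructed tampering: rewrite the first line with a different patient_id.
    with open(path) as f:
        lines = f.read().splitlines()
    edited = json.loads(lines[0])
    edited["patient_id"] = "p-2002"
    lines[0] = json.dumps(edited, sort_keys=True)
    with open(path, "w") as f:
        f.write("\n".join(lines) + "\n")
    return {
        "chained": second["prev_hash"] == first["entry_hash"],
        "intact": intact,                      # (True, 2)
        "tampered": AuditLog(path).verify(),   # (False, 0)
    }
```

The chain detects edits, insertions and deletions in the middle of the file, but not truncation of the tail: if the last entries are simply dropped, the shortened file still verifies. Anchor the latest entry_hash outside the log (a separate store, or object-lock/WORM storage that also satisfies the retention requirement) and compare it during verification.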

Backup and Recovery

PHI data must remain available even after a failure. Requirements: backups, recovery testing, and a documented Recovery Time Objective (RTO) and Recovery Point Objective (RPO). For mobile apps this is mostly the server side's job, but the mobile client must never be the sole PHI repository.

Business Associate Agreement

If the app uses cloud services for PHI processing — AWS, Google Cloud, Azure, Firebase — each needs a BAA (Business Associate Agreement). AWS and Google Cloud provide a BAA, but only for specific services. Firebase Crashlytics, for example, is not covered by the Google Cloud BAA, so Crashlytics data must not include anything that might be PHI (a user ID linkable to medical data is already potentially PHI).

Typical Development Mistakes

  • Logging PHI to Crashlytics without anonymization
  • Push notifications containing diagnosis text — a violation, even though they reach only the user's own device
  • Syncing via iCloud Drive without encryption
  • A debug-only certificate-pinning bypass accidentally left enabled in production
  • Missing FLAG_SECURE on PHI screens — data visible in the App Switcher
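For the first two mistakes in this list, an added example (not the page's code and not any crash-reporting SDK's API) of keeping PHI out of crash-report context before it leaves the device: structured keys are allowlisted, and every surviving value is scrubbed as free text against the current session's PHI values and generic identifier shapes. The key names, the SAFE_KEYS set and the sample context are this example's own assumptions.

```python
"""Scrubbing PHI out of crash-report context (added example)."""
import re

# Keys a crash report may carry. Anything else (user_id, patient_*,
# diagnosis, ...) is dropped outright rather than "anonymised".
SAFE_KEYS = {"app_version", "os_version", "device_model", "screen",
             "error_code", "install_id", "exception_message"}

# Generic identifier shapes that tend to leak through exception messages.
PATTERNS = [
    (re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"), "[EMAIL]"),
    (re.compile(r"\b\d{4}-\d{2}-\d{2}\b"), "[DATE]"),
]


def scrub_text(text: str, session_phi: set) -> str:
    """Replace known PHI values of the current session, then generic shapes."""
    # Longest values first, so "Jane Doe" is replaced before a shorter "Jane" could be.
    for value in sorted((v for v in session_phi if v), key=len, reverse=True):
        text = text.replace(value, "[PHI]")
    for pattern, label in PATTERNS:
        text = pattern.sub(label, text)
    return text


def sanitize_crash_context(context: dict, session_phi: set) -> dict:
    """Allowlist keys, then scrub each surviving value as free text."""
    return {k: scrub_text(str(v), session_phi)
            for k, v in context.items() if k in SAFE_KEYS}


def demo() -> dict:
    # Constructed crash context, as an app might assemble it before reporting.
    context = {
        "app_version": "3.4.1",
        "screen": "LabResultsScreen",
        "error_code": "E_RENDER",
        "install_id": "inst-9f3c",          # random per-install token, not the user ID
        "user_id": "u-42",                  # linkable to medical data: dropped
        "patient_name": "Jane Doe",         # dropped
        "diagnosis": "Type 2 diabetes",     # dropped
        "exception_message": "No renderer for result of Jane Doe (DOB 1980-03-14, jane.doe@example.com)",
    }
    # PHI values the app currently holds in memory for this session (constructed).
    session_phi = {"Jane Doe", "p-1001", "u-42"}
    return sanitize_crash_context(context, session_phi)
```

An allowlist is used instead of a blocklist so that a key a developer adds later is excluded by default; the scrub pass is the second line of defence for exception messages, which routinely embed the record they failed on. The same rule settles push notifications: the body should be a generic "new results available" string with the PHI fetched after the user unlocks the app, not scrubbed diagnosis text.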

Timeline

Task                               Time
Audit current app + gap analysis   3–5 days
Encryption at rest + in transit    3–5 days
Session timeout + lock screens     2–3 days
Audit logging with retention       3–4 days
BAA with all subprocessors + docs  3–7 days
Full HIPAA compliance              4–8 weeks

Cost is calculated individually after an architecture audit and a review of the PHI composition.