

Should mobile fitness apps be HIPAA-compliant?

Mobile fitness apps can contain personal data, so should they be HIPAA-compliant? Expert Mike Chapple explains why that's not the right approach.

My enterprise recently developed a mobile fitness application. While it's not legally required for app developers to be HIPAA-compliant, do you think it's worth the money and effort to become compliant?

Generally speaking, no -- making mobile fitness apps and fitness bands HIPAA-compliant isn't worth it. Unless there is a reason to believe the app may process protected health information in the near future, you probably shouldn't incur the expense of becoming HIPAA-compliant. HIPAA compliance is simply too onerous a burden to place on an organization unless mandated by law, and the benefits gained are marginal at best.

That is not to say, of course, that security should not be important to the makers of a mobile fitness app or fitness band. While the organization might not be subject to HIPAA fines, the brand will suffer in the event of what the public views as a preventable security breach. Instead of investing in the bureaucratic controls required to become HIPAA-compliant, invest in a robust information security program tailored to reduce the risk of a security breach at your organization. One component of that program should focus on the security of the mobile application and any underlying data stores. Conduct penetration testing against the application and ensure it properly implements the desired security controls.

This program may include many of the controls found in a HIPAA compliance program, but without the administrative burden imposed by government regulation. For example, a security program might incorporate the use of encryption, intrusion detection, application security controls, Web application firewalls and other sound security practices that are commonly used in the industry. Taking steps now to protect yourself may pay great dividends down the road.



This was last published in January 2015
