
Should mobile fitness apps be HIPAA-compliant?

Mobile fitness apps can contain personal data, so should they be HIPAA-compliant? Expert Mike Chapple explains why that's not the right approach.

My enterprise recently developed a mobile fitness application. While it's not legally required for app developers to be HIPAA-compliant, do you think it's worth the money and effort to become compliant?

Generally speaking, no -- making mobile fitness apps and fitness bands HIPAA-compliant isn't worth it. Unless there is a reason to believe the app may process protected health information in the near future, you probably shouldn't incur the expense of becoming HIPAA-compliant. HIPAA compliance is simply too onerous a burden to place on an organization unless mandated by law, and the benefits gained are marginal at best.

That is not to say, of course, that security should not be important to the makers of a mobile fitness app or fitness band. While the organization might not be subject to HIPAA fines, the brand will suffer in the event of what the public views as a preventable security breach. Instead of investing in the bureaucratic controls required to become HIPAA-compliant, invest in a robust information security program tailored to reduce the risk of a security breach at your organization. One component of that program should focus on the security of the mobile application and any underlying data stores. Conduct penetration testing against the application and ensure it properly implements the desired security controls.

This program may include many of the controls found in a HIPAA compliance program, but without the administrative burden imposed by government regulation. For example, a security program might incorporate the use of encryption, intrusion detection, application security controls, Web application firewalls and other sound security practices that are commonly used in the industry. Taking steps now to protect yourself may pay great dividends down the road.


This was last published in January 2015


I like the approach taken of prioritizing being secure first and not taking on the huge process of being HIPAA-compliant as the standard for a secure app. Patients today expect to find gluten-free menu options during a hospital stay, and they might soon expect mobile fitness tracking to be part of their treatment plan. App designers should still start by designing for a target end user with the essential security practices described in this article. When a huge order comes in from a medical practice to transport patients' fitness data, that's the time to undertake HIPAA and charge more for it than the base app.

I agree that it opens a whole can of worms if you're going to require app developers and companies that might traditionally fall outside of HIPAA to be held to the same requirements as hospitals and health providers. Do you want every sneaker manufacturer - if they create a smart sneaker - to be responsible? Do you need smart watch folks like Apple and Fitbit to do so? Where would the line stop?