My enterprise recently developed a mobile fitness application. While it's not legally required for app developers to be HIPAA-compliant, do you think it's worth the money and effort to become compliant?
Generally speaking, no -- making mobile fitness apps and fitness bands HIPAA-compliant isn't worth it. Unless there is a reason to believe the app may process protected health information in the near future, you probably shouldn't incur the expense of becoming HIPAA-compliant. HIPAA compliance is simply too onerous a burden to place on an organization unless mandated by law, and the benefits gained are marginal at best.
That is not to say, of course, that security should not be important to the makers of a mobile fitness app or fitness band. While the organization might not be subject to HIPAA fines, the brand will suffer in the event of what the public views as a preventable security breach. Instead of investing in the bureaucratic controls required to become HIPAA-compliant, invest in a robust information security program custom-tailored to prevent the risk of a security breach at your organization. One component of that program should focus on the security of the mobile application and any underlying data stores. Conduct penetration testing against the application and ensure it properly implements the desired security controls.
This program may include many of the controls found in a HIPAA compliance program, but without the administrative burden imposed by government regulation. For example, a security program might incorporate the use of encryption, intrusion detection, application security controls, Web application firewalls and other sound security practices that are commonly used in the industry. Taking steps now to protect yourself may pay great dividends down the road.