My enterprise recently developed a mobile fitness application. While it's not legally required for app developers to be HIPAA-compliant, do you think it's worth the money and effort to become compliant?
Generally speaking, no -- making mobile fitness apps and fitness bands HIPAA-compliant isn't worth it. Unless there is a reason to believe the app may process protected health information in the near future, you probably shouldn't incur the expense of becoming HIPAA-compliant. HIPAA compliance is simply too onerous a burden to place on an organization unless mandated by law, and the benefits gained are marginal at best.
That is not to say, of course, that security should not be important to the makers of a mobile fitness app or fitness band. While the organization might not be subject to HIPAA fines, the brand will suffer in the event of what the public views as a preventable security breach. Instead of investing in the bureaucratic controls required to become HIPAA-compliant, invest in a robust information security program custom-tailored to prevent the risk of a security breach at your organization. One component of that program should focus on the security of the mobile application and any underlying data stores. Conduct penetration testing against the application and ensure it properly implements the desired security controls.
This program may include many of the controls found in a HIPAA compliance program, but without the administrative burden imposed by government regulation. For example, a security program might incorporate the use of encryption, intrusion detection, application security controls, Web application firewalls and other sound security practices that are commonly used in the industry. Taking steps now to protect yourself may pay great dividends down the road.
Ask the Expert!
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today! (All questions are anonymous.)