Health Data Startup Addresses HIPAA Issues Apple Hasn’t
Health and fitness-tracking apps and devices are set to take off. Growth in the area, driven by platforms developed by Apple (NASDAQ:AAPL) and Samsung (SSNLF.PK), will propel the adoption of these apps and services both by consumers and by healthcare systems and providers. As VentureBeat’s Mark Sullivan reports, these health apps and services will come under the jurisdiction of the Health Insurance Portability and Accountability Act (HIPAA) regulations over the privacy of personal health data.
Those regulations were widened last year to safeguard users’ “protected health information” not only at clinics, hospitals, and insurance companies, but also in computer systems that manage health data, and as apps blur the distinction between services created for consumers and services created for the healthcare industry, developers will need to consider how to make their apps’ handling of data HIPAA-compliant.
Medable, a Palo Alto startup co-founded by Stanford physician Michelle Longmire, is prepared for that challenge. It offers a platform that enables the easy development of apps that comply with HIPAA’s security and privacy regulations. Apps built on Medable’s platform will be able to safely and legally share users’ data with healthcare providers, making it possible for developers to build apps where users will be able to communicate with doctors, nurses, and caregivers, plus track, visualize, and share the health-related data that they collect with their smartphone and any connected devices. Medable offers developers a variety of options, including its platform as a service, cloud services, an assortment of APIs, and an integrator partner program. Though Medable is a mobile-first service, the platform enables developers to build desktop, tablet, and web apps as well.
In a post on Medable’s blog, Trevor Goss writes that the company’s mission is “to make health data universally accessible and connected.” Goss refers to Medable as “the world’s first medical-grade platform-as-a-service,” which will enable developers, doctors, hospitals, medical device manufacturers, and others to quickly and “easily build HIPAA-compliant applications and services.” Medable says “medical-grade” refers to the platform’s ability to support both clinical applications — with features such as communication between healthcare providers and patients, collaboration among patients and multiple providers or providers and multiple patients or other providers, and patient-controlled data sharing — plus personal health information — compliant with HIPAA and compatible with wearables, implantables, and in-home devices.
Sullivan reports that developers will be able to use Medable to build new apps, or integrate its features into existing apps. Longmire told VentureBeat that Medable offers features like patient and provider profiles, two-factor authentication, and security-conscious push messaging. They’re all available in Medable’s software development kit and API. Medable uses the HL7 clinical data format, also used by the majority of health record systems, so that it can integrate with or exchange data with any record system that uses the format. The platform can also anonymize large amounts of data for clinical study, and enables both HIPAA auditing and clinical data reporting.
As Sullivan puts it, the Medable platform “gets app developers out of the privacy and compliance business, at least where it concerns sharing data with hospitals or medical groups.” Longmire tells him that, “Medable allows developers to focus on the content of their apps, instead of on data security.”
Sullivan noted in June that what determines whether HIPAA requirements apply to a given app is “who is handling the data.” In the past, consumer apps have been clearly separated from apps intended for doctors and other healthcare providers. But with the growing prevalence of cloud services that enable the uploading and sharing of data, those lines blur. Apps that enable consumers to transmit their data to the cloud, where healthcare providers access it and can provide feedback, will likely need to be HIPAA-compliant because the widening regulations can be interpreted to include app developers whose apps “manage and transmit” protected health information.
Both Apple and Samsung will have HIPAA regulations to contend with as they develop HealthKit and SAMI, as both platforms are clearly intended to collect and send patient health data. That’s especially clear given that both companies are reportedly working with Epic, an electronic health record software provider. But neither company has yet unveiled detailed plans for data security in those platforms.
Since Apple’s HealthKit allows for apps to share data with each other, HIPAA compliance should become especially important for apps integrated with the platform. But just as app developers are unlikely to want to get into the privacy compliance business, Apple and Samsung aren’t likely to want to actively enforce HIPAA compliance as a requirement for apps to be accepted into their app stores. That’s partially because HIPAA was written well before the development of the iPhone, and even with last year’s amendments, the terminology it uses leaves some room for interpretation.
Following Apple’s announcement of HealthKit and the corresponding Health app at the Worldwide Developers Conference, several websites have posted guides for developers who are researching the daunting task of complying with HIPAA’s regulations without much guidance from Apple. Most developers simply don’t know much about the regulations, and how they relate to the apps and services that new technologies and platforms make possible. But HIPAA places responsibility on the shoulders of developers, who will need to make sure that apps that deal with protected health information account for privacy and security in communications, notifications, data sharing, and data storage.
Developers have a few options, like Medable, to remove the burden of compliance from their shoulders. TrueVault provides a secure and HIPAA-compliant API for the storage of health data, and Accountable offers HIPAA compliance management as a service. Medable’s Longmire told Stephanie Baum of MedCity News last year that she wanted Medable to be “one of the key utilities for clinical health.” At the time, Longmire estimated that HIPAA compliance represented as much as 80 percent of app development costs, and said that the process could delay an app’s release for up to a year. Longmire told Baum that she envisions Medable as a solution to save developers both time and money:
“She sees plenty of scope for Medable’s platform to be used by small developers to health systems and companies across the health ecosystem. Longmire likens the company’s business model to Dropbox – there’s a freemium, but it scales with data utilization.”
Though the development of the health app sphere is largely still in its infancy, it seems inevitable that many, if not most, of the health-related apps that consumers will use in the future will share data with doctors, clinics, or hospitals. That makes HIPAA regulation of apps and services not only inevitable but truly necessary, and Medable seems to have hit on an idea that could turn out to be a smart and far-reaching solution for developers building for Apple, Samsung, and a variety of other platforms.
The introduction of platforms like HealthKit and SAMI should represent a turning point in discussions about privacy and security compliance, so that it will be more clear what apps and services need to do to be compliant and secure while delivering innovation to consumers and healthcare professionals. But for individual app developers, a service like Medable may be all they need.
If several health apps — or even one — are built on Medable’s platform, that could set a precedent and get more developers on board, both with HIPAA and with Medable. HIPAA-compliant apps that collect patient data, enable better communication between doctor and patient, and are compatible with the records systems that most healthcare providers already use are a benefit for patients, healthcare providers, and regulators. These apps and services, intended for both consumers and providers, will very likely represent the future of health apps.