Xcertia has released a new draft of proposed privacy and security guidelines for mHealth apps.
The non-profit organization launched in 2016 by the Healthcare Information and Management Systems Society, American Medical Association, American Heart Association and the DHX Group is seeking public comment on the guidelines until early December and plans to release final standards at the HIMSS19 conference next February in Orlando.
“As the industry continues to deal with breaches of personal data and information, we made a decision to accelerate the release of this part of the guidelines in an attempt to address these issues,” Chuck Parker, Xcertia’s managing director, said in a press release.
The collaboration is the largest and most notable effort in the mHealth and telehealth community to create a framework for testing and certifying the more than 318,000 apps now on the market. The group’s goal is to “advance the body of knowledge around clinical content, usability, privacy and security, interoperability and evidence of efficacy.”
The new document outlines six mHealth app guidelines related to privacy: notice of use and disclosure; data retention; access mechanisms; Health Insurance Portability and Accountability Act (HIPAA) Entity and Business Associate considerations; Children’s Online Privacy Protection Act (COPPA) requirements; and conformity with the European Union’s General Data Protection Regulation (GDPR).
Suggested privacy guidelines would require the app to:
- Disclose to the user how data is collected, used and retained and who has access to it.
- Explain how long data is kept and the business case for doing so.
- Require the user’s consent to access information from address books, credit cards, location services, photos or social media platforms.
- Disclose whether a user’s protected health information is handled by a third-party business associate.
- Require compliance with HIPAA privacy and security provisions.
- Take steps to protect children, including app use by children under 13.
- Comply with the EU’s GDPR if the app processes information about, or sells goods or services to, citizens of the European Union.
Nine guidelines are related to mHealth app security: security operations; vulnerability management; systems and communication protection; compliance; access control and authentication; asset management; physical and environmental security; incident response; and disaster recovery and business continuity.
Among the suggested guidelines for security, the app must:
- Create administrative, physical and technical safeguards to protect user information.
- Prohibit malicious code or software in any advertising on the app.
- Use encryption to protect user names and passwords.
- Use industry-accepted measures to prevent identity theft.
- Set out a methodology for documenting any personal information that is collected, stored or transmitted.
- Have a physical security program, an incident-reporting system and a disaster-recovery and business-continuity plan.