Researchkit: The Challenges of HIPAA Compliance with Appsby Priya Menon
Bake your own Mobile Research App. No coding. No upfront cost.Register Now
HIPAA (Health Insurance Portability and Accountability Act) compliance is a key concern when developing healthcare information systems. Whether an organization employs a secure messaging application to connect patients to doctors, or invests in cloud storage, security and privacy issues continue to be of prime consideration (and often unease and some cases, hefty fines).
The recent news about Apple looking for an attorney who has expertise in the health field and HIPAA compliance brings to fore the seriousness of researchkit privacy and security issues.
Understanding HIPAA in the ResearchKit App Context
HIPAA laws include a strict set of standards for managing the privacy and security of all protected health-related information. Whether a company/organization/individual building an Apple ResearchKit or HealthKit App needs to meet HIPAA compliance, comes down to what the App intends to do with data being collected.
With regards to protecting the privacy of individuals information, ResearchKit’s Technical Overview states that ResearchKit does not comply with ‘international research regulations and HIPAA guidelines’. It further states ‘these are the researcher’s responsibility’, essentially putting the onus of ensuring privacy and security on the app builders and researchers.
A ResearchKit study app may collect a person’s name, age, and medical conditions. In the context of privacy protection, this information becomes Protected Health Information (PHI) and thus invokes HIPAA’s stipulation to ensure safeguards are in place to protect such information. Furthermore, if an app enables a patient to provide information which is shared with a healthcare organization/provider; the shared information would come under HIPAA protection, once the organization conducting the research receives it.
5 Most Frequently encountered HIPAA Hurdles and their Solutions
Let us look at some of the key considerations with regard to data privacy and security that developers may encounter with researchkit app studies.
- Establishing legitimacy with your app users: It is extremely important that your study app participants have no doubt that the app is indeed developed by you and that the data collected will be submitted to you and not some malicious developer. One of the safeguards in this regard is the Apple Approval process – they make sure the app is indeed being submitted by the person/organization claimed, as they require developer sign up plus request an IRB approval for the study. App developers should also use https connections for any data transfers and have digital certificates that recognize and match their identity as claimed in the App
- Ensuring study participants are clear about data gathering and use: It is critical that potential study participants understand what data will be collected and how it will be used and this is usually handled in the consent process. Research kit consent module specifically has sections to describe data use, data gathering and ensuring privacy of this information ( see samples from our America Walks Study app of Data use and access considerations).
- Access to data: It is important to make it clear to users what data the app will have access to and for how long, particularly if the data is to be read passively from Apple’s HealthKit or phone sensors. ResearchKit interfaces with apps Apple’s HealthKit framework making it possible for the research App to get an enormous amount of health-related data, as other Apps may write to HealthKit. To safeguard privacy, Apple ensures that any access to Healthkit data is only made upon explicit approval by the user for each data element. There’s also the possibility that a user may forget that they’re taking part in the study, so it is important that Apps only access data as long as needed for the study and provide users notifications once the study participation duration is over (in America Walks users are notified once 30 days of participation being completed and all passive data collection stops)
It is also very important that access to the collected data be controlled so that unauthorized and unintended uses are prevented. Usually, this is achieved by controlling access to the study database to select individuals and implementing audit trails on the database servers.
- Providing withdrawal options: All app studies should clearly state withdrawal options that are available for the participants. Participants can use this to opt out of the study. This is part of the informed consent process. In AWS, withdrawal options appears as in the screen below.
- How to ensure that minors participate with parental consent: One of the challenges with research study apps is that once they are made available in the App store they can be downloaded by anyone. In case of research study apps, what if a minor downloads the app? How can the researchers truly verify that if one is a minor then consent is obtained from a legal guardian. Or alternatively if the study requires participation from 18 or older, how to ascertain that the person is indeed above 18. One mechanism for this is to simply ask patients to self-report if they are above 18 or not (we have used this in America Walks) and this can work for some kind of studies but not all. For those studies in which it is required that parental consent is verified, it is possible for study teams to enroll such patients offline and then issue them a study identifier or pin that they can use to identify themselves as the consented participant when using the App.
App based data collection does have its advantages when compared to data collection in a patient treatment setting wherein chronically ill people find it difficult to share their health data to researchers for clinical studies they find are important and may help them! However, all researchkit app developers have to bear in mind that HIPAA compliance is their responsibility and they have to ensure that transmitted and stored data is encrypted and secure.
Privacy and security issues are top priority even as new technologies are implemented. Regular risk assessments and training of employees will be useful as healthcare ecosystem becomes more data-centric and technical options become more intricate.