Building a mobile application that will communicate personal health data between the user and a cloud service, what regulatory measures need to be taken?

The data is "protected health information" (PHI), so the app + cloud service definitely need to be HIPAA compliant. What all needs to be done to make sure the system I build passes the grade, and how would I get the system officially certified? What about FDA approval (if the PHI includes medication info)?

I've seen a few helpful sources of info like [1, 2], but is there a comprehensive checklist of requirements and best practices that I haven't come across? Given what's at stake and the repercussions I don't want to leave any stone unturned!

[1] https://aws.amazon.com/quickstart/architecture/compliance-hipaa/
[2] https://www.peerbits.com/blog/hipaa-compliance-mobile-app-development.html
One baseline to think about is SOC-II compliance. You'll also need training for your organization and certain designated people that are responsible for security. You'll want a third party to audit your architecture / pentest your systems. Finally, a lot of pressure will be from whoever you may be working with (hospitals, clinics, data brokers, etc.) with respect to proving your security. They'll put you through their own IT and security audits. In terms of FDA clearance, you'll want to look into the 510(k) fast track, and look for similar systems to yours. I've worked at an algorithm-oriented HIPAA compliant startup and don't know a ton, but would be happy to discuss my experience with you. email hn at funk.dog
I recently went through setting up a HIPAA compliant web app. The team is small and has no dedicated DevOps so I went looking for a PaaS solution. After extensive researching and trialing, I went with Healthcare Blocks. They provide a great experience and were the only company that offered a sane price point for an early stage startup. Honorable mention to Aptible, especially their Gridiron product that we will eventually use.

I think another viable route is hiring a contractor to build out your environment for you. We got a quote from an AWS contractor and it was reasonable for our setup, but ultimately we really wanted a PaaS. Unless you're an expert in HIPAA and the cloud platform you're looking at, it's not something I would recommend tackling on your own.

Remember that there are a lot of non-tech parts of compliance to consider as well, such as training, physical security, security assessments, etc.
FWIW, Amazon's quickstart doesn't reference its WorkDocs product, which is now "HIPAA eligible."[0] I'm not sure about any over-and-above pricing, but the core service pricing is reasonable, if it fits into your workflow.

[0] https://aws.amazon.com/about-aws/whats-new/2017/07/amazon-workdocs-achieves-hipaa-eligibility-and-pci-dss-compliance/
I was looking at developing a HIPAA compliant app a few years ago; I was going to use https://www.truevault.com/.

Ultimately I decided against doing anything that requires HIPAA compliance.