HIPAA Compliance Checklist for Mobile Health App Development

HIPAA violations cost US healthcare organizations over $10 billion in 2025. For mobile health app developers, compliance isn't optional — it's a fundamental technical requirement that must be designed in from day one, not bolted on at the end.

Does Your App Need HIPAA Compliance?

HIPAA applies to your app if it meets these conditions:

  • You are a Covered Entity (healthcare provider, health plan, or clearinghouse) or a Business Associate working with one
  • Your app creates, receives, maintains, or transmits Protected Health Information (PHI)

PHI includes: names, addresses, dates (except year), phone numbers, email addresses, SSNs, medical record numbers, health plan beneficiary numbers, account numbers, biometric identifiers, full-face photographs, and any health/treatment data linked to an individual.

Common Mistake: Many developers assume their wellness app doesn't need HIPAA compliance because it's "just fitness data." If your app shares data with a healthcare provider, insurer, or clinical system, you likely qualify as a Business Associate and must comply.

The Complete HIPAA Technical Safeguards Checklist

✅ Encryption

  • All PHI encrypted at rest using AES-256
  • All PHI encrypted in transit using TLS 1.2 minimum (TLS 1.3 recommended)
  • Mobile device storage encrypted (iOS Data Protection, Android Keystore)
  • Database-level encryption enabled
  • Encryption keys stored separately from encrypted data (AWS KMS, Azure Key Vault)
  • End-to-end encryption for messaging features containing PHI

✅ Access Controls

  • Role-Based Access Control (RBAC) implemented — users see only what they need
  • Multi-factor authentication (MFA) required for all privileged users
  • Automatic session timeout after 15 minutes of inactivity (configurable)
  • Strong password policies enforced (12+ chars, complexity requirements)
  • Unique user IDs — no shared logins
  • Emergency access procedure documented and tested
  • API authentication using OAuth 2.0 or equivalent

✅ Audit Controls

  • All PHI access events logged (user ID, timestamp, record accessed, action taken)
  • Logs stored securely and tamper-proof (separate log storage, WORM storage preferred)
  • Log retention minimum 6 years (HIPAA requirement)
  • Automated anomaly detection and alerting for unusual access patterns
  • Regular log review process defined and executed
  • Failed login attempt logging and automated lockout
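The audit-control items above can be illustrated with a hash-chained PHI access log. This is an added example, not code from the article or from any product it mentions; the `AuditLog` class, the `unusual_readers` rule and the sample events (placeholder MRN values, not real PHI) are all constructed here. Each entry records user ID, timestamp, record accessed and action, and carries the previous entry's hash, so an edited, reordered or deleted past entry breaks verification.

```python
import hashlib
import json

GENESIS = "0" * 64
FIELDS = ("user_id", "record_id", "action", "ts", "prev")

def _digest(body):
    # Canonical JSON so verification re-hashes exactly the bytes that were hashed.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class AuditLog:
    """Append-only PHI access log; each entry chains to the previous entry's hash."""

    def __init__(self):
        self.entries = []

    def record(self, user_id, record_id, action, ts):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"user_id": user_id, "record_id": record_id, "action": action,
                "ts": ts, "prev": prev}
        entry = dict(body, hash=_digest(body))
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Index of the first edited, reordered or orphaned entry, or -1 if intact."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["prev"] != prev or _digest({k: e[k] for k in FIELDS}) != e["hash"]:
                return i
            prev = e["hash"]
        return -1

def unusual_readers(log, max_distinct_records):
    """Simple anomaly rule: users who read more distinct patient charts than expected."""
    seen = {}
    for e in log.entries:
        if e["action"] == "read":
            seen.setdefault(e["user_id"], set()).add(e["record_id"])
    return sorted(u for u, recs in seen.items() if len(recs) > max_distinct_records)

def build_sample_log():
    # Constructed sample events; the MRN values are placeholders, not real PHI.
    log = AuditLog()
    log.record("nurse17", "MRN-0001", "read", "2025-01-05T09:00:00+00:00")
    log.record("nurse17", "MRN-0001", "update", "2025-01-05T09:02:00+00:00")
    for n in range(1, 6):  # one account pulling five different charts after hours
        log.record("analyst9", f"MRN-{n:04d}", "read", f"2025-01-05T22:{n:02d}:00+00:00")
    return log
```

A chain alone cannot detect truncation of the newest entries, so the latest hash should be periodically anchored in the separate, write-once log store the checklist calls for.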

✅ Integrity Controls

  • Data integrity verification for PHI at rest (checksums, digital signatures)
  • PHI modification requires authorization and is logged
  • Data validation on all API inputs to prevent injection and corruption
  • Database backups encrypted and integrity-checked

✅ Transmission Security

  • Certificate pinning implemented in mobile apps
  • No PHI in URL query parameters (use POST body or headers)
  • No PHI in application logs or crash reports
  • Secure push notifications — don't include PHI in notification payload
  • VPN required for admin/internal access to PHI systems

Business Associate Agreements (BAAs)

A BAA is a legally binding contract required between a Covered Entity and any vendor that handles PHI on their behalf. You need BAAs with every third-party service that may process, store, or transmit PHI:

  • Cloud providers (AWS HIPAA BAA, Google Cloud BAA, Azure BAA)
  • Video conferencing (Twilio HIPAA, Daily.co, Zoom Healthcare)
  • Email providers (Amazon SES Healthcare, SendGrid BAA)
  • Analytics platforms (only HIPAA-compliant options; many standard analytics tools are NOT HIPAA eligible)
  • Customer support tools (Zendesk, Intercom — verify BAA availability)
  • Push notification services (Firebase Cloud Messaging may require special configuration)

Critical: Using Google Analytics, Mixpanel, Amplitude, or similar analytics tools with PHI-linked events likely violates HIPAA. Use HIPAA-eligible analytics alternatives or anonymize all data before sending to these platforms.

Mobile-Specific HIPAA Requirements

iOS

  • Enable Data Protection API (complete protection class for sensitive files)
  • Disable app screenshots in the app switcher when PHI is visible
  • Clear clipboard after app background/terminate
  • No PHI in app debug logs (NSLog, os_log)
  • Keychain for sensitive credential storage
  • Face ID / Touch ID optional but must not be sole authentication factor

Android

  • Android Keystore for credential and key storage
  • FLAG_SECURE to prevent screenshots in task switcher
  • Clear clipboard on app lifecycle events
  • ProGuard/R8 obfuscation to prevent reverse engineering
  • Certificate pinning to prevent MITM attacks
  • No PHI in Android logs (Log.d, Log.e)

Breach Notification Requirements

Despite best efforts, breaches happen. HIPAA requires:

  1. Individual notification: Notify affected patients within 60 days of discovering a breach
  2. HHS notification: Report to HHS Office for Civil Rights within 60 days (or annually for smaller breaches)
  3. Media notification: If 500+ individuals in a state are affected, notify prominent media outlets
  4. Breach documentation: Document every breach regardless of size, including those determined to be low-risk

HIPAA Compliance Documentation

HIPAA requires you to document all compliance activities. Essential documents:

  • Security Risk Assessment (SRA) — required annually
  • Security policies and procedures
  • BAA register
  • Employee training records
  • Incident response plan and breach notification procedures
  • Disaster recovery and business continuity plan
  • Penetration testing reports

Need a HIPAA-Compliant App Built?

TodayInTech builds HIPAA-compliant health applications with end-to-end security architecture, documentation, and BAA support. We've helped 50+ healthcare organizations achieve and maintain compliance.

Conclusion

HIPAA compliance for mobile health apps is a multi-layered challenge touching encryption, access control, audit logging, vendor management, and organizational policy. The good news: most of these requirements are achievable with modern cloud infrastructure and a security-first development mindset. The key is starting with compliance in mind — not retrofitting it after launch. Use this checklist as your baseline, invest in regular security assessments, and partner with experienced healthcare developers who understand the regulatory landscape.