Mobile healthcare (mHealth) is poised to have a huge impact on patient adherence, clinical trials, connected devices, and other B2C, B2B, and B2E apps (see Top 10 Healthcare Mobile Apps in 2017).

mHealth drives increased productivity, lower costs, and improved patient-centric healthcare. But mobile apps pose new challenges for adhering to HIPAA requirements for securing electronic Protected Health Information (PHI). If you plan on building mHealth apps that store, manage, and pass PHI to a covered entity, you will need to be HIPAA compliant. Healthcare organizations that fail to implement the necessary safeguards as required by these laws risk exposing sensitive PHI and may also incur the high costs of non-compliance.

The first approach to building mHealth apps is to Do-it-Yourself (DIY). But organizations that are new to mobile application development often don’t comprehend everything that needs to be purchased, installed, built, developed, secured, and maintained to deliver a 5-star app experience. The picture below outlines the stack you need to build an app with a DIY approach – from building the client app to building and managing new mobile services and traditional platform middleware and infrastructure.

HIPAA compliance adds several additional layers of complexity, including defining and implementing Physical Safeguards, Technical Safeguards, Documentation Safeguards, Administrative Safeguards, and Breach Notification Rules. Developing, documenting, implementing, and certifying all of these requirements takes months and could cost upwards of $100,000. Certification alone can be extremely costly.

Figure: HIPAA Compliance Requirements for mHealth apps

One way to reduce your costs is to turn to a cloud provider that has already done the hard work to build portions of the stack and pre-certified their services. The key question is, which type of cloud service is best for you and your apps and which will lower your risk?

There are three versions of cloud “*aaS” offerings. The chart below compares the various levels of coverage by service type: Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Backend as a Service (BaaS). The first step is to make sure whichever “*aaS” you choose is HIPAA compliant and the entity will sign a Business Associate Agreement (BAA) to back it up.

Figure: Mobile Development Platforms: Four Alternatives for Implementing a HIPAA Compliant mHealth App

IaaS: The cloud provider gives you infrastructure services on-demand, including networking, storage, servers, and virtualization. In some cases, the operating system is included as well. You would have to develop, integrate, secure, and maintain the other platform middleware and mobile-specific components of the stack along with building your app. In this model, you would also be responsible for ensuring HIPAA compliance for the components not covered under the cloud IaaS provider’s BAA.

PaaS: The cloud provider gives you all the components of IaaS as well as the platform middleware (and operating system if needed). The provider should be willing to sign a BAA to cover their portion of the stack. You would be responsible for developing, integrating, securing, and maintaining the mobile-specific middleware components in addition to building and maintaining your app. You would also be responsible for ensuring HIPAA compliance for the components not covered under the cloud provider’s BAA.

BaaS: The cloud service provider gives you all of the IaaS and PaaS components as well as the mobile-specific middleware plumbing required to deliver high-performing online and offline user experiences. The BaaS provider should be willing to ensure HIPAA compliance for the stack up through their service layers and should sign a BAA, as well as pass through the BAA from the underlying cloud infrastructure provider. With BaaS, you would just need to focus on building your mHealth app experience. The BaaS provider has taken care of infrastructure, compliance, security, and all the mobile features you need.

BaaS provides the lowest Total Cost of Ownership (TCO) for your app (check out our BaaS savings calculator). You don’t have to build the stack – instead you log in and use it from day 1. It’s been estimated that, with BaaS, you can get to market 60-80% faster with significant cost savings for the release of the first app and for ongoing management and maintenance – not to mention the time and resource savings of not having to do the HIPAA compliance work for the entire stack.

Here are all the components required for HIPAA compliance. It’s quite a list and we are proud to say that Kinvey’s HIPAA Compliant App Cloud successfully meets all of the applicable requirements.