Developing a HIPAA Compliant App in 2021: How Much Does It Cost?
The mobile health app market is expected to hit $28 billion by 2023. Over 60% of Americans have downloaded an mHealth app, and two-thirds of the world’s largest hospitals offer mobile apps to their patients.
We are now in the midst of a mobile health boom. Marrying the digital and physical components of health brings tangible value to patients, providers, and consumers. With such large volumes of patient data being exchanged over the internet, patient data security has become a huge issue.
If you’re thinking about the costs involved in developing a mobile health app, you need to understand how HIPAA requirements can influence the app development process.
For many health providers, entrepreneurs, and businesses, the idea of a health app is tempting. It’s a rapidly-growing market stuffed with opportunities.
So, what’s stopping you from putting one out? Cost, right? You need to know how much it will cost to develop one. Unfortunately, there’s no straightforward answer. Apps come in all shapes and sizes, and the development cycle, scope, scale, and features of your app all play a role in the overall cost.
To help answer this question in some detail, let’s look at what goes into building a HIPAA-compliant app.
Understanding HIPAA and Applications
The Health Insurance Portability and Accountability Act (HIPAA) requires you to pay special attention to compliance during your app build. A violation fine can reach upwards of $1.5 million, and failure to comply can lead to reputation damage and inspections that can quickly permeate every layer of your business.
Unfortunately, these guidelines can be confusing and redundant for developers. To help clarify HIPAA compliance, let’s look at the four key rules that govern digital solutions:
- The Privacy Rule: This rule establishes standards to protect electronic Protected Health Information (ePHI). These include setting up the appropriate safeguards for ePHI, establishing the limits and conditions on its use, and giving patients the right to access and view their ePHI (usually via a copy of their health records).
- The Security Rule: This rule sets three broad categories of safeguards that must be followed:
  - Administrative Safeguards: These establish standards such as security management practices (i.e., risk analysis and risk management), assigned security responsibilities, workforce security, security awareness and training, and information access control.
  - Technical Safeguards: These establish standards such as access control (i.e., automatic logoff, encryption, etc.), audit controls, data integrity, entity authorization, and transmission security.
  - Physical Safeguards: These establish standards, applying mostly to the back-end, for facility access control, workstation use, workstation security, and device and media controls.
- The Enforcement Rule: This rule covers compliance investigations into breaches and other issues regarding the enforcement of HIPAA standards.
- The Breach Notification Rule: This rule sets out how you must respond when a breach involving your application occurs.
These regulations apply to both the front-end (i.e., the app) and back-end (i.e., the servers and databases), as well as infrastructure and data transport mechanisms.
For most businesses, the back-end is taken care of by your cloud service provider. Remember to pick a service provider that offers HIPAA-compliant hosting; most major cloud providers, including Amazon AWS, Google, Microsoft, and Rackspace, do.
Cost is Partially Determined by Your HIPAA Compliance Needs
Needless to say, there’s plenty that goes into creating a compliant app. To start, you want to consider the following features to comply with the Security Rule:
- Data encryption and security while data is cached, in transit, and at rest
- Audit logging and usage history
- User access controls
- Automatic logoff
- Secure authentication
- Minimum data collection
- Emergency backups
- Server scalability, elasticity, and emergency controls
- Remote data wipe
There are more, but we can’t give you any absolutes; it depends heavily on the nature of your application. Every HIPAA-compliant app needs a core set of features, and some apps need additional ones based on their capabilities. Each new security feature takes time, resources, and work to develop, and you can expect to pay extra for every added layer of security.
On the application hosting front, you want to be hands-off or have as little involvement as possible. There are plenty of solutions with baked-in HIPAA compliance, and using them reduces your attack surface and your overall cost of putting these safeguards in place. You have a few options. You can use a backend-as-a-service like Salesforce to build out your web or mobile application.
You can host your app on a cloud provider such as AWS, Microsoft Azure, or Google Cloud. Alternatively, you can consider on-premise or other dedicated hosting options and build the environment from scratch. All options work, and the one you choose will depend on your specific needs.
On the application development side, front-end or back-end, you’ll have plenty of work to do. You need to create a robust architecture, because implementing the HIPAA rules requires effort across multiple components of the application. Something as simple as logging, which is a key tenet of HIPAA, can cause you serious headaches if you’re under-prepared.
How are you going to view and review those logs? You may need a dedicated interface. You may also need technical personnel to extract those reports. Mobile devices add further risks, so mobile apps require additional considerations such as special authentication mechanisms and remote data wipe. All of these are things you should consider during your development process, and each new addition adds cost.
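As an added illustration of two items from the feature list above (audit logging with usage history, and automatic logoff) and of the log-review question just raised, here is example code written for this page, not code from Technology Rivers or the original post: a hash-chained ePHI access log that can be queried per patient record and checked for tampering, plus an idle-timeout check. The 15-minute limit, epoch-second timestamps, and the sample users and record ids are assumptions.

```python
"""Added illustration of two Security Rule controls: audit controls with data
integrity (a hash-chained usage history) and automatic logoff. Not code from
Technology Rivers or the original post; timestamps are epoch seconds."""
import hashlib
import json

IDLE_TIMEOUT_SECONDS = 15 * 60  # assumed policy value, not from the post
GENESIS = "0" * 64


def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditTrail:
    """Append-only log of who did what to which patient record, and when."""

    def __init__(self):
        self.entries = []
        self._prev_hash = GENESIS

    def record(self, user, action, record_id, ts):
        # Each entry commits to the previous one, so editing, reordering or
        # removing an interior entry later breaks the chain and shows up on review.
        body = {"ts": ts, "user": user, "action": action,
                "record_id": record_id, "prev": self._prev_hash}
        entry = dict(body, hash=_digest(body))
        self._prev_hash = entry["hash"]
        self.entries.append(entry)
        return entry

    def verify(self):
        """Recompute the chain; False if an entry was altered or spliced out."""
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev"] != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def history(self, record_id):
        """The per-record usage history a reviewer's interface would show."""
        return [e for e in self.entries if e["record_id"] == record_id]


def session_is_active(last_seen, now, idle_limit=IDLE_TIMEOUT_SECONDS):
    """Automatic logoff check: False once the user has been idle too long."""
    return now - last_seen <= idle_limit
```

In a real deployment the entries would be written to append-only storage and the latest hash anchored externally, since truncating the tail of the chain is not detectable from the chain alone.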
Cost is Also Determined by Your Application Features
Finally, your app itself adds cost. What features do you want to include? The more advanced your application is, the more it’s going to cost you in development resources — which directly translates into money. There’s a fine balance here. You want a customer-centric, holistic, and value-driven application, but you don’t want to over-engineer and lose liquidity for meaningless additions.
The bulk of the cost for an app isn’t necessarily the technical, administrative, and physical safeguards imposed by HIPAA; it’s the application itself. Every new rich feature (e.g., forms, calling, teleconferencing, portals, etc.) will increase the amount of dev time at every stage in the application lifecycle.
Average Cost of Building a HIPAA Compliant App
So what will this cost you? It depends. A Kinvey CIO study suggested that the average cost to develop an app for an organization is $270,000. VDC research puts that number closer to $140,000. The real answer is that it entirely depends on scope. We’ve built amazing HIPAA apps for $25,000, and we’ve built them for over $200,000. The scope of the project determines the cost. Just remember, that’s the cost of the initial version of the app, which excludes maintenance. An old Forrester survey illustrated the cost of maintenance: while the average cost to build an app back in 2012 was between $50,000 and $100,000, that figure was only a third of the overall cost. Maintenance, updates, upgrades, and future iterations all add to the bucket.
Partner with Experienced HIPAA App Developers
If you’re interested in building a HIPAA-compliant application while optimizing for cost, partnering with an experienced app development agency can help ensure your vision reaches its full potential. At Technology Rivers, we specialize in building custom applications that adhere to HIPAA and other health compliance standards. Contact us today to schedule a consultation with one of our development representatives.