The mobile health app market is expected to hit $28 billion by 2023. Over 60% of Americans have downloaded an mHealth app, and two-thirds of the world’s largest hospitals offer mobile apps to their patients. We’re in the midst of a mobile health boom. Marrying the digital and physical components of health brings tangible value to patients, providers, and consumers. With such large volumes of patient data being exchanged over the internet, patient data security has become a huge issue.
If you’re thinking about the costs involved in developing a mobile health app, you need to understand how HIPAA requirements can influence the app development process.
For many health providers, entrepreneurs, and businesses, the idea of a health app is tempting. It’s a rapidly growing market stuffed with opportunity. So, what’s stopping you from putting one out? Cost, right? You need to know how much money you’re going to have to pay to develop one. Unfortunately, there’s no straightforward answer. Apps come in all shapes and sizes, and the development cycle, scope, scale, and features of your app all play a role in the overall cost.
To help answer this question in some detail, let’s look at what goes into building a HIPAA compliant app.
Understanding HIPAA and Applications
The Health Insurance Portability and Accountability Act (HIPAA) requires you to pay special attention to compliance during your app build. HIPAA fines can reach upwards of $1.5 million, and failure to comply can lead to reputation damage and inspections that can quickly permeate every layer of your business.
Unfortunately, HIPAA guidelines can be confusing and redundant for developers looking to quickly churn out an application. To help clarify HIPAA compliance when building out an application, let’s look at the four key HIPAA rules that govern digital solutions:
- The HIPAA Privacy Rule: The HIPAA Privacy Rule establishes standards to protect electronic Protected Health Information (ePHI). These include setting up the appropriate safeguards for ePHI, establishing the limits and conditions on its use, and giving patients the right to access and view their ePHI (usually via a copy of their health records).
- The HIPAA Security Rule: The HIPAA Security Rule sets three broad standards of safeguards that must be followed:
  - Administrative Safeguards: These establish standards such as security management practices (i.e., risk analysis and risk management), assigned security responsibilities, workforce security, security awareness and training, and information access control.
  - Technical Safeguards: These establish standards such as access control (i.e., automatic logoff, encryption, etc.), audit controls, data integrity, entity authentication, and transmission security.
  - Physical Safeguards: These establish back-end standards for facility access control, workstation use, workstation security, and device and media controls.
- The HIPAA Enforcement Rule: The HIPAA Enforcement Rule covers compliance investigations into breaches and other matters regarding enforcement of HIPAA standards.
- The HIPAA Breach Notification Rule: The HIPAA Breach Notification Rule governs how you must react when a breach occurs involving your application.
HIPAA regulations apply to both the front-end (i.e., the app) and the back-end (i.e., the servers and databases). For most businesses, the back-end (e.g., HIPAA physical safeguards) is taken care of by your cloud service provider. Remember, you should pick a service provider with built-in HIPAA compliance — like AWS, Google, or Rackspace.
Cost is Partially Determined By Your HIPAA Compliance Needs
Needless to say, there’s plenty that goes into creating a HIPAA-compliant app. To start, you want to consider the following features to comply with the HIPAA Security Rule:
- Data encryption and security while data is cached, in transit, and at rest
- Audit logging and usage history
- User access controls
- Automatic logoff
- Secure authentication
- Minimum data collection
- Emergency backups
- Server scalability, elasticity, and emergency controls
- Remote data wipe
There are more. But we can’t give you any absolutes. It highly depends on the nature of your application. Every HIPAA-compliant app needs to have some features, but some apps need additional features based on their capabilities. Each new security feature takes time, resources, and work to develop, and you can expect to pay extra for every added layer of security.
On the application hosting front, you want as little hands-on involvement as possible. There are plenty of solutions with baked-in HIPAA compliance, and using them reduces your threat surface and your overall cost of putting these safeguards in place. You have a few options. You can use a backend-as-a-service like Salesforce to build out your web or mobile application.
You can host your apps on a cloud provider such as AWS, Microsoft Azure, or Google Cloud. Alternatively, you can consider on-premise or other dedicated hosting options and build them out from scratch. All options work, and the option you choose will depend on your specific needs.
On the application development front, whether front-end or back-end, you’ll have plenty of work to do. You need to create a robust architecture, as implementing the HIPAA rules requires effort across multiple components of the application. Something as simple as logging, which is a key tenet of HIPAA, can cause you serious headaches if you’re under-prepared.
How are you going to view and review those logs? You may need a dedicated interface. You may also need technical personnel to extract those reports. Mobile devices add additional risks, so mobile apps require additional considerations such as special authentication mechanisms as well as remote data wipe. All of these are things you should consider during your development process, and each new addition adds costs.
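To make two of the Security Rule features listed above concrete, audit logging and automatic logoff, here is a small added example in Python. It is not code from the original post or from Technology Rivers; it assumes a hypothetical 15-minute inactivity limit (HIPAA does not prescribe a number) and keeps the log in memory, where a real deployment would write to append-only, access-controlled storage. Each audit entry records who touched which record, when, and with what outcome, and is chained to the previous entry by a SHA-256 hash so that later tampering with the trail is detectable when someone reviews it.

```python
import hashlib
import json
from dataclasses import dataclass, field

# Hypothetical policy value: sessions idle longer than this are logged off automatically.
INACTIVITY_LIMIT_SECONDS = 15 * 60


@dataclass
class AuditLog:
    """Append-only audit trail; each entry hashes its own fields plus the previous hash."""
    entries: list = field(default_factory=list)

    def record(self, timestamp, user_id, action, record_id, outcome):
        prev_hash = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = {"ts": timestamp, "user": user_id, "action": action,
                "record": record_id, "outcome": outcome, "prev": prev_hash}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        self.entries.append(dict(body, hash=digest))
        return digest

    def verify(self):
        """Recompute the chain; returns False if any entry was altered or removed."""
        prev = "0" * 64
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev"] != prev:
                return False
            if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != entry["hash"]:
                return False
            prev = entry["hash"]
        return True

    def accesses_by(self, user_id):
        """The kind of per-user report a compliance reviewer would pull from the trail."""
        return [e for e in self.entries if e["user"] == user_id]


class SessionManager:
    """Tracks last activity per session and enforces automatic logoff on access."""

    def __init__(self, log, limit=INACTIVITY_LIMIT_SECONDS):
        self.log = log
        self.limit = limit
        self.sessions = {}

    def login(self, session_id, user_id, now):
        self.sessions[session_id] = {"user": user_id, "last": now}
        self.log.record(now, user_id, "login", "-", "success")

    def access(self, session_id, record_id, now):
        """Attempt to read a patient record; every outcome, allowed or denied, is logged."""
        session = self.sessions.get(session_id)
        if session is None:
            self.log.record(now, "unknown", "read", record_id, "denied:no-session")
            return False
        if now - session["last"] > self.limit:
            # Automatic logoff: idle too long, so the session is dropped and the read refused.
            del self.sessions[session_id]
            self.log.record(now, session["user"], "auto-logoff", "-", "inactivity")
            self.log.record(now, session["user"], "read", record_id, "denied:expired")
            return False
        session["last"] = now
        self.log.record(now, session["user"], "read", record_id, "success")
        return True


def demo():
    """Constructed scenario: one clinician logs in, reads a record, then returns after 16 idle minutes."""
    log = AuditLog()
    sessions = SessionManager(log)
    sessions.login("sess-1", "dr_smith", now=0)
    first = sessions.access("sess-1", "patient-42", now=60)            # within the limit
    second = sessions.access("sess-1", "patient-42", now=60 + 16 * 60)  # 16 min idle: logged off
    return log, first, second


if __name__ == "__main__":
    log, first, second = demo()
    for entry in log.entries:
        print(entry["ts"], entry["user"], entry["action"], entry["record"], entry["outcome"])
    print("chain intact:", log.verify())
```

The point for cost planning is visible in the shape of the code: the logging itself is a few lines, but the review side (the `accesses_by` report, the `verify` check, and whoever runs them) is where the ongoing effort lands.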
Cost is Also Determined by Your Application Features
Finally, your app itself adds cost. What features do you want to include on your application? The more advanced your application is, the more it’s going to cost you in development resources — which directly translates into money. There’s a fine balance here. You want a customer-centric, holistic, and value-driven application, but you don’t want to over-engineer and lose liquidity for meaningless additions.
The bulk of the cost for an app isn’t necessarily the technical, administrative, and physical safeguards imposed by HIPAA; it’s the application itself. Every new rich feature (e.g., forms, calling, teleconferencing, portals, etc.) will increase the amount of dev time at every stage in the application lifecycle.
Average Cost of Building a HIPAA Compliant App
So what will this cost you? It depends. A Kinvey CIO study suggested that the average cost to develop an app for an organization is $270,000. VDC research puts that number closer to $140,000. The real answer is that it entirely depends. We’ve built amazing HIPAA apps for $25,000, and we’ve built them for over $200,000. The scope of the project determines the cost.
Just remember, that’s the cost of the app, not maintenance. An old Forrester survey showcased the cost of maintenance. While the average cost to build an app back in 2012 was between $50,000 and $100,000, that cost was only a third of the overall cost. Maintenance, updates, upgrades, and future iterations all added to the bucket.
Partner with Experienced HIPAA App Developers
If you’re interested in building a HIPAA compliant application while optimizing for cost, partnering with an experienced app development agency can help ensure your vision reaches its full potential. At Technology Rivers, we specialize in building custom applications that adhere to HIPAA and other health compliance standards. Contact us today to schedule a consultation with one of our development representatives.