
EnSofia’s HIPAA compliance requirements:

  • Entity Scope
    EnSofia handles Protected Health Information (PHI) on behalf of healthcare providers, so it acts as a Business Associate and must fully comply with HIPAA.
  • Three Core Rules
    1. Privacy Rule: Governs when and how PHI can be used or disclosed; gives patients rights to access, amend, and see disclosure logs.
    2. Security Rule: Requires administrative, physical, and technical safeguards for electronic PHI (ePHI).
    3. Breach Notification Rule: Mandates notifying affected individuals and HHS within 60 days of any unsecured PHI breach.
  • Administrative Safeguards
    • Conduct a mobile-specific risk assessment (identify where PHI enters, is processed, and stored).
    • Establish security policies (device use, lost-device procedures, incident response).
    • Train all staff (developers, QA, support) on handling PHI in the app.
    • Sign Business Associate Agreements with any third-party SDKs or services that might touch PHI.
  • Physical Safeguards
    • Enforce device passcodes and automatic lock; support remote wipe for lost/stolen devices.
    • Secure clinic devices (tablets, kiosks) and wipe them between users.
  • Technical Safeguards
    • Access Control: Unique user IDs, strong authentication (OAuth/OpenID Connect, MFA), session timeouts.
    • Encryption: TLS 1.2+ for data in transit; encrypt data at rest with keys held in the OS keystore (iOS Keychain/Android Keystore).
    • Audit Controls: Log all PHI access events on client and server; forward logs to a central monitoring system.
    • Integrity Controls: Use HMAC or digital signatures to detect tampering.
    • Transmission Security: Certificate pinning; reject self-signed or expired certificates.
  • Secure Coding & Testing
    • Follow OWASP Mobile Top 10 guidelines.
    • Integrate static (SAST) and dynamic (DAST) analysis tools into CI/CD.
    • Strip PHI from crash reports and logs.
  • Ongoing Compliance Lifecycle
    • Continuous vulnerability scans and monitoring of mobile apps and APIs.
    • Annual (or post-release) risk reassessments.
    • Incident response plan detailing containment, assessment, and notification steps.
    • Retain all documentation (policies, risk analyses, training records, BAAs, breach reports) for six years.
  • Key Best Practices
    • Avoid storing long-term PHI on devices—cache only what’s necessary and purge on logout.
    • Use only BAA-covered SDKs (no unapproved analytics or crash-reporting tools).
    • Encrypt any backup or export features and require re-authentication.
    • Provide clear privacy notices in the app and let users request corrections or data exports.
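The Audit Controls and Integrity Controls items under Technical Safeguards, together with the "strip PHI from crash reports and logs" item, can be combined in one server-side audit log: each PHI-access event records only a keyed pseudonym of the patient identifier, free-text detail is redacted before it is stored, and every entry's HMAC covers the previous entry's tag so edits or deletions are detectable. This is an added illustration, not EnSofia's code; the keys, the PHI regexes and the sample events are constructed for the example, and in a real deployment the keys would come from the server's secret store.

```python
import hmac
import hashlib
import json
import re
# Keys would come from the server's secret store / OS keystore; constructed here for the example.
AUDIT_KEY = b"example-audit-key"
PSEUDONYM_KEY = b"example-pseudonym-key"
# Constructed patterns for values that must never reach a log line or crash report.
PHI_PATTERNS = [
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),            # SSN-like
    re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),            # date of birth
    re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),          # e-mail address
    re.compile(r"\bMRN[-\s]?\d+\b", re.IGNORECASE),  # medical record number
]

def redact(text):
    """Replace PHI-looking substrings so the text is safe to forward to monitoring."""
    for pattern in PHI_PATTERNS:
        text = pattern.sub("[REDACTED]", text)
    return text

def pseudonym(patient_id):
    """Keyed hash: links one patient's events without putting the identifier in the log."""
    return hmac.new(PSEUDONYM_KEY, patient_id.encode(), hashlib.sha256).hexdigest()[:16]

def _tag(entry):
    """HMAC over the canonical JSON of every field except the tag itself."""
    body = json.dumps({k: v for k, v in entry.items() if k != "tag"}, sort_keys=True)
    return hmac.new(AUDIT_KEY, body.encode(), hashlib.sha256).hexdigest()

class AuditLog:
    """Append-only PHI-access log; each tag covers the previous tag, so editing or
    deleting any entry breaks verification of everything after it."""
    def __init__(self):
        self.entries = []

    def record(self, ts, user_id, patient_id, action, detail=""):
        prev = self.entries[-1]["tag"] if self.entries else "0" * 64
        entry = {"ts": ts, "user": user_id, "patient": pseudonym(patient_id),
                 "action": action, "detail": redact(detail), "prev": prev}
        entry["tag"] = _tag(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """Walk the chain; False if any entry was altered, removed or reordered."""
        prev = "0" * 64
        for e in self.entries:
            if e["prev"] != prev or not hmac.compare_digest(_tag(e), e["tag"]):
                return False
            prev = e["tag"]
        return True
```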