
Building an app to be HIPAA compliant, I wonder how it is possible to store an access token for the remote server, and/or have a local encrypted SQL database (SQLCipher, for example).

Considering the nature of the HIPAA requirements, I can only conclude that the appropriate location for a key is on the server, and not locally on the mobile device:

Section §164.312 of the HIPAA standards says the following:

(a)(1) Standard: Access control. Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in §164.308(a)(4).

So to be more specific,

1) Assuming a person with access to the phone can eventually extract a key/access token, does that mean that local key storage is not HIPAA compliant?

2) How can a messaging app be HIPAA compliant? Since the user is not prompted to enter a password every time the app is opened, it means the access token is saved somewhere locally on the phone.

Ohad
  • [AFAIK (see my answer here)](http://stackoverflow.com/questions/28609526/store-client-secret-securely/31352769#31352769) you can't store a token 100% securely on an Android device. I'm posting this as a comment because I have the feeling that, to answer your question properly, you should be a lawyer ;) – jmm Sep 02 '15 at 12:39
  • @jmm, thanks for the answer! As a simple example, even knowing how WhatsApp stores the user access token would be great :) – Ohad Sep 02 '15 at 12:41

0 Answers