Respecting patient data without cumbersome passwords

Keeping personal data private is essential, both for ethical reasons and to be HIPAA compliant – but the user shouldn’t bear the burden.

collage showing patient submitting clinical data to the app

The challenge

A telemedicine client of ours dealt with sensitive health data that needed to be kept private and HIPAA compliant. Building user trust by reassuring them that their data was protected was also a priority.

The solution

User research showed that the patients were mostly elderly and unfamiliar with technology. They would not do well with complicated UX or with difficult-to-remember passwords.

We implemented a one-time password (OTP) that is sent directly to patients in a text message during the onboarding process. This OTP is simply copied and pasted into the application at the initial login to confirm identity.

Biometric privacy protection

After this, the app is set up to automatically unlock with the same biometric mechanism that unlocks the user’s phone (for iOS, fingerprint authentication or face ID), keeping the login process seamless and ensuring that no other individual has access to sensitive health data.

Equally as important, the user is automatically logged out, either upon exiting the application or after several hours, further securing their data. The app’s background services (which are critical for remote monitoring and emergency assistance) are in effect all the while, whether the user is logged-in or not.

interface screens for OTP authentication

The impact

Protecting patient data is fundamental, both for HIPAA compliance and to maintain trust, but hard-to-remember passwords can cause frustration, especially with elderly users.

Finding balance between privacy and ease of use is essential, especially in the high-stakes field of healthtech. This keeps users coming back to products that can significantly improve their quality of life.