Consumer Mobile Health Application Functional Framework, Release 2
2.0.1 - CI build

Consumer Mobile Health Application Functional Framework, Release 2, published by HL7 International / Mobile Health. This guide is not an authorized publication; it is the continuous build for version 2.0.1 built by the FHIR (HL7® FHIR® Standard) CI Build. This version is based on the current content of https://github.com/HL7/cmhaff-ig/ and changes regularly. See the Directory of published versions

APU.4 Security for Data at Rest and in Transport (Header) - XML Representation

Page standards status: Informative



<!-- FHIR Requirements resource for CMHAFF R2 category APU.4 (header). It carries five criteria, APU.4#83 to
     APU.4#87, covering encryption of PHI/PII at rest and in transit and deletion of app data by the account holder. -->
<Requirements xmlns="http://hl7.org/fhir">
  <id value="CMHAFFR2-APU.4"/>
  <meta>
    <profile
             value="http://hl7.org/fhir/uv/cmhaffr2/StructureDefinition/FMHeader"/>
  </meta>
  <!-- Human-readable narrative (XHTML). Its table repeats the label, conformance verb and requirement text of each
       structured statement element further down. Whitespace inside the div is part of the content and is left as is. -->
  <text>
    <status value="extensions"/>
    <div xmlns="http://www.w3.org/1999/xhtml">
    <span id="description"><b>Statement <a href="https://hl7.org/fhir/versions.html#std-process" title="Normative Content" class="normative-flag">N</a>:</b> <div><p>This category is about providing assurance that the consumer’s stored data is secure, regardless of whether it is stored on the consumer’s
devices or elsewhere (e.g., in cloud-based servers for an app). It also provides assurance that consumer data is secure when it is moved between the
consumer’s device(s) and other locations.</p>
</div></span>

    

    
    
    

    
    <span id="requirements"><b>Criteria <a href="https://hl7.org/fhir/versions.html#std-process" title="Normative Content" class="normative-flag">N</a>:</b></span>
    
    <table id="statements" class="grid dict">
        
        <tr>
            <td style="padding-left: 4px;">
                
                <span>APU.4#83</span>
                
            </td>
            <td style="padding-left: 4px;">
                
                
                
                <span>SHALL</span>
                
            </td>
            <td style="padding-left: 4px;" class="requirement">
                
                <span><div><p>PHI and PII stored on a smartphone is stored as encrypted values.</p>
</div></span>
                
                
            </td>
        </tr>
        
        <tr>
            <td style="padding-left: 4px;">
                
                <span>APU.4#84</span>
                
            </td>
            <td style="padding-left: 4px;">
                
                
                
                <span>SHALL</span>
                
            </td>
            <td style="padding-left: 4px;" class="requirement">
                
                <span><div><p>PHI and PII stored by the mobile app on any external server is stored as encrypted values.</p>
</div></span>
                
                
            </td>
        </tr>
        
        <tr>
            <td style="padding-left: 4px;">
                
                <span>APU.4#85</span>
                
            </td>
            <td style="padding-left: 4px;">
                
                
                
                <span>SHALL</span>
                
            </td>
            <td style="padding-left: 4px;" class="requirement">
                
                <span><div><p>Unless PHI and PII has been transmitted to a data set maintained by a Health Plan or Health Provider, the account holder can delete information collected through the app, including data generated by a device associated with the app.</p>
</div></span>
                
                
            </td>
        </tr>
        
        <tr>
            <td style="padding-left: 4px;">
                
                <span>APU.4#86</span>
                
            </td>
            <td style="padding-left: 4px;">
                
                
                
                <span>SHOULD</span>
                
            </td>
            <td style="padding-left: 4px;" class="requirement">
                
                <span><div><p>Improve and/or upgrade encryption cipher and suites to match evolving best practices.</p>
</div></span>
                
                
            </td>
        </tr>
        
        <tr>
            <td style="padding-left: 4px;">
                
                <span>APU.4#87</span>
                
            </td>
            <td style="padding-left: 4px;">
                
                
                
                <span>SHALL</span>
                
            </td>
            <td style="padding-left: 4px;" class="requirement">
                
                <span><div><p>PHI and PII transmitted between an app and an external data source, including data generated through a device associated with the app, are transmitted as encrypted values.</p>
</div></span>
                
                
            </td>
        </tr>
        
    </table>
</div>
  </text>
  <!-- Work group code "mobile"; the publisher element below names HL7 International / Mobile Health. -->
  <extension
             url="http://hl7.org/fhir/StructureDefinition/structuredefinition-wg">
    <valueCode value="mobile"/>
  </extension>
  <!-- Canonical URL and version identify this resource; the URL is an identifier, not a fetch instruction. -->
  <url value="http://hl7.org/fhir/uv/cmhaffr2/Requirements/CMHAFFR2-APU.4"/>
  <version value="2.0.1"/>
  <name value="APU_4_Security_for_Data_at_Rest_and_in_Transport"/>
  <title value="APU.4 Security for Data at Rest and in Transport (Header)"/>
  <status value="active"/>
  <date value="2025-05-28T08:01:49+00:00"/>
  <publisher value="HL7 International / Mobile Health"/>
  <contact>
    <telecom>
      <system value="url"/>
      <value value="http://www.hl7.org/Special/committees/mobile"/>
    </telecom>
  </contact>
  <!-- Same wording as the narrative statement in the text element; the line breaks sit inside the attribute value. -->
  <description
               value="This category is about providing assurance that the consumer’s stored data is secure, regardless of whether it is stored on the consumer’s
devices or elsewhere (e.g., in cloud-based servers for an app). It also provides assurance that consumer data is secure when it is moved between the
consumer’s device(s) and other locations."/>
  <!-- UN M49 code 001, displayed as "World". -->
  <jurisdiction>
    <coding>
      <system value="http://unstats.un.org/unsd/methods/m49/m49.htm"/>
      <code value="001"/>
      <display value="World"/>
    </coding>
  </jurisdiction>
  <!-- Structured criteria follow. Each statement carries a key, a label, a conformance verb, a conditionality flag
       (false on all five) and the requirement text. NOTE(review): requirements-dependent is a guide-specific
       extension, false on every statement here; its exact meaning is defined by the guide, not by this resource. -->
  <!-- APU.4#83 (SHALL): PHI/PII held on the smartphone is encrypted at rest. NOTE(review): the text names no
       algorithm, key length or key-storage location, so the assessor has to define what evidence shows conformance. -->
  <statement>
    <extension
               url="http://hl7.org/fhir/uv/cmhaffr2/StructureDefinition/requirements-dependent">
      <valueBoolean value="false"/>
    </extension>
    <key value="CMHAFFR2-APU.4-83"/>
    <label value="APU.4#83"/>
    <conformance value="SHALL"/>
    <conditionality value="false"/>
    <requirement
                 value="PHI and PII stored on a smartphone is stored as encrypted values."/>
  </statement>
  <!-- APU.4#84 (SHALL): PHI/PII the app stores on any external server is encrypted at rest. NOTE(review): whether
       backups, logs or caches holding the same data are in scope is not spelled out here; confirm during assessment. -->
  <statement>
    <extension
               url="http://hl7.org/fhir/uv/cmhaffr2/StructureDefinition/requirements-dependent">
      <valueBoolean value="false"/>
    </extension>
    <key value="CMHAFFR2-APU.4-84"/>
    <label value="APU.4#84"/>
    <conformance value="SHALL"/>
    <conditionality value="false"/>
    <requirement
                 value="PHI and PII stored by the mobile app on any external server is stored as encrypted values."/>
  </statement>
  <!-- APU.4#85 (SHALL): the account holder can delete information collected through the app, including data from an
       associated device. The carve-out applies once the data has been transmitted to a data set maintained by a
       Health Plan or Health Provider. NOTE(review): deletion from backups or replicas is not addressed in this text. -->
  <statement>
    <extension
               url="http://hl7.org/fhir/uv/cmhaffr2/StructureDefinition/requirements-dependent">
      <valueBoolean value="false"/>
    </extension>
    <key value="CMHAFFR2-APU.4-85"/>
    <label value="APU.4#85"/>
    <conformance value="SHALL"/>
    <conditionality value="false"/>
    <requirement
                 value="Unless PHI and PII has been transmitted to a data set maintained by a Health Plan or Health Provider, the account holder can delete information collected through the app, including data generated by a device associated with the app."/>
  </statement>
  <!-- APU.4#86 (SHOULD): keep ciphers and cipher suites in line with evolving best practice. This is the only
       criterion in the category at SHOULD strength; the other four are SHALL. -->
  <statement>
    <extension
               url="http://hl7.org/fhir/uv/cmhaffr2/StructureDefinition/requirements-dependent">
      <valueBoolean value="false"/>
    </extension>
    <key value="CMHAFFR2-APU.4-86"/>
    <label value="APU.4#86"/>
    <conformance value="SHOULD"/>
    <conditionality value="false"/>
    <requirement
                 value="Improve and/or upgrade encryption cipher and suites to match evolving best practices."/>
  </statement>
  <!-- APU.4#87 (SHALL): PHI/PII moving between the app and an external data source, including device-generated
       data, is encrypted in transit. NOTE(review): the text requires encryption only; protocol version and peer
       authentication (for example certificate validation) are not stated here. Confirm whether another category
       covers them. -->
  <statement>
    <extension
               url="http://hl7.org/fhir/uv/cmhaffr2/StructureDefinition/requirements-dependent">
      <valueBoolean value="false"/>
    </extension>
    <key value="CMHAFFR2-APU.4-87"/>
    <label value="APU.4#87"/>
    <conformance value="SHALL"/>
    <conditionality value="false"/>
    <requirement
                 value="PHI and PII transmitted between an app and an external data source, including data generated through a device associated with the app, are transmitted as encrypted values."/>
  </statement>
</Requirements>