The identity of an app user is authenticated prior to any access of PHI or PII.

The app user is authorized to access a feature of the app before that feature or any associated PHI or PII is displayed. Authorization may be internal to the app or derived from an external source.

At the request of an app user, the app terminates such that access to PHI or PII requires a new, successful authentication attempt.

[Other external HIT system (e.g., EHR) is a system actor] Verify a subject’s association with their real-world identity, establishing that a subject is who they claim to be (identity proofing).

The EHR authorizes an app user’s access to app features when these features are supported by data provided by or written to the EHR.

[PII or PHI are displayed] The app terminates the app or makes PHI or PII invisible after a period of time of user inactivity as described in the app’s Terms of Use. This feature is sometimes called “inactivity timeout” “Session timeout” or “automatic logoff.” The determination to include this feature within an app is made as part of the overall risk analysis regarding the sensitivity of data provided by or through the app.

[Passwords are stored on the device] passwords are encrypted and never displayed as plaintext.

[Access to account exposes Protected Health Information (PHI) or PII] The user is given an option to utilize strong authentication methods (e.g., multi-factor authentication and/or biometrics) in addition to passwords. Before selection of this option, the mechanism for authentication is clearly described and/or demonstrated to the user. This capability may apply to an app itself, and also to the pairing of the app with a device.