Consumer Mobile Health Application Functional Framework, Release 2
2.0.1 - CI build
Consumer Mobile Health Application Functional Framework, Release 2, published by HL7 International / Mobile Health. This guide is not an authorized publication; it is the continuous build for version 2.0.1 built by the FHIR (HL7® FHIR® Standard) CI Build. This version is based on the current content of https://github.com/HL7/cmhaff-ig/ and changes regularly. See the Directory of published versions.
| Official URL: http://hl7.org/fhir/uv/cmhaffr2/Requirements/CMHAFFR2-APU.4 | Version: 2.0.1 |
| Standards status: Informative Active as of 2026-03-20 | Computable Name: APU_4_Security_for_Data_at_Rest_and_in_Transport |
This category is about providing assurance that the consumer’s stored data is secure, regardless of whether it is stored on the consumer’s devices or elsewhere (e.g., in cloud-based servers for an app). It also provides assurance that consumer data is secure when it is moved between the consumer’s device(s) and other locations.
| APU.4#83 | SHALL | PHI and PII stored on a smartphone is stored as encrypted values. |
| APU.4#84 | SHALL | PHI and PII stored by the mobile app on any external server is stored as encrypted values. |
| APU.4#85 | SHALL | Unless PHI and PII has been transmitted to a data set maintained by a Health Plan or Health Provider, the account holder can delete information collected through the app, including data generated by a device associated with the app. |
| APU.4#86 | SHOULD | Improve and/or upgrade encryption cipher and suites to match evolving best practices. |
| APU.4#87 | SHALL | PHI and PII transmitted between an app and an external data source, including data generated through a device associated with the app, are transmitted as encrypted values. |