{
  "resourceType" : "Requirements",
  "id" : "CMHAFFR2-APU.4",
  "meta" : {
    "profile" : ["http://hl7.org/fhir/uv/cmhaffr2/StructureDefinition/FMHeader"]
  },
  "language" : "en",
  "text" : {
    "status" : "extensions",
    "div" : "<div xml:lang=\"en\" xmlns=\"http://www.w3.org/1999/xhtml\" lang=\"en\">\n    \n    \n    \n    \n    <div id=\"requirements\"><b>Criteria <a href=\"https://hl7.org/fhir/versions.html#std-process\" title=\"Normative Content\" class=\"normative-flag\">N</a>:</b></div>\n    \n    <table id=\"statements\" class=\"grid dict\">\n        \n        <tr>\n            <td style=\"padding-left: 4px;\">\n            APU.4#83\n            </td>\n            <td style=\"padding-left: 4px;\">\n            SHALL\n            \n            \n            \n            </td>\n            <td style=\"padding-left: 4px;\" class=\"requirement\">\n                <div><p>PHI and PII stored on a smartphone is stored as encrypted values.</p>\n</div>\n                \n            </td>\n        </tr>\n        \n        <tr>\n            <td style=\"padding-left: 4px;\">\n            APU.4#84\n            </td>\n            <td style=\"padding-left: 4px;\">\n            SHALL\n            \n            \n            \n            </td>\n            <td style=\"padding-left: 4px;\" class=\"requirement\">\n                <div><p>PHI and PII stored by the mobile app on any external server is stored as encrypted values.</p>\n</div>\n                \n            </td>\n        </tr>\n        \n        <tr>\n            <td style=\"padding-left: 4px;\">\n            APU.4#85\n            </td>\n            <td style=\"padding-left: 4px;\">\n            SHALL\n            \n            \n            \n            </td>\n            <td style=\"padding-left: 4px;\" class=\"requirement\">\n                <div><p>Unless PHI and PII has been transmitted to a data set maintained by a Health Plan or Health Provider, the account holder can delete information collected through the app, including data generated by a device associated with the app.</p>\n</div>\n                \n            </td>\n        </tr>\n        \n        <tr>\n            <td style=\"padding-left: 4px;\">\n            APU.4#86\n            </td>\n            <td style=\"padding-left: 4px;\">\n            SHOULD\n            \n            \n            \n            </td>\n            <td style=\"padding-left: 4px;\" class=\"requirement\">\n                <div><p>Improve and/or upgrade encryption cipher and suites to match evolving best practices.</p>\n</div>\n                \n            </td>\n        </tr>\n        \n        <tr>\n            <td style=\"padding-left: 4px;\">\n            APU.4#87\n            </td>\n            <td style=\"padding-left: 4px;\">\n            SHALL\n            \n            \n            \n            </td>\n            <td style=\"padding-left: 4px;\" class=\"requirement\">\n                <div><p>PHI and PII transmitted between an app and an external data source, including data generated through a device associated with the app, are transmitted as encrypted values.</p>\n</div>\n                \n            </td>\n        </tr>\n        \n    </table>\n</div>"
  },
  "extension" : [{
    "url" : "http://hl7.org/fhir/StructureDefinition/structuredefinition-wg",
    "valueCode" : "mobile"
  }],
  "url" : "http://hl7.org/fhir/uv/cmhaffr2/Requirements/CMHAFFR2-APU.4",
  "version" : "2.0.1",
  "name" : "APU_4_Security_for_Data_at_Rest_and_in_Transport",
  "title" : "APU.4 Security for Data at Rest and in Transport (Header)",
  "status" : "active",
  "date" : "2026-03-20T11:58:09+00:00",
  "publisher" : "HL7 International / Mobile Health",
  "contact" : [{
    "telecom" : [{
      "system" : "url",
      "value" : "http://www.hl7.org/Special/committees/mobile"
    }]
  }],
  "description" : "This category is about providing assurance that the consumer’s stored data is secure, regardless of whether it is stored on the consumer’s\ndevices or elsewhere (e.g., in cloud-based servers for an app). It also provides assurance that consumer data is secure when it is moved between the\nconsumer’s device(s) and other locations.",
  "jurisdiction" : [{
    "coding" : [{
      "system" : "http://unstats.un.org/unsd/methods/m49/m49.htm",
      "code" : "001",
      "display" : "World"
    }]
  }],
  "statement" : [{
    "extension" : [{
      "url" : "http://hl7.org/fhir/uv/cmhaffr2/StructureDefinition/requirements-dependent",
      "valueBoolean" : false
    }],
    "key" : "CMHAFFR2-APU.4-83",
    "label" : "APU.4#83",
    "conformance" : ["SHALL"],
    "conditionality" : false,
    "requirement" : "PHI and PII stored on a smartphone is stored as encrypted values."
  },
  {
    "extension" : [{
      "url" : "http://hl7.org/fhir/uv/cmhaffr2/StructureDefinition/requirements-dependent",
      "valueBoolean" : false
    }],
    "key" : "CMHAFFR2-APU.4-84",
    "label" : "APU.4#84",
    "conformance" : ["SHALL"],
    "conditionality" : false,
    "requirement" : "PHI and PII stored by the mobile app on any external server is stored as encrypted values."
  },
  {
    "extension" : [{
      "url" : "http://hl7.org/fhir/uv/cmhaffr2/StructureDefinition/requirements-dependent",
      "valueBoolean" : false
    }],
    "key" : "CMHAFFR2-APU.4-85",
    "label" : "APU.4#85",
    "conformance" : ["SHALL"],
    "conditionality" : false,
    "requirement" : "Unless PHI and PII has been transmitted to a data set maintained by a Health Plan or Health Provider, the account holder can delete information collected through the app, including data generated by a device associated with the app."
  },
  {
    "extension" : [{
      "url" : "http://hl7.org/fhir/uv/cmhaffr2/StructureDefinition/requirements-dependent",
      "valueBoolean" : false
    }],
    "key" : "CMHAFFR2-APU.4-86",
    "label" : "APU.4#86",
    "conformance" : ["SHOULD"],
    "conditionality" : false,
    "requirement" : "Improve and/or upgrade encryption cipher and suites to match evolving best practices."
  },
  {
    "extension" : [{
      "url" : "http://hl7.org/fhir/uv/cmhaffr2/StructureDefinition/requirements-dependent",
      "valueBoolean" : false
    }],
    "key" : "CMHAFFR2-APU.4-87",
    "label" : "APU.4#87",
    "conformance" : ["SHALL"],
    "conditionality" : false,
    "requirement" : "PHI and PII transmitted between an app and an external data source, including data generated through a device associated with the app, are transmitted as encrypted values."
  }]
}