My company has a customer who is requesting that we provide PDF and media content that is HIPAA compliant through our Android app. I was wondering if there are any existing apps out there for viewing media and PDFs, which are HIPAA compliant, that I can invoke via an intent. I would prefer to pass via the intent a URL to stream the content from, whose security I can control, or an encrypted file and key.
My understanding of what changes I need to make to be HIPAA compliant is to make sure we never save these media/PDF files to disk or, if we do, we encrypt them.
As far as media content is concerned, I can currently play the media content in a MediaPlayer, but after doing some research I have found no information on whether the MediaPlayer internal implementation is HIPAA compliant or not. I've tried digging through the source of Video and MediaPlayer and cannot conclude either way whether this stores anything on the internal storage of the device.
With PDFs, I rely entirely on 3rd party applications for downloading and viewing the PDF files.
A backup solution is to include 3rd party applications for media/PDFs and modify anything that would need changing to be HIPAA compliant.
In the Android ecosystem, third-party and HIPAA compliance are just about mutually exclusive.
By firing off an intent, you are delegating the next action to the OS and to the user--you have very limited control over what app gets launched, and though unlikely, you could very well wind up passing PHI to Sketchy NSA Phone-Home PDF Scraper Pro™.
Admittedly, I'm not sure where the software's responsibility ends and the end-user's begins under HIPAA.
Never say never, but you will probably need to incorporate a reader into your app.
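The delegation described in the answer can be inspected from code. The sketch below is an added example, not code from either poster: it lists every package that would be offered an implicit `ACTION_VIEW` intent for a PDF and only builds an intent when a vetted viewer is installed. The function names and the allowlisted package name are hypothetical placeholders.

```kotlin
import android.content.Context
import android.content.Intent
import android.content.pm.PackageManager
import android.net.Uri

// Hypothetical allowlist: package names of viewers your organisation has vetted.
// "com.example.vettedpdfviewer" is a placeholder, not a real product.
private val VETTED_VIEWERS = setOf("com.example.vettedpdfviewer")

/** Packages that could receive an implicit VIEW intent for this PDF URI. */
fun pdfHandlers(context: Context, uri: Uri): List<String> {
    val probe = Intent(Intent.ACTION_VIEW).setDataAndType(uri, "application/pdf")
    // On Android 11+ the manifest needs a matching <queries> element,
    // otherwise package visibility filtering hides most handlers.
    return context.packageManager
        .queryIntentActivities(probe, PackageManager.MATCH_DEFAULT_ONLY)
        .map { it.activityInfo.packageName }
        .distinct()
}

/**
 * Returns an intent pinned to a vetted, installed viewer, or null so the
 * caller can fall back to an in-app reader instead of showing a chooser.
 * This matches on package name only; it does not verify the signing
 * certificate of the installed app.
 */
fun vettedViewerIntent(context: Context, uri: Uri): Intent? {
    val target = pdfHandlers(context, uri).firstOrNull { it in VETTED_VIEWERS }
        ?: return null
    return Intent(Intent.ACTION_VIEW)
        .setDataAndType(uri, "application/pdf")
        .setPackage(target) // only this package can resolve the intent
        .addFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION)
}
```

Pinning the package narrows who receives the file, but what the receiving app then does with it (caching, cloud sync, sharing) stays outside the sending app's control.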