Proper implementation of HIPAA within iOS app with several factors

Disclaimer: My company makes a HIPAA-compliant iPod application. I'm responsible for the compliance...

The iPhone actually meets many HIPAA requirements out of the box. Once a passcode is set on the device, the contents are encrypted -- which takes care of many HIPAA requirements, notably encryption at rest.

For downloading the data, you must use a TLS or otherwise encrypted connection to make sure data is encrypted in transit.

You have to configure your application to download and push a security policy to a web site in a .mobileconfig file that forces the users to set a passcode on the device to use the application. If the passcode is set, then the device is encrypted. So, the .mobileconfig will enforce this.

You should also leverage the keychain to store any type of token or credential provided by the user. To make it simpler, you can have your app require a 4-digit passcode to unlock those credentials from the keychain -- rather than have them retype a password on the phone.

If the app does not have a network connection to the server constantly, you can create a sync button. This will sync relevant data to the local filesystem. When changes are made, it saves them locally until the app is told to sync again, at which point it reconciles the changes with the master web app database.

Finally, this is not an exhaustive description of iOS HIPAA compliance. I encourage you to consult with a lawyer to draw up your security policies and other documentation, which you are required to have under HIPAA.
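As an added illustration of the keychain and passcode points in the answer above (example code, not the answer author's or any project's code): a token stored with `kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly` can only exist while a device passcode is set, is deleted by iOS if the passcode is removed, and is never copied into backups. The service identifier is an assumption.

```swift
import Foundation
import Security

// Hypothetical service identifier for this app's keychain items (not from the answer).
let tokenService = "com.example.phi-app.session"

enum KeychainError: Error {
    case unexpectedStatus(OSStatus)
}

/// Stores a server-issued session token in the keychain.
/// kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly: the item can only be created
/// while a device passcode exists, is removed if the passcode is removed, and is
/// not migrated to backups or another device.
func storeToken(_ token: String, account: String) throws {
    // Delete any previous token for this account so SecItemAdd does not return errSecDuplicateItem.
    let lookup: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: tokenService,
        kSecAttrAccount as String: account,
    ]
    SecItemDelete(lookup as CFDictionary)

    var attributes = lookup
    attributes[kSecValueData as String] = Data(token.utf8)
    attributes[kSecAttrAccessible as String] = kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly

    let status = SecItemAdd(attributes as CFDictionary, nil)
    guard status == errSecSuccess else { throw KeychainError.unexpectedStatus(status) }
}

/// Reads the token back; returns nil when none is stored (including after the passcode was removed).
func loadToken(account: String) throws -> String? {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: tokenService,
        kSecAttrAccount as String: account,
        kSecReturnData as String: true,
        kSecMatchLimit as String: kSecMatchLimitOne,
    ]
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    if status == errSecItemNotFound { return nil }
    guard status == errSecSuccess, let data = item as? Data else {
        throw KeychainError.unexpectedStatus(status)
    }
    return String(data: data, encoding: .utf8)
}
```

On a device with no passcode set, `SecItemAdd` fails for this accessibility class, which the app can treat as the cue to require the user to set one before any credential is cached.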