Johns Hopkins Best Practices for Application Development

The following is a checklist of requirements for custom-developed mobile, web, and EMR-integrated applications within Johns Hopkins:

  • Applications will not put patients or users at risk of harm.
  • Applications developed for research should be part of an IRB Study.
  • Applications should reside on professionally managed Johns Hopkins servers or within the Johns Hopkins Cloud environment (Microsoft Azure preferred, AWS also available).
    • Applications hosted off-premise will require security review and legal approval.
  • Applications must conform to the CISO Risk and Controls Assessment Requirements.
  • Applications will not use, distribute, or expose protected health information or other confidential information illegally or in any manner other than that to which the Recipient has given its informed consent.
  • Applications collecting and managing HIPAA data must take extra precautions with sensitive data. Information about HIPAA can be found here.
  • Clinical applications not managed by IT@JH or the Technology Innovation Center must ensure their application is available 24/7.
  • All roles and points of contact for apps should be defined, including:
    • App Owner(s)
    • Administrators
    • Developers
    • Testers
  • All applications should be designed to avoid disrupting the operation of other systems (e.g., by flooding a system with too many requests).
  • Include Terms of Service language.
  • Any IP developed should be disclosed to JHTV.
  • Paid applications will require a License and Agreement ID with JHTV.
Branding & Marketing
Maintenance & Support
  • Application code must reside in the Johns Hopkins Bitbucket repository.
  • Application team should have a maintenance agreement with the developer for ongoing support.


For more information, please contact