This section describes the review process that ensures an App meets VA software standards. Plan and develop your App according to the Compliance Review guidelines to avoid rework later. Most Compliance Review Bodies are willing to conduct an informal review early in Planning or Development. The Compliance Review stage formally begins when you hand the code off to Verification and Validation.
About the Compliance Bodies
Every VA Mobile App must undergo the following reviews (or be granted waivers) to ensure it meets all VA software standards:
- About Verification and Validation (V&V): This review ensures that the App's code is free of defects and meets all of its business requirements. The App must pass the Verification and Validation review before proceeding with any other reviews.
- About Code Review: VA scans your App code with the Fortify scan tool and performs other tests to ensure it meets VA coding standards.
- About the Clinical Review: If your App handles clinical evidence, the Mobile Applications Governance Board arranges for an independent clinical review when it approves the Request.
- About the Data and Terminology Standardization Compliance Review: This team evaluates and interprets the App's data terms and ensures they map to standardized terms. The review team follows VA and Health Level 7 (HL7) standards.
- About the Data Security Compliance Review: This review ensures that the VA can place the App on VA Government Furnished Equipment (GFE), and the information that may reside on the device is secure.
- About the Enterprise Security Compliance Review: This review examines the App's source code to ensure there are no security risks and it is suitable for operating within the VA network.
- About the Patient Safety Assessment: This review provides analysis and assessment of health care information technology patient safety issues based on specific combinations of user, task, technology, and environment of use.
- About the Privacy and Application Data Security Compliance Review: This review ensures that Protected Health Information (PHI) and Personally Identifiable Information (PII) are appropriately protected and that the data entered into the mobile device is appropriately secured.
- About the Section 508 Compliance Review: This review ensures that the App meets the Federal law requiring that individuals with disabilities can use it.
- About the User Interface Compliance Review: This review verifies that the App meets all required VA User Interface standards for Apps.
- About the VA Branding Compliance Review: This review ensures that the colors, fonts and logos used in the App comply with the standards outlined in the VA Mobile App style guide.
- About User-Centered Design: This review ensures a positive, meaningful and valuable user experience.
- About Enterprise Systems Engineering (ESE): This review provides central systems engineering services and management of a technical framework promoting one technology vision across VA, which supports system optimization, integration and interoperability throughout the enterprise.
Risk Level Determines Review Level
Not all VA Apps undergo a complete review by all Compliance Review Bodies. Some Apps pose little or no risk of harm to users or the VA. The Mobile Applications Governance Board (MAGB) assigns a risk level category to every Request it approves for development, and the V&V review confirms that the App has the correct category assignment. The category determines how thorough the review must be. VA maintains a matrix for determining the risk level for each App. If you have an MAE JIRA account, you can view the matrix:
Web and Mobile Application Types and Compliance Matrix at https://wiki.mobilehealth.va.gov/display/NMOCMAPS/Web+and+Mobile+Application+Types+and+Compliance+Matrix