HIPAA Compliancy

Hi all,

First timer over here and am developing a custom CRM in the senior industry. I was wondering, can I still develop on the Bubble platform and be protected under HIPAA compliancy laws?

Thanks!

Ryan

Hello,

No, we don’t support this currently. It’s a very big project to be HIPAA compliant.

2 Likes

Thank you for the quick response. I spoke to a company by the name of TrueVault that is a HIPAA compliant cloud and hosting company, and their question for me to ask was: can you store a subset of your data in a different database? @emmanuel

Ryan

You can have a separate SQL database and use the DB Connector, but I don’t think that’d make you compliant.

Do you know any customers of yours that have created a web app that is HIPAA compliant using an external database? I would like to be able to use your product to develop my idea, but need a little help with the questions that would be flying back and forth. Is there any information that I would need to present to a HIPAA compliant hosting company so that they would understand how to talk to the Bubble system? @emmanuel

Thank You,

Ryan

Hi Ryan, do you have a thorough understanding of the requirements to be HIPAA compliant? My understanding is there are many requirements and being on a separate database wouldn’t be near enough to be compliant.

If you’re well versed in HIPAA compliance, then perhaps you can find a creative solution. If not, I strongly advise you to use only HIPAA compliant vendors and not to try to get creative.

Note - very few products are HIPAA compliant. Even Google won’t make the vast majority of their products HIPAA compliant because it’s so very costly to support. So, you’ll want to be very careful about the vendors you choose.

Also, I think you’ll probably be required to have all of your software vendors sign a BAA, which means that they agree to be compliant and have liability if they don’t follow the rules. In my experience, only vendors who are focused on the healthcare space and make a point of being HIPAA compliant will take on that type of risk.

Ok. Still learning my options for HIPAA compliancy as I go through the process. Thank you for your input and time.

Regards,

Ryan

You’re welcome. Best of luck!

I consult with small businesses on HIPAA compliance, and I’m happy to talk through your application with you. There is a chance you could keep Bubble outside the compliance scope (though I may not recommend it depending on the application). TrueVault may be one option, but it is not without risks of its own. At any rate, I would need more context to point you in a solid direction.

1 Like

According to this Amazon whitepaper, AWS is HIPAA compliant. All that’s needed is for Bubble to request a BAA (Business Agreement) from Amazon.

1 Like

It’s actually quite a bit more complicated (designing an architecture for HIPAA compliance on AWS right now). The BAA has quite a few stipulations about how protected health information (PHI) is handled. In particular, PHI can only be stored or processed on a subset of AWS services and those services must be run on dedicated hardware instances. Good news is that AWS has expanded some of these services, but it’d still take a lot of collaboration between the Bubble team and the developer to make sure that the application meets Amazon’s restrictions.

On top of the Amazon requirements, Bubble would also have to designate security/privacy officers, develop policies and procedures to stay compliant with HIPAA, demonstrate a robust security architecture within their platform, and implement a business associate agreement with the parties that are interested. You can get part of the way there by pulling boilerplate from online, but doing it properly still implies hundreds of hours and tens of thousands of dollars.

All of that said, I’ve had this little thought bouncing around my head about proposing a partnership to standup and run a HIPAA compliant version of Bubble. :stuck_out_tongue:

3 Likes

_(Does this sound plausible with Bubble???)_
Need a HIPAA solution for a non-coder ecommerce site.

SPLITTING YOUR DATA (Source TrueVault)

Fortunately there’s a better way: Data De-Identification. It involves separating out Protected Health Information (names, email addresses, physical addresses, health information, and other identifying information) and storing that data (and only that data) in a separate HIPAA-compliant data store. This frees you to host your application, and store the rest of the de-identified data, in an environment not subject to HIPAA.

If this sounds familiar, it’s probably because it’s a lot like using Stripe to store card payment information. In that case, rather than storing the 16-digit credit card number in your database and incurring the burden of PCI Compliance, you partition your application’s data into regulated credit card data (stored in Stripe) and non-regulated application data (stored in your database). In exactly the same way, Data De-Identification allows you to remove the majority of your data from the scope of HIPAA.

The result is that you can run the de-identified stack on any platform, write it in any language, and use any framework or SaaS tool you want without worrying about compliance issues. You will have to make changes to your application, but doing so will be much closer to the effort required to integrate Stripe than to the massive rebuild described above.

5 Likes
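The de-identification pattern in the TrueVault excerpt above, as an added example (not TrueVault’s, Bubble’s or the poster’s code): PHI fields are moved into a separate regulated store and the application record keeps only an opaque token. The vault class, the list of PHI fields and the sample record are all constructed for the example; in a real deployment the vault would be the HIPAA-compliant service and the field list would come from your own data inventory.

```python
"""Data de-identification: split PHI out of an application record (added example).

The "vault" here is an in-memory dict standing in for a separate HIPAA-compliant
store; the non-regulated application database only ever sees the token.
"""
import secrets
from typing import Dict

# Fields treated as Protected Health Information. Constructed for the example;
# the real list comes from a data inventory of the application.
PHI_FIELDS = frozenset({"name", "email", "address", "diagnosis", "notes"})

# Constructed sample record mixing PHI with non-regulated application data.
SAMPLE_RECORD: Dict[str, str] = {
    "name": "Jane Example",
    "email": "jane@example.com",
    "address": "1 Example Street",
    "diagnosis": "hypertension",
    "plan": "premium",
    "locale": "en-US",
}


class PhiVault:
    """Stand-in for the separate HIPAA-compliant data store."""

    def __init__(self) -> None:
        self._store: Dict[str, Dict[str, str]] = {}

    def put(self, phi: Dict[str, str]) -> str:
        # The token is random, not a hash of the PHI: a hash of a name or email
        # could be matched against a list of known identities, a random token cannot.
        token = secrets.token_urlsafe(16)
        self._store[token] = dict(phi)
        return token

    def get(self, token: str) -> Dict[str, str]:
        return dict(self._store[token])


def split_record(record: Dict[str, str], vault: PhiVault) -> Dict[str, str]:
    """Move PHI fields into the vault; return the de-identified record plus a token."""
    phi = {k: v for k, v in record.items() if k in PHI_FIELDS}
    deidentified = {k: v for k, v in record.items() if k not in PHI_FIELDS}
    deidentified["phi_token"] = vault.put(phi)
    return deidentified


def rejoin_record(deidentified: Dict[str, str], vault: PhiVault) -> Dict[str, str]:
    """Reassemble the full record; only code with vault access can do this."""
    full = {k: v for k, v in deidentified.items() if k != "phi_token"}
    full.update(vault.get(deidentified["phi_token"]))
    return full


def leaks_phi(deidentified: Dict[str, str], original: Dict[str, str]) -> bool:
    """Sanity check: does any PHI value from the original survive in the de-identified record?"""
    phi_values = [str(original[k]) for k in PHI_FIELDS if k in original]
    return any(pv in str(v) for pv in phi_values for v in deidentified.values())


def demo() -> Dict[str, str]:
    """Run the split on the sample record and return the de-identified part."""
    vault = PhiVault()
    deidentified = split_record(SAMPLE_RECORD, vault)
    assert not leaks_phi(deidentified, SAMPLE_RECORD)
    assert rejoin_record(deidentified, vault) == SAMPLE_RECORD
    return deidentified


if __name__ == "__main__":
    print(demo())  # e.g. {'plan': 'premium', 'locale': 'en-US', 'phi_token': '...'}
```

The point of the pattern is scoping, not encryption: the non-compliant platform never holds a field that identifies a person, so it stays outside the BAA boundary the way a Stripe-integrated shop stays outside most of PCI scope. That only holds if the PHI is written directly to the vault and never passes through, or is logged by, the non-compliant side.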

Sounds attainable to me with Bubble.

I recall Emmanuel saying that Bubble can’t promise HIPAA compliance. I think building on Bubble would be a big risk, so please do your research before you start getting personally identifiable info in the system!

Which is the reason why @anon29779373 mentioned that excerpt. DataVault would allow you to manage such sensitive data for apps that have no way of being HIPAA compliant themselves. In other words, integrating with DataVault and implementing “Data De-Identification” doesn’t require that Bubble be HIPAA compliant. If someone goes this route though, I caution to be extra careful about how they handle any data and to make sure DataVault is implemented correctly.

2 Likes

Bumping this topic since it’s been close to a year. Does anyone have any updated information about building a HIPAA compliant solution on Bubble, with or without a separate HIPAA compliant 3rd party vendor? Has anyone been successful building a HIPAA compliant solution using bubble? Thanks for help!

For some context, we are building a mobile platform for medical triage that will require storing PHI. I do not believe we will be able to de-identify data, since it needs to be identified data in real time to provide the live triage component. Initially, we were going to build it ourselves and deploy on top of Aptible, which is a 3rd party HIPAA compliant data solution, but we have since lost our developer due to poor fit. Now, as we search for a new developer, I’m wondering if it’s possible to use Bubble to build a front end, with data encryption, and deploy on top of someone like DataVault or Aptible. The other option would be to build a very basic prototype version that only allows communication with a nurse, but no actual data transfer.

1 Like

Did anyone come up with a solution to build HIPAA compliant solutions?

I haven’t, but I’m interested in this question as well for my app.

1 Like

I’m also very interested in building a HIPAA-compliant application with Bubble.

I recently launched this business ( https://www.bettercare.online/ ) to give people affordable online access to a naturopathic doctor and my big issue right now is that the software I’m using for handling the PHI-related stuff isn’t quite cutting it, nor do any of the many options I’ve looked at.

I want to build my own simple application in Bubble, but obviously it has to adhere to HIPAA. The Data De-Identification mentioned above looks interesting, but a little bit beyond my abilities.