Any Update on HIPAA Compliance?

I understand that Bubble is not HIPAA compliant. Is this expected to change? Is it on the roadmap?

Thank you.


I emailed with the Bubble team recently and heard they still aren’t compliant but is something in which they are interested. I, too, am curious to know if this is on any sort of priority list.


+1 for interest in HIPAA compliance :slight_smile:


+1 here too!

Kinda a loaded question. You can get hipaa compliant with amplify/s3 or Firebase/firestore

Either way you need to implement iam security policies and follow all other hipaa requirements related to
Data storage and electronic transmission and storage of data.

+1 for compliance with hipaa

Maybe @allenyang might be able to shed some light on the status of HIPPA complicate and what might be causing Bubble not to fit the criteria for HIPPA compliance?

To chime in quickly here - we are not currently actively pursuing HIPAA compliance. We are instead looking more into compliance certifications that would address a wider range of use cases to start (eg SOC2)


Thanks for replying so promptly, @allenyang! Sad to hear, but understand y’all have to prioritize. :frowning:

Still hoping for a compliant Bubble one day even if it were “little” more than Bubble being a compliant front-end while data lives elsewhere. This would go a long way in making Bubble a viable offering for those of us with clients in Healthcare.

I’ll still keep the dream of a HIPAA-compliant Bubble solution on the back burner in the hopes that comes along. Have a few client app opportunities here for which I’d LOVE to use Bubble. Thanks again!

1 Like

This is already possible. Firebase and aws both offer hipaa compliant backend solutions. It’s your task to tie in the front to the back


Thanks for the reply, @jared.gibb. I’ve heard different things on this, which has been a point of confusion for me. I’ve seen the Bubble team indicate that Bubble CANNOT be used in relation to HIPAA data as they aren’t compliant even as a front-end. Maybe that’s related to the configuration?

@allenyang, can you speak to the possibility of using Bubble solely as a compliant front-end?

1 Like

So, i’ve not read much about a hipaa compliant front end. The only factors would be not storing any data and their backend not touching it. that plus end to end encryption which we get with HTTPS transmissions.

the bigger piece would be how you lock down data, signing a BAA, and how you store/manage that data over the long-run. storing for 7 years for example

1 Like

Thanks for those details! I’m newer to HIPAA compliance so am trying to envision how Bubble would work in cases where HIPAA data would need to be surfaced for the user to view on the front-end?

For example, let’s say you want to display patient surveys to a hospital; would showing them using Bubble controls on a Bubble page be a violation of HIPAA at all as long as the data is handled safely along the way? I know Bubble has been introducing new tools (e.g., Segment), so I want to be sure there would be no risk of legal action due to Bubble’s subprocessors.

Not as long as all the data transmission occurs on the front end or using hippa compliant backends

My preference is firebase/firestore because of the ease of implementation.

you can use client side JS to trigger all types of hipaa compliant actions i’d imagine and it all happens without ever touching bubbles servers. The only thing living in bubble is the site structure. I really want to talk to a lawyer or expert though to be sure of all this.


That’s good to know, and yeah! We need to find a lawyer here on Bubble (unless the Bubble team have any comments?)

I’d love to just get confirmation if we can use a hippa compliant backend and use bubble as the front provided it’s not touching the data.

the problem probably lies in that even as a ‘front end only’ the backend does touch the data for some reason unbeknownst to us.

+1 for HIPAA compliance. I have to say lack of this is super disappointing because otherwise Bubble is an ideal platform to develop my practice management application.


@allenyang any plans this 2022 for hipaa compliance?

No, unless things change a lot, HIPAA is not on our roadmap for 2022

1 Like

But Bubble has the ‘run as’ functionality on the front-end so even if your back end was HIPAA compliant, if you still store your User table in the db, an American Bubble support staff person can ‘run as’ a User and view front-end data. (They have app access rules in place/a login register for their staff but we don’t have any control over these rules). If the User table is also stored externally then they would still be able to access API keys. I don’t know about for USA start-ups but for Australian start ups this would break data sovereignty compliance, even if I use an Australian server with an external db.