Any Update on HIPAA Compliance?

I understand that Bubble is not HIPAA compliant. Is this expected to change? Is it on the roadmap?

Thank you.

6 Likes

I emailed with the Bubble team recently and heard they still aren't compliant, but it is something in which they are interested. I, too, am curious to know if this is on any sort of priority list.

2 Likes

+1 for interest in HIPAA compliance :slight_smile:

3 Likes

+1 here too!

Kinda a loaded question. You can get HIPAA compliant with Amplify/S3 or Firebase/Firestore.

Either way you need to implement IAM security policies and follow all other HIPAA requirements related to data storage and electronic transmission and storage of data.

+1 for compliance with HIPAA

Maybe @allenyang might be able to shed some light on the status of HIPAA compliance and what might be causing Bubble not to fit the criteria for HIPAA compliance?

To chime in quickly here - we are not currently actively pursuing HIPAA compliance. We are instead looking more into compliance certifications that would address a wider range of use cases to start (e.g. SOC 2).

4 Likes

Thanks for replying so promptly, @allenyang! Sad to hear, but understand y'all have to prioritize. :frowning:

Still hoping for a compliant Bubble one day even if it were "little" more than Bubble being a compliant front-end while data lives elsewhere. This would go a long way in making Bubble a viable offering for those of us with clients in Healthcare.

I'll still keep the dream of a HIPAA-compliant Bubble solution on the back burner in the hopes that comes along. Have a few client app opportunities here for which I'd LOVE to use Bubble. Thanks again!

1 Like

This is already possible. Firebase and AWS both offer HIPAA-compliant backend solutions. It's your task to tie in the front to the back.

2 Likes

Thanks for the reply, @jared.gibb. I've heard different things on this, which has been a point of confusion for me. I've seen the Bubble team indicate that Bubble CANNOT be used in relation to HIPAA data as they aren't compliant even as a front-end. Maybe that's related to the configuration?

@allenyang, can you speak to the possibility of using Bubble solely as a compliant front-end?

1 Like

So, I've not read much about a HIPAA-compliant front end. The only factors would be not storing any data and their backend not touching it. That plus end-to-end encryption, which we get with HTTPS transmissions.

The bigger piece would be how you lock down data, signing a BAA, and how you store/manage that data over the long run. Storing for 7 years, for example.

1 Like

Thanks for those details! I'm newer to HIPAA compliance, so am trying to envision how Bubble would work in cases where HIPAA data would need to be surfaced for the user to view on the front-end.

For example, let's say you want to display patient surveys to a hospital; would showing them using Bubble controls on a Bubble page be a violation of HIPAA at all as long as the data is handled safely along the way? I know Bubble has been introducing new tools (e.g., Segment), so I want to be sure there would be no risk of legal action due to Bubble's subprocessors.

Not as long as all the data transmission occurs on the front end or using HIPAA-compliant backends.

My preference is Firebase/Firestore because of the ease of implementation.

You can use client-side JS to trigger all types of HIPAA-compliant actions, I'd imagine, and it all happens without ever touching Bubble's servers. The only thing living in Bubble is the site structure. I really want to talk to a lawyer or expert though to be sure of all this.

2 Likes

That's good to know, and yeah! We need to find a lawyer here on Bubble (unless the Bubble team have any comments?)

I'd love to just get confirmation if we can use a HIPAA-compliant backend and use Bubble as the front provided it's not touching the data.

The problem probably lies in that even as a 'front end only' the backend does touch the data for some reason unbeknownst to us.

+1 for HIPAA compliance. I have to say lack of this is super disappointing because otherwise Bubble is an ideal platform to develop my practice management application.

2 Likes

@allenyang any plans this 2022 for HIPAA compliance?

No, unless things change a lot, HIPAA is not on our roadmap for 2022.

1 Like

But Bubble has the 'run as' functionality on the front-end, so even if your back end was HIPAA compliant, if you still store your User table in the db, an American Bubble support staff person can 'run as' a User and view front-end data. (They have app access rules in place/a login register for their staff, but we don't have any control over these rules.) If the User table is also stored externally then they would still be able to access API keys. I don't know about US start-ups, but for Australian start-ups this would break data sovereignty compliance, even if I use an Australian server with an external db.