Any Update on HIPAA Compliance?

Xano and API calls made via plugins client side might get you there. It would definitely require custom plug-in work. But you can absolutely send data from plugins to Xano without having it logged in Bubble at all. At least as far as the logs that they’re giving us access to indicate, we can do this.

Essentially you would store all data in Xano and use Bubble as your front end only. Any workflow that may process data would need to happen Xano side.

It ain’t a piece of cake, it’s more like a really, really fancy soufflé.

2 Likes

I think a client-side plugin would still expose the API key in the plugin editor to which Bubble staff have access? I can’t lock Bubble down to be accessible to my team only, like I can lock a Xano Workspace down.

@jared.gibb Did you have any luck with Strac.io? Looks like you investigated them at some stage as well.

What API keys? That’s not PHI, is it?

@jared.gibb @cowontherun are you guys in Australia? I would really like to know if you came across a way to make Bubble compliant with the APP?

The API connector would still have to make API calls to Xano?

Why not make them in the code in the plugin? You could get tricky, just use inputs and detect button clicks that aren’t attached to workflows but instead code.

Fetch will take you far

I asked Xano and they have posted this YouTube video on JS Fetch + Bubble.

3 Likes
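As an added example (not code from this thread, from Bubble or from Xano), this is what the “just use fetch from the plugin code” approach above looks like in practice: the browser posts the record straight to the external backend, and only non-PHI fields are ever handed back to Bubble. The endpoint, the `PHI_FIELDS` list and the short-lived per-user bearer token are hypothetical assumptions; the token assumption is there to avoid the static API key in the plugin editor that was raised as a concern earlier in the thread.

```javascript
// Added example, not code from the thread, Bubble or Xano: a client-side
// plugin action that posts PHI from the browser straight to an external
// backend with fetch, so the payload never enters a Bubble workflow and is
// never written to Bubble's logs. Hypothetical assumptions:
//   - the backend exposes POST https://backend.example/api/intake
//   - the backend issues the logged-in user a short-lived bearer token,
//     so no static API key has to live in the plugin editor
//   - the keys in PHI_FIELDS are the ones treated as PHI

const PHI_FIELDS = ["patientName", "dob", "diagnosis", "notes"];

// Build the request as plain data so it can be inspected before sending.
function buildPhiRequest(endpoint, token, record) {
  if (!token) throw new Error("missing bearer token");
  const url = new URL(endpoint);
  if (url.protocol !== "https:") throw new Error("PHI must only go over HTTPS");
  // PHI must never ride in the URL: query strings land in access logs,
  // browser history and Referer headers.
  for (const field of PHI_FIELDS) {
    if (url.searchParams.has(field)) throw new Error(`PHI field in URL: ${field}`);
  }
  return {
    url: url.toString(),
    init: {
      method: "POST",
      headers: {
        "Content-Type": "application/json",
        Authorization: `Bearer ${token}`,
      },
      body: JSON.stringify(record),
      credentials: "omit",   // no Bubble cookies are sent to the backend
      cache: "no-store",     // keep PHI out of the HTTP cache
    },
  };
}

// Drop PHI keys before anything is handed back to Bubble (for example via
// instance.publishState()); only identifiers such as a record id survive.
function stripPhi(record) {
  const safe = {};
  for (const [key, value] of Object.entries(record)) {
    if (!PHI_FIELDS.includes(key)) safe[key] = value;
  }
  return safe;
}

// Send from the browser. fetchImpl is injectable so the flow can run offline;
// inside a plugin you would pass the global fetch (or omit the argument).
async function sendPhiDirect(endpoint, token, record, fetchImpl = fetch) {
  const { url, init } = buildPhiRequest(endpoint, token, record);
  const resp = await fetchImpl(url, init);
  if (!resp.ok) throw new Error(`backend returned HTTP ${resp.status}`);
  return stripPhi(await resp.json());
}

// Constructed sample input and a fake backend, so the example runs offline.
const sampleRecord = {
  jobId: "job-42",
  patientName: "Jane Doe",
  dob: "1980-01-01",
  notes: "interpreter needed for oncology appointment",
};

function fakeBackend(url, init) {
  const received = JSON.parse(init.body);
  // Echoes PHI back, as a real API might; stripPhi keeps it out of Bubble.
  return Promise.resolve({
    ok: true,
    status: 200,
    json: async () => ({ id: "rec-1", jobId: received.jobId, patientName: received.patientName }),
  });
}

sendPhiDirect("https://backend.example/api/intake", "short-lived-token", sampleRecord, fakeBackend)
  .then((safe) => console.log("state published to Bubble:", safe));
```

The design point is that the only values that touch Bubble are the ones returned by `stripPhi`; everything the backend might echo back (here `patientName`) is dropped before it can become a plugin state, an element value or a workflow parameter that Bubble would log.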

It is a huge topic… But I hope that the Bubble team could place in their roadmap a HIPAA compliance solution for Bubble apps.

2 Likes

Has anyone found any alternatives close to Bubble.io that have HIPAA compliant options?
Any update from Bubble on whether HIPAA compliance is on roadmap for 2023 or 2024 @allenyang ?

Bubble’s staff isn’t HIPAA compliant, nor will they sign a BAA, which you need for HIPAA. (Don’t build on any platform that won’t give you one.)

Your two best bets for no code for easy compliance are Caspio & OutSystems, but you definitely pay the price for them.

Also just because the builder is compliant doesn’t mean your app will be. You will need a developer that understands building for compliance & documenting everything for your compliance application.

@lancemcneill

1 Like

Super helpful, @chris.williamson1996. I appreciate you taking the time to respond. Have a good weekend.

I can’t find the exact literature we used when I built my first HIPAA case management web app, but here is another resource I’ve found: https://langate.com/wp-content/uploads/2022/12/HIPAA-Compliance-Checklist-for-Software-Development-2022.pdf

With Bubble, you can integrate with TrueVault to become HIPAA compliant. Although it’s still up to you to make sure your implementations of TrueVault are bulletproof. Also, you’d need to have your own policies and procedures for PHI and protecting it, etc., and to make sure your staff is adequately trained.

All in all, if you’re an indie dev looking to build a SaaS product to offer, unless you’ve got lots of capital, legal experts, and other required resources, I’d steer clear of building any web app that handles PHI.

1 Like

Great info @doug.burden! Thank you for your response. I’m going to check out TrueVault.
@chris.williamson1996
I just got off a call with Caspio and their HIPAA compliant subscription starts at $3,750 per month, which is going to be cost prohibitive for our startup.

We’re looking to build an online marketplace connecting language interpreters with customers and some of those customers will be healthcare organizations who might require that our platform be HIPAA compliant because I can foresee that some of the job-related details would include personal health identifying (PHI) information.

1 Like

Yea, Caspio is definitely up there; OutSystems is a bit better. Compliance no code is expensive. (Full stack is almost better if you don’t want to get stuck with the high monthly costs.)

@doug.burden did you actually have a Bubble app obtain compliance? It was a few years ago, but Bubble wouldn’t sign a BAA form, & their team who has access to accounts/data isn’t trained on compliance, which will instantly fail you in the compliance review with HIPAA.

Our client spent $15k just trying to get compliance worked out on the Bubble version we built; we ended up having to rebuild full stack.

1 Like

Oh no, it wasn’t built on bubble. We used the .NET framework.

1 Like

But TrueVault is an entire backend as a service for all sorts of data compliance, HIPAA being one. If I were to pursue building an app on Bubble that handled PHI, I’d start there.

1 Like

I haven’t messed with PHI or compliance around it since 2016. And to be honest I’m sure a lot has changed and is still evolving. I know Azure does have resources you can create for health data; but I haven’t pursued any knowledge of it.

1 Like

Issue is the PHI will still pass through Bubble servers in logging. Unless Bubble signs a BAA (which they won’t, even on dedicated plans) and their team gets trained to be HIPAA compliant, you will still fail compliance.

Every point of access for the PHI has to be compliant, including all APIs, backend, servers, etc., and they are picky with BAAs for all major points that PHI passes through.

3 Likes

Yea. Unfortunately, you’ll be better off building with another stack on your own servers. Sh*t scares me, so I won’t be doing it again. HA

2 Likes