The Firebase libraries are in fact client side and allow you to auth users and transact private sensitive data securely.
I’m watching you @PWC. You’re a bit rebellious with that knowledge dropping. I like your style.
@hi14 HIPAA compliance requires each process and component to be compliant not just the associated storage or plugin. So unfortunately, the platform as a whole is not yet HIPAA compliant. We are evaluating steps required to become HIPAA compliant but this is a longer term project without a guaranteed timeline at the moment.
Hi Rebecca from Virgil Security here.
I’m not a Bubble expert and I don’t know how PHI is moving around your app, so I can’t speak to whether you can use Bubble or not for your use case.
However, I can explain some common data storage/transmission scenarios and Virgil Security’s view on their implications for HIPAA compliance. It’s important to note that I’m not a HIPAA expert or attorney, but am just sharing some learnings from working with our users operating in the healthcare industry.
- If you are storing healthcare data and the respective personal identifiers (like full name, email address, etc.) somewhere, that data is considered Protected Health Information (PHI) under HIPAA, and the storage service needs to assert that it is HIPAA compliant and sign a BAA with you. Bubble does not call itself HIPAA compliant and will not sign a BAA, so this means you cannot use it to store any healthcare data tied to an individual.
- If you are just passing the PHI through a service, the service does not need to assert that it is HIPAA compliant and does not need to sign a BAA with you IF your use of that service is done in a way that qualifies them as a “conduit” under HIPAA (like the Post Office delivering a package). According to a third party expert opinion, if you use Virgil’s end-to-end encryption service AND redact/delete all PHI from the service after the message data is delivered to the recipient, that would qualify a service like Twilio or Nexmo (or Bubble) as a conduit under HIPAA and can be used as a mechanism to send and receive PHI as long as they’re not storing it.
- If you are using a service but not sending/storing any healthcare information with it, the service does not need to assert that they are HIPAA compliant. Even if a service like Stripe is seeing sensitive user data like email addresses or bank accounts, it’s not subject to HIPAA compliance because they don’t see any healthcare data. This might be relevant here. If Bubble is just seeing information related to the users and not to their healthcare data, it might be fine. More info here - https://www.hipaajournal.com/what-is-considered-protected-health-information-under-hipaa/.
- If you completely de-identify your data, meaning you’ve separated the healthcare data from any names, emails, DOBs, etc., it’s not subject to HIPAA’s Privacy Rule and can be freely shared. This most likely won’t apply here. This exception is most commonly used to build large datasets for academic research and other analytical purposes where there’s very little chance of linking a healthcare record back to an individual.
Hope this is helpful!
Feel free to join other developers and security experts in the Virgil Security Slack workspace here to discuss further - https://virgilsecurity.com/join-community
So @lottemint.md was right from the beginning. Hope you got paid, you deserve it.
@nocodeventure He did get paid, of course. I think now you know why I didn’t do the app with you - I was not sure it was a good idea at the moment. (HIPAA reasons)
@rebecca1 and @neerja, I think you guys have a fantastic opportunity to work together here. Bubble is an up-and-coming platform, and the benefits that a fantastic company like Virgil Security offers are immense. As an expert growth strategist, I tell you the following: you need each other, and you should explore this opportunity. About three years ago, @emmanuel said something similar to what you said, Neerja: ”We are evaluating steps required to become HIPAA compliant but this is a longer term project without a guarantee.”
Well, here you are, ladies! Invite your CEOs to the conversation and win that promotion. - Damian
Hi,
I understand and hopefully you will be back once Bubble is compliant.
Cheers
@neerja Since you don’t deal with HIPAA compliant apps on a daily basis, would you mind giving us all a bit more context as to how you formed that opinion or where you got that information from?
Also, would you mind commenting on what @rebecca1 so graciously explained to us all? I think this is a very important subject that deserves more attention.
Thank you, @neerja
Bubble can’t handle this particular use case. You’ll need to either use some other framework or code it from scratch. HIPAA (and other healthcare privacy regs) is just not the sweet spot for Bubble. There’s near-zero incentive for Bubble to support such use cases either. You’re just barking up the wrong tree. Do another idea (if you’re hooked on Bubble) or use some other framework (which may or may not even exist) for your needs-to-be-HIPAA-compliant app idea. Or do both (the non-HIPAA idea in Bubble and the HIPAA-regs-compliant idea somewhere else).
@keith Respectfully, you literally said nothing.
Actually, I explained it all to you. But you can ignore that if u wanna. To reiterate: There is no low- or no-code platform that will let you build a HIPAA-compliant app. Full stop.
Ok. Thank you @keith
It’s possible there is one (we can’t scientifically disprove a negative) but it’s highly unlikely. If there were, the entry cost would be in the hundreds of thousands of dollars. (Heck, I think of changing the entry cost of CG Pro to be 6 figures. Get it now, as they say…)
Then use that?
So I can build HIPAA Compliant apps now?
Almost! Before moving on to a HIPAA plan, you must sign a Business Associate Agreement (BAA) with us and migrate any existing apps.
Once you are on the HIPAA plan, you can then use Knack to create database applications for storing and managing your protected health information.
But note you need to sub the database.
Quit trying to get shit for free that YOU WILL NOT GET for free, right?
@keith Language! Please be respectful, sir.
Then use THAT. It’s not Bubble. Good luck! Seriously.