Challenge for amazeball developers (Virgil Security, HIPAA)

All - let’s be collaborative here :slight_smile: . We’d all like to see a HIPAA project successfully deployed using Bubble, so no harm in smart minds thinking through how it COULD work.

We’ve looked at using Virgil in the past and have thought through this architecture. For reasons @rebecca1 mentioned, we think this is possible depending on the needs of the application, and where Bubble would need to fall in the architecture/data transmission. End of day, every regulated application, whether PCI, HIPAA, or other, comes down to a human’s interpretation of a set of guidelines. As per our interpretation, you’d build a HIPAA compliant application to the best of your understanding with the regs and if/when an audit occurs (self-sponsored, or event-triggering) you will make your case to an auditor. The risk/expense associated with mitigating or managing said audit would be the same with or without using Bubble. Intuitively, it would still be less, as the ability to iterate using Bubble is generally lower - but audit risk is ever-present, nonetheless.

We’ve DM’d @hi14 with a list of app-specific questions, but our view is that this may very well be feasible today, but by no means is a vanilla Bubble project. If anyone else is interested in how we’ve thought about this for clients you may have, please feel free to message us and we’d be happy to help you think through it.

@neerja - if bubble is expressly stating that they don’t want users to build stuff in the space, that is one thing. But if you aren’t closing off the window, it does seem possible for certain types of applications.

1 Like

If data is stored elsewhere, like @PWC and @rebecca1 mentioned, and logs are not saved in Bubble, could there be an option not to save workflow actions to the app’s logs?

1 Like

@hi14 I can only agree with @keith
Going HIPAA will cost a lot. So I don’t believe it’s a priority (and I don’t think it should be) for Bubble.
Just to give you an idea: the HIPAA plan for Knack starts at 500$+/month and Caspio at 400$/month. And this doesn’t include the dev time you will spend to create your app. So I don’t think there are enough clients for that to make this high on the roadmap.

Also, HIPAA is a set of guidelines. That means everybody has a different way of interpreting them. This includes all parties included in this topic (Virgil, Bubble and you and me ;p). But for all the tools, even if Bubble gets compliant (or you choose Caspio or Knack), there’s always a part that remains on the dev, and you will need to handle this part to be compliant. It is not that just buying a tool that is HIPAA compliant makes YOUR app HIPAA compliant.

4 Likes

@Hyperbuild_Labs I hear you loud and clear, and I will respond to your private message. I’ll share my info with the excellent participants here in the thread.

I have talked to an expert HIPAA consultant about this (not in depth), and he agrees with @rebecca1.

You see, due to the “you don’t get to take your app’s code elsewhere if you want to” environment we find ourselves in with this fantastic technology, thus far, the following is my only concern.

" @neerja if bubble is expressly stating that they don’t want users to build stuff in the space, that is one thing. But if you aren’t closing off the window, it does seem possible for certain types of applications."

Like many new adopters of what I believe is the future of code, I don’t mind keeping my app’s code in one place even if I can’t take it with me if I chose to.

However, unique policies, likes, and dislikes are something that would be a deal-breaker for me. (I am NOT saying that that is the case here at all.) I truly hope that Emmanuel’s and the boys’ spirit of changing the world with a no-code technology carries its weight with other possibilities outside of one single bubble.

Besides, is there a better way to expand? We need these types of “serious” apps representing the technology we all have come to love. :heart:

No we don’t need any hipaa apps right now. They said it’s a big job, I much prefer they continue to focus on speed and performance.

1 Like

@Jici The HIPAA practices envelop a lot more than just the technology that’s used for carrying out a particular action in the health care ecosystem. As you can gather from what we are trying to solve here, a technological aspect in the workings of this ecosystem is what we are trying to assemble.

I am NOT a developer.

However, pricing, should or shouldn’t, how-to strategies and expansion is my expertise and that we can talk about in length if it adds to solving this particular challenge.

Respectfully, I disagree with the entire first half of your comments regarding what you think would favor Bubble.is.

@danielowega I see that you or your clients don’t need a HIPAA compliant app. If you pay closer attention to what’s being presented by the participants, you’ll notice that Bubble wouldn’t have to do, well, much.

But I’d rather let others second what I am saying when it comes to smarter tech subjects.

But wait, are you saying that Bubble is slow and its performance is bad? That’s not good for my dream or any other app that is already built on this platform.

Please tell us more about this terrible product you are describing. I am not a techie person, and your comments do alarm me.

I don’t care to answer your questions.

Okay. You did bring up a good point, though — performance and speed are crucial. Sorry, Daniel, I think I accidentally erased this message before.

michaelscott

1 Like

I am not sure if you guys can see the same feed I see. But I see this message. Is that from the show The Office? Anyways.

So what are you planning right now? Are you going to use Bubble or what are the alternative solutions?

1 Like

Hi All, :raised_hand_with_fingers_splayed:

@enes

1. I am planning a few things. (read below)

2. After being contacted by some fantastic participants here on the forum, after all, I am still considering Bubble for my HIPAA compliant app. The dream is alive y’all!

3. There are other tangible and attainable solutions out there for the type of company you contacted me in private about.

The one thing you must ALWAYS keep in mind while working in Bubble’s environment is that Bubble could bring your enterprise down if they saw it fit as per their policies, beliefs, likes, or dislikes, etc.

Bubble.is is a privately owned company (not open source), and they can do things which you might not like. Things you might not like include you being dropped as a client, or things being erased or stopped from happening. When or if that happens, well, there goes your everything.

This terrifying possibility is the one characteristic that deters other more “serious” companies from ever coming on board with Bubble. You have to take that risk on your own. There is no reason to be alarmed, yet, or hopefully never, but this is the one particular reason why I would NEVER recommend others to join something that could potentially harm their investment.

Although different, Facebook “kills” good and honest companies on a daily basis. Companies that plan, market, and execute their business models around or on top of Facebook’s ecosystem - chatbots, integrations, and analytics, etc. Facebook changes its policies every time it sees outsiders make money in some honest way. You see, they learn from what these outside developers (companies) are doing, and then they implement those same models themselves. They are geniuses - evil geniuses. It’s as if they have thousands of MVP creators that cost them nothing. Essentially, they have an army of researchers and developers that cost them zilch.

Those who create plugins or services on top of Bubble should be very mindful of this. This is one of many other examples @Hyperbuild_Labs

Unless you are “part of the family” or unless you have signed a contract that protects you, I wouldn’t take my eyes off of this.

All that darkness said, I am willing to take the risk with Bubble.is - my own money. I have faith that Bubble isn’t a totalitarian company. What do you think? @enes

Without giving specifics here, you mentioned investment once you go native. Look, the vast majority of apps or businesses never see the light of day. If you are already thinking of going native down the road, go native now.

Most people mistake the role of an MVP, and they think that creating an “MVP” on Bubble is a good idea - that is not always correct. Most people rush to creating apps; instead, they should validate their idea with a simple survey or a basic landing page.

They should ask their potential users (clients) to pay minimal advancement on the promise of the app. If they pay for it, well, at that point, Bubble or native will be, at least, a lesser concern. You have to be creative in how you ask, though. If the app that you described in private is for your PERSONAL use, then, by all means, I’d say explore all Bubble and native possibilities.

So, what am I planning to do now? Three things.

1. At first, when I got @keith 's response, I wanted to crawl in my bed and mourn the loss of my dream :sleepy:. I must say that I NEVER felt like punching him in the face,:boxing_glove: no-no-no. However, I did feel like firmly pressing my thumb against his left cheek until he turned purple :imp:. But I never ever thought of hurting him. (I would never do that)

I then received @Jici 's response, which made me think that perhaps @keith was NOT as KooKoo :stuck_out_tongue_winking_eye: as I originally had thought!! I actually started to appreciate and like Keith’s response :thinking:. I was the KooKoo one. My thoughts of firmly pressing my thumb against his left cheek until he turned purple began to melt away. I started to like @keith

In fact, those thoughts started to make me feel a bit dirty and creepy. Keith was merely pointing out some difficulties. He did take his time to do so, and kindly offered his take on the challenge. Nonetheless, a dark and violent side in me was awakened when I felt my dream fading away. @keith and @Jici are, in my opinion, very valuable minds. Although they didn’t offer solutions, they did point out some negatives that need to be taken seriously into consideration. Thank you, guys.

2. I am waiting on the always caring and helpful @neerja :pray: I’m hoping she will respond to what I believe is one of the smartest non-tech comments on this thread. The comment is from @Hyperbuild_Labs

" @neerja - if bubble is expressly stating that they don’t want users to build stuff in the space, that is one thing. But if you aren’t closing off the window, it does seem possible for certain types of applications."

3. I will continue massaging my knees :leg: in an attempt to minimize the swelling caused by all the praying :angel: I have been doing in the past days while dealing with this challenge.

Thank you for your questions, @enes

Damian

P.S

Guys, keep the questions and suggestions coming. Do you realize that you have a huge opportunity here with the forum to make your goals a reality? What can I do for you?

I can already hear someone say, “you can shut up, man!! That’s what you can do for us!!” Haha, funny. :smile:

2 Likes

As you’re back with Bubble, the first challenge is still…

I think the first challenge will be with Bubble to get the JWT (JSON Web Token)

So technically you owe me $100 :joy:

Unless you touch illegal domains, there’s no obvious reason that Bubble would be a threat to our applications. I understand that we are totally dependent on the platform, but I see Bubble as my business partner with the responsibility of maintaining my servers operationally, and offering me simple tools for designing and implementing my ideas.

The day our friends at Bubble sell their business to a giant, well, there are other challenges ahead. And before that happens, you’ll have plenty of time to monetize your project.

2 Likes

I think you are correct about the $100 :smile:
But now that I am back, the challenge isn’t over!

Do any of you smart people have an answer for Mr. @JohnMark ?

" I’m trying to create a JWT from Bubble to be used with Nexmo API. Easy steps? I have a private.key and I tried using an api connector with JWT, but I’m stuck. My understanding is that the JWT must be created on Bubble server. Do we have to create a plugin for each JWT? curl -X POST https://api.nexmo.com/v1/calls/ -H “Authorization: Bearer \ JWT” -H “Content-Type: application/json” -d ‘{ “to”: [{ “type”: “phone”, “number”: “1xxxxxxxxxx”}], “from”: {“type”: “phone”, “…

Give it a try!

There are a ton of node libraries that can sign a JWT token. Anyone with a knowledge of JavaScript could build it for you as a SSA.

Auth0 maintains an open source one that I have used a few times in projects.

TBH, I didn’t know this was such a roadblock for people!

1 Like
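The server-side signing step discussed in the posts above, as an added example that is not part of the thread and not Bubble's, Nexmo's or Auth0's code: it signs a short-lived RS256 JWT with Node's built-in `crypto` module rather than a third-party library, and shows the matching receiver-side check. The claim names (`application_id`, `iat`, `exp`, `jti`), the five-minute lifetime and the throwaway key pair are assumptions for illustration.

```javascript
// Added example: server-side RS256 JWT signing with Node's built-in crypto.
const crypto = require('node:crypto');

const b64url = (value) => Buffer.from(value).toString('base64url');

// Throwaway key pair, constructed for this demo. A real private.key stays on
// the server (never in page JavaScript or an API response).
function makeDemoKeyPair() {
  return crypto.generateKeyPairSync('rsa', {
    modulusLength: 2048,
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
  });
}

// Claim names are assumptions; check the API's documentation for the real set.
function signJwt(privateKeyPem, applicationId, ttlSeconds = 300,
                 now = Math.floor(Date.now() / 1000)) {
  const header = { alg: 'RS256', typ: 'JWT' };
  const payload = {
    application_id: applicationId,
    iat: now,
    exp: now + ttlSeconds,     // short lifetime limits the value of a leaked token
    jti: crypto.randomUUID(),  // unique id per token
  };
  const signingInput = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(payload))}`;
  const signature = crypto.sign('sha256', Buffer.from(signingInput), privateKeyPem);
  return `${signingInput}.${signature.toString('base64url')}`;
}

// Receiver-side check: pin the algorithm, verify the signature, enforce expiry.
function verifyJwt(token, publicKeyPem, now = Math.floor(Date.now() / 1000)) {
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  const [h, p, s] = parts;
  let header, payload;
  try {
    header = JSON.parse(Buffer.from(h, 'base64url').toString('utf8'));
    payload = JSON.parse(Buffer.from(p, 'base64url').toString('utf8'));
  } catch (err) {
    return null;
  }
  if (!header || header.alg !== 'RS256') return null;  // reject "none" and other algorithms
  const valid = crypto.verify('sha256', Buffer.from(`${h}.${p}`), publicKeyPem,
                              Buffer.from(s, 'base64url'));
  if (!valid || !payload) return null;
  if (typeof payload.exp !== 'number' || payload.exp <= now) return null;
  return payload;
}
```

The string returned by `signJwt` is what goes after `Authorization: Bearer` in the curl command quoted above.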

At the risk of re-melting your dream, I would advise – once again – that you not attempt an app that deals with PHI or PFI (directly) in Bubble.

If you do so, you lose ALL the benefits of Bubble. You need HIPAA-compliant storage, for example. So then, what is the effing benefit of Bubble? The benefit of Bubble is that you can stand up a web and web app stack – with database and all – in seconds.

If you have to use an external db, you lose one of the major benefits of Bubble. So just forget about that.

Regulatory compliance is no joke. (It’s stupid, but not a joke, see?) That is, Bubble’s database may actually meet or exceed HIPAA requirements, but without certification (which is costly – in time and dollars) THAT DOESN’T MATTER. And – let me reiterate – Bubble is unlikely to proceed with any such certification in the near, mid- or long-term future.

They will tell you as much if you ask. It’s just “not a thing”.

Hell, Bubble won’t even fix bugs like this one, because it only affects the most advanced of users (currently, an army of one… namely ME). So why would they pursue the requisite HIPAA certifications, etc.

If you choose to go that route, you’re simply doomed to failure. Build your HIPAA-compliant app on a HIPAA-compliant stack. There is no come to bet on here.

In the meantime: Build something without weird regulatory compliance requirements on Bubble. The possibilities are endless, as long as they don’t involve stuff like this. (And there are, in fact, an infinite number of things that don’t require HIPAA compliance. That’s the nature of infinity. It’s big. Like, mind-boggling big as Douglas Adams would have it.)

2 Likes

Aside: There is no turnkey HIPAA-compliant stack. You’re on your own there.

I agree with @keith. At the moment, it is not a good idea to build it out using Bubble.
You will receive a Frankenstein as the outcome which can be handled by specific developers only.
Moreover, it will not be flexible for debugging, fixing, and implementation of new features. I’m sure that you will spend much more than using code as a solution.
Also, I think it would be hard to explain to a HIPAA consultant that your app follows all requirements while Bubble doesn’t support it.

@lottemint.md solved the problem by creating a Nexmo JWT plugin. :wink: