Hi everyone,
I’m exploring a setup where my Bubble app acts as the frontend, Xano handles the backend, and any PHI (Protected Health Information) is displayed through an embedded iframe sourced from a HIPAA-compliant service.
Since Bubble would never directly store, process, or handle PHI, and the iframe content would remain entirely within a compliant environment, could this architecture be considered HIPAA-compliant?
(I’m aware this doesn’t substitute for legal advice, just looking for technical insights!)
Thanks in advance!
I would say definitely not.
Bubble would still handle the data to some degree.
I would suggest you use Drapcode or something similar as a frontend.
Thank you for your input!
In this setup, the iframe handles all PHI directly through a HIPAA-compliant backend, with Bubble only embedding the iframe and never processing or storing PHI itself.
Could you clarify why you think this still wouldn’t be compliant if the PHI processing is entirely outside of Bubble?
The processing might be outside of Bubble, but you’re still using Bubble to display it, which means they’re still handling the data.
Thanks for the feedback
Just to clarify, the iframe is fully sandboxed and pulls content directly from a HIPAA-compliant backend. Bubble doesn’t process, log, or transmit the PHI—it only embeds the iframe.
Would you still consider this “handling” PHI?
My thinking is it may only embed the iframe, but it’s still embedding it on a site that is not HIPAA compliant.
I would definitely check with an attorney first before you do this.
Myself, I wouldn’t do it.
If Bubble doesn’t touch or interact with the data itself in any way, then that would be HIPAA compliant (although technically, as some have yelled at me in other posts, it wouldn’t be HIPAA compliant so much as avoiding the need for HIPAA compliance).
However, in general, using Bubble for the front end only is not a great way to go, as the utility of Bubble is best when leveraging both back end and front end. (Depending on your use case, it may be possible to use Bubble for front and back end and tokenize the PII.)
Also, if Bubble connects with the Xano DB in any way such that it can theoretically access any PII, that’s likely a violation of HIPAA.
Finally, note that if the patient is logging into the Bubble app then their email (or even username if you use that approach) is PII…
Yeah, the emails are a concern - I’m planning to encrypt the emails themselves using KMS, so Bubble would only ever handle encrypted values or non-sensitive data. All the encryption and decryption would happen on the backend (Xano).
I hope that might solve the PII issue… I will consult a lawyer to be sure about it
Thanks again for the input!
I would appreciate any other tip you might have on the matter