Would a Bubble frontend with a Xano backend and a HIPAA-compliant iframe to present PHI be considered HIPAA-compliant?

Hi everyone,

I’m exploring a setup where my Bubble app acts as the frontend, Xano handles the backend, and any PHI (Protected Health Information) is displayed through an embedded iframe sourced from a HIPAA-compliant service.

Since Bubble would never directly store, process, or handle PHI, and the iframe content would remain entirely within a compliant environment, could this architecture be considered HIPAA-compliant?

(I’m aware this doesn’t substitute for legal advice, just looking for technical insights!)

Thanks in advance!

I would say definitely not.

Bubble would still handle the data to some degree.

I would suggest you use Drapcode or something similar as a frontend.

1 Like

Thank you for your input!

In this setup, the iframe handles all PHI directly through a HIPAA-compliant backend, with Bubble only embedding the iframe and never processing or storing PHI itself.

Could you clarify why you think this still wouldn’t be compliant if the PHI processing is entirely outside of Bubble?

1 Like

The processing might be outside of Bubble, but you're still using Bubble to display it, which means they're still handling the data.

1 Like

Thanks for the feedback

Just to clarify, the iframe is fully sandboxed and pulls content directly from a HIPAA-compliant backend. Bubble doesn't process, log, or transmit the PHI; it only embeds the iframe.

Would you still consider this “handling” PHI?

1 Like

My thinking is it may only embed the iframe, but it's still embedding it on a site that is not HIPAA compliant.

I would definitely check with an attorney first before you do this.

Myself, I wouldn’t do it.

1 Like

If Bubble doesn't touch or interact with the data itself in any way then that would be HIPAA compliant (although technically, as some have yelled at me in other posts, it wouldn't be HIPAA compliant as much as it would be avoiding the need for HIPAA compliance).

However, in general using Bubble for front end only is not a great way to go, as the utility of Bubble is best when leveraging both back and front end. (Depending on your use case it may be possible to use Bubble for front and back end and tokenize the PII.)

Also, if Bubble connects with the Xano DB in any way such that it can theoretically access any PII, that's likely a violation of HIPAA.

Finally, note that if the patient is logging into the Bubble app then their email (or even username if you use that approach) is PII…

1 Like

Yeah the emails are a concern - I’m planning to encrypt the emails themselves using KMS, so Bubble would only ever handle encrypted values or non-sensitive data. All the encryption and decryption would happen on the backend (Xano).

I hope that might solve the PII issue… I will consult a lawyer to be sure about it

thanks again for the inputs!
I would appreciate any other tips you might have on the matter.
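The last post describes encrypting patient emails with a KMS so that the Bubble frontend only ever carries ciphertext, with all decryption on the backend, while an earlier reply points out that the login email is itself PII. The following Go program is an added example, not code from the thread, Bubble, or Xano, showing the two pieces a backend needs for that: envelope encryption (a per-record data key, itself wrapped by the KMS, used with AES-256-GCM and bound to the record ID), and a keyed blind index (HMAC-SHA256 under a separate backend-only secret) so the backend can still find a user by email without storing the plaintext. The blind index goes beyond what the post states and is an assumption added here; `FakeKMS`, `Backend`, `UserRecord` and all other names are hypothetical, and `FakeKMS` is an in-process stand-in for a real KMS's wrap/unwrap (Encrypt/Decrypt) calls.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aeadSeal returns nonce || ciphertext || tag under AES-256-GCM.
func aeadSeal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// aeadOpen reverses aeadSeal; it fails if ciphertext, tag or AAD was altered.
func aeadOpen(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], aad)
}

func randomKey() []byte {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return k
}

// FakeKMS is a hypothetical stand-in for a real KMS: the master key never
// leaves it, callers only get data keys wrapped and unwrapped.
type FakeKMS struct{ masterKey []byte }

func NewFakeKMS() *FakeKMS { return &FakeKMS{masterKey: randomKey()} }

func (k *FakeKMS) WrapDataKey(dataKey []byte) ([]byte, error) {
	return aeadSeal(k.masterKey, dataKey, []byte("data-key"))
}

func (k *FakeKMS) UnwrapDataKey(wrapped []byte) ([]byte, error) {
	return aeadOpen(k.masterKey, wrapped, []byte("data-key"))
}

// UserRecord is the row as the frontend may see it: no plaintext email anywhere.
type UserRecord struct {
	ID          string
	EmailCipher []byte // AES-GCM(dataKey, email), bound to ID via AAD
	WrappedKey  []byte // dataKey encrypted by the KMS
	EmailIndex  string // hex HMAC-SHA256(indexKey, normalized email)
}

// Backend holds the only secrets: the KMS handle and the blind-index key.
type Backend struct {
	kms      *FakeKMS
	indexKey []byte
	byIndex  map[string]*UserRecord
}

func NewBackend(kms *FakeKMS) *Backend {
	return &Backend{kms: kms, indexKey: randomKey(), byIndex: map[string]*UserRecord{}}
}

func normalizeEmail(e string) string { return strings.ToLower(strings.TrimSpace(e)) }

// BlindIndex lets the backend find a user by email without storing the email.
func (b *Backend) BlindIndex(email string) string {
	m := hmac.New(sha256.New, b.indexKey)
	m.Write([]byte(normalizeEmail(email)))
	return hex.EncodeToString(m.Sum(nil))
}

func (b *Backend) CreateUser(id, email string) (*UserRecord, error) {
	dataKey := randomKey() // one data key per record (envelope encryption)
	ct, err := aeadSeal(dataKey, []byte(normalizeEmail(email)), []byte(id))
	if err != nil {
		return nil, err
	}
	wrapped, err := b.kms.WrapDataKey(dataKey)
	if err != nil {
		return nil, err
	}
	rec := &UserRecord{ID: id, EmailCipher: ct, WrappedKey: wrapped, EmailIndex: b.BlindIndex(email)}
	b.byIndex[rec.EmailIndex] = rec
	return rec, nil
}

func (b *Backend) LookupByEmail(email string) (*UserRecord, bool) {
	rec, ok := b.byIndex[b.BlindIndex(email)]
	return rec, ok
}

// DecryptEmail is the only path back to plaintext, and it needs the KMS.
func (b *Backend) DecryptEmail(rec *UserRecord) (string, error) {
	dataKey, err := b.kms.UnwrapDataKey(rec.WrappedKey)
	if err != nil {
		return "", err
	}
	pt, err := aeadOpen(dataKey, rec.EmailCipher, []byte(rec.ID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	b := NewBackend(NewFakeKMS())
	rec, _ := b.CreateUser("u1", "Alice@Example.com") // constructed sample input
	fmt.Printf("stored: id=%s index=%s... cipher=%x...\n", rec.ID, rec.EmailIndex[:16], rec.EmailCipher[:8])
	if found, ok := b.LookupByEmail(" alice@example.com"); ok {
		email, _ := b.DecryptEmail(found)
		fmt.Println("backend decrypted:", email)
	}
}
```

Two caveats the thread's plan should account for: the blind index is deterministic, so it reveals which rows share an email (and must be keyed with a secret that, like the KMS, never reaches Bubble), and binding the ciphertext to the record ID through the AAD means a ciphertext copied into another row will not decrypt. The frontend can store and pass around `EmailCipher`, `WrappedKey` and `EmailIndex` as opaque values, but any lookup or decryption has to happen on the backend side.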