HIPAA compliant Anvil app?

Just wondering if anyone has experience with building a HIPAA compliant app using anvil. Would using anvil app secrets satisfy the requirements? Any thoughts?

For a muggle like myself what is HIPAA?

@JayKayAce Here is a bunch of info from Google about HIPAA

https://www.google.com/search?q=hipaa+compliance&oq=HIPPA&aqs=chrome.2.69i59j0l7.2890j0j7&sourceid=chrome&ie=UTF-8

1 Like

@woodpav built a HIPAA compliant mobile app. Although it wasn’t with Anvil, he might have some insights.

HIPAA stands for Health Insurance Portability and Accountability Act and it is a strict US regulation on healthcare data. I developed an app that conforms to HIPAA regulations but I did not use Anvil. Here’s what I learned while developing the app:

  1. I developed only the frontend. I used encryption to secure all user data on device and did not receive data from the database. Encryption on the frontend plus one-way communication should make it HIPAA compliant, although you will need to assess your use case and look at the HIPAA requirements. You MUST use HTTPS for HIPAA compliance, and any healthcare data needs to be stored securely; this includes personal information like names and addresses.
  2. If you develop a HIPAA compliant server it needs to be audited and the access needs to be monitored. If you use Anvil to do this you would need to talk to them because of item 4.
  3. If you build a HIPAA compliant service on AWS you need a Business Associate Addendum. Anvil is built on AWS so you will probably need a BAA with both of them.

Developing a frontend ONLY app that is HIPAA compliant is much easier than developing a HIPAA compliant server. I would suggest talking with a lawyer and/or HIPAA auditor to understand exactly what you need to build your service. Here is more information on HIPAA.

From what I understand, App Secrets would not satisfy the requirements because the service needs to be audited. Anvil is closed source, so you would need to contact them to get a BAA and allow an auditor to inspect their servers. Again, I would definitely talk to a lawyer and/or auditor to understand what you need to do.

HIPAA is serious business. If you mess up there’s up to a $50,000 fine per user. One bug could cost you millions. GDPR aint got nothin on HIPAA.

2 Likes

Are there rules on where the data is stored?
In other words, is it possible to store the data in Europe and be HIPAA compliant?

Good question. From what I’ve read, yes you can, but you still bear the risk. I would definitely talk to an auditing agency before you do it. Also, it’s not that difficult to get hosting in the US; better safe than sorry.

And what about hosting data on a server in the US and showing it in a browser in the US, but traveling through a server in the UK?

Ok, ok, the auditing agency.

Yeah I really don’t want to give concrete advice. Encrypt everything and be careful. And don’t wind up like these people.

1 Like

A major obstacle appears to be lack of support for encrypting uploaded files, ideally something like:

    upload['file'] = anvil.secrets.encrypt_with_key('phi', file)

would transparently encrypt stored files just like encrypting stored strings.

2 Likes
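One way to work around the gap described in the post above, while that feature does not exist, is to encrypt the uploaded file's bytes in a server module and store the result as text, so it fits the same string-shaped storage the existing secrets helpers target. The block below is an added example, not code from this thread or from Anvil: it assumes the master key would be fetched from App Secrets under the name `phi` (here replaced by a constructed constant), and it builds authenticated encryption from the Python standard library only (an HMAC-SHA256 keystream in counter mode, encrypt-then-MAC) so that it runs anywhere. In a real deployment you would swap the primitive for AES-GCM from a vetted library and keep the same wrap/unwrap shape; the thread's point that encryption alone does not address the audit requirements still stands.

```python
import base64
import hashlib
import hmac
import os

# Constructed placeholder for the master key. In an Anvil server module the
# assumption is that this would come from App Secrets, e.g.
# anvil.secrets.get_secret('phi'), holding a 32-byte key as hex.
# A real key must never be hard-coded like this.
EXAMPLE_MASTER_KEY_HEX = "0f" * 32

FORMAT_PREFIX = "phi-v1:"   # version tag so the format can change later
NONCE_LEN = 16
TAG_LEN = 32                # HMAC-SHA256 output


def _subkeys(master_key: bytes):
    """Derive independent encryption and MAC keys from the master key."""
    enc_key = hmac.new(master_key, b"phi-file-enc", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"phi-file-mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF-in-counter-mode keystream: HMAC-SHA256(enc_key, nonce || counter)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(block)
        counter += 1
    return bytes(out[:length])


def encrypt_file_bytes(master_key_hex: str, data: bytes) -> str:
    """Encrypt raw file bytes and return a text blob suitable for a text column."""
    enc_key, mac_key = _subkeys(bytes.fromhex(master_key_hex))
    nonce = os.urandom(NONCE_LEN)            # fresh per file; never reused with this key
    ct = bytes(a ^ b for a, b in zip(data, _keystream(enc_key, nonce, len(data))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()   # MAC covers nonce too
    return FORMAT_PREFIX + base64.b64encode(nonce + ct + tag).decode("ascii")


def decrypt_file_bytes(master_key_hex: str, blob: str) -> bytes:
    """Verify the tag first, then decrypt; any tampering or wrong key raises ValueError."""
    if not blob.startswith(FORMAT_PREFIX):
        raise ValueError("unrecognised ciphertext format")
    raw = base64.b64decode(blob[len(FORMAT_PREFIX):])
    if len(raw) < NONCE_LEN + TAG_LEN:
        raise ValueError("ciphertext too short")
    nonce, ct, tag = raw[:NONCE_LEN], raw[NONCE_LEN:-TAG_LEN], raw[-TAG_LEN:]
    enc_key, mac_key = _subkeys(bytes.fromhex(master_key_hex))
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        raise ValueError("authentication failed: ciphertext was modified or wrong key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def tamper_is_detected(master_key_hex: str, blob: str) -> bool:
    """Flip one stored byte and confirm the unwrap refuses it instead of returning garbage."""
    raw = bytearray(base64.b64decode(blob[len(FORMAT_PREFIX):]))
    raw[NONCE_LEN] ^= 0x01                     # first ciphertext byte
    tampered = FORMAT_PREFIX + base64.b64encode(bytes(raw)).decode("ascii")
    try:
        decrypt_file_bytes(master_key_hex, tampered)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    sample = b"%PDF-1.4 constructed sample upload containing PHI"   # constructed input
    stored = encrypt_file_bytes(EXAMPLE_MASTER_KEY_HEX, sample)
    assert decrypt_file_bytes(EXAMPLE_MASTER_KEY_HEX, stored) == sample
    assert tamper_is_detected(EXAMPLE_MASTER_KEY_HEX, stored)
    print("stored as:", stored[:40] + "...")
```

In an Anvil app the server module would call `encrypt_file_bytes` on `file.get_bytes()` before writing to the data table and `decrypt_file_bytes` on the way out, so the key only ever exists server-side; the client never sees plaintext storage or the key. The version prefix and the MAC-before-decrypt order are the parts worth keeping whatever cipher you substitute.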

Hi @woodpav

With “The Anvil App Server is now open source!”, would that allow using Anvil to build HIPAA compliant apps?

Thank you!

No, you still need an auditor to inspect Anvil’s servers.

Thank you @woodpav,
So, all I need to do is to have a HIPAA compliance agency review/inspect the Anvil server code (https://github.com/anvil-works/anvil-runtime/tree/master/server) to obtain HIPAA certification? Am I right?

Thanks.

We’re not HIPAA experts, but if you need someone to conduct a formal code audit, then the open-source App Server is a great fit!

However, if you’re using the App Server or Anvil Enterprise on your own server, then from a regulatory point of view it’s just like using any other software – you don’t need to sign any agreements with us.

(edit, 7 months later: locking this thread as the term “HIPAA” is a spam magnet!)

3 Likes