HIPAA stands for Health Insurance Portability and Accountability Act, and it is a strict US regulation on healthcare data. I developed an app that conforms to HIPAA regulations but I did not use Anvil. Here’s what I learned while developing the app:
- I developed only the frontend. I used encryption to secure all user data on device and did not receive data from the database. Encryption on the frontend plus one-way communication should make it HIPAA compliant, although you will need to assess your use case and look at the HIPAA requirements. You MUST use HTTPS for HIPAA compliance, and any healthcare data needs to be stored securely; this includes personal information like names and addresses.
- If you develop a HIPAA compliant server it needs to be audited and the access needs to be monitored. If you use Anvil to do this you would need to talk to them because of item 4.
- If you build a HIPAA compliant service on AWS you need a Business Associate Addendum. Anvil is built on AWS so you will probably need a BAA with both of them.
Developing a frontend ONLY app that is HIPAA compliant is much easier than developing a HIPAA compliant server. I would suggest talking with a lawyer and/or HIPAA auditor to understand exactly what you need to build your service. Here is more information on HIPAA.
From what I understand, App Secrets would not satisfy the requirements because the service needs to be audited. Anvil is closed source so you would need to contact them to get a BAA and allow an auditor to inspect their servers. Again, I would definitely talk to a lawyer and/or auditor to understand what you need to do.
HIPAA is serious business. If you mess up there’s up to a $50,000 fine per user. One bug could cost you millions. GDPR ain’t got nothin’ on HIPAA.