HIPAA Compliant

Is there any way to make an Adalo app HIPAA compliant?

This is a BIG thing. It’s best to talk to customer support on best practices for HIPAA app compliance. Also google “HIPAA App best practices” and that might help in some areas.

HIPAA is just one page in terms of do’s & don’ts, so go off that as a what NOT to do. lol.

It’s also not on Adalo, you’ll have to design / build your app to be HIPAA compliant as well.

I’m building a journal app that will have a therapist connection, so I’ll be venturing into the HIPAA stuff eventually myself.

1 Like

Thank you for this information. I’ve been reading on it some. I’m more so wondering if I need to rebuild on a different platform or if the build being on Adalo can still be made HIPAA compliant. When I started building I didn’t need to be, but because I’ve added some additional elements it now has to be.

HIPAA is a huge deal for sure. Your best bet is to communicate with Adalo on certain areas where they control (server compliance, etc). The app is up to you and how you make it.

You can make it HIPAA compliant though.

I know I’ll be going down this road eventually myself and I’d want to make sure I get real answers. HIPAA violations are massive, gotta make sure we’re safe too.

You cannot make Adalo apps HIPAA compliant.

3 Likes

@dazzlindezigns if anyone had a straight answer for sure, @TKOTC would know. lol.

Also make that the “solution” as well for others when they search since HIPAA is a BIG deal. We don’t want any misinformation to be misinterpreted (like myself :P).

Thanks for chiming in w/ a hard answer. I was thinking native is only way to be compliant, but gave no-code the benefit of the doubt. My optimism got in the way :stuck_out_tongue: haha

Good to know now for myself and the future of some key features of my app.

1 Like

If you are going to mark the solution as solved for future people, then I will provide a little more detailed answer :wink:.

4 days ago (at the time of this writing) Adalo announced they have implemented collection permissions so you can control who has access to information.

So, if you can now control who has access to the information, what was it 5 days ago? If this is the first time you have asked yourself this question, then you shouldn’t collect anyone’s personal health records, or any secrets for that matter.

Taking it one step further, Adalo controls the Data Center that your information is stored in. Adalo is not HIPAA compliant so there is no way for you to be HIPAA compliant using Adalo. I am not sure who at Adalo has access to Adalo customers’ user data, but I am certain that the engineering department can access your clients’ data, and there is nothing you can do to change that. This means that all health records you store are accessible to at least some, if not all, Adalo staff.

When you build a website or app using Adalo, Adalo collects information on the user as outlined here.

In schedule 2 of the terms and conditions for Adalo you agreed to share some or all of your and your customers’ information with Heroku, Amazon Web Services, Sentry, Google Suite, Slack, Stripe, Sendgrid, Hubspot, Mixpanel, Google Analytics, Imgix. Sidenote: Any privacy policy/Terms and Conditions you write up for your App must include that you share their data with Adalo and the services above. You are not in control of what data is shared, or how it is shared. This means that you cannot be HIPAA compliant. For example, if you build a system to upload X-Ray images in Adalo, it will certainly go to Imgix and be mostly accessible to the world.

If you think to yourself, “I will use external collections and link it to AWS for HIPAA compliance,” that still will not work, as you will be using external collections and that passes through Adalo. Adalo transforms the data from AWS to your App when you use external collections, and Adalo is not HIPAA compliant, so you cannot use external collections as a way to be HIPAA compliant.

At the end of the day, to be HIPAA compliant you must know where the information is at every step and ensure its privacy at every step of the way, or it must go through a HIPAA compliant black box where you know the exact entry point and exit points for the information, which you don’t. So at the time of this writing, and for the foreseeable future, there is 0% chance you can meet HIPAA (or any other compliance standard) using Adalo.

I hope this answers the question in a little more detail than the 1-liner from before. If you have any other questions about the subject let me know.

4 Likes

I’ll add one more response in addition to what PragmaFlow already covered well.

First, even if the app is HIPAA “compliant”, there’s way more to HIPAA than just the technology. The regulation sets standards for things like your company’s documented policy. You cannot simply proclaim that you’re compliant without actually going through the rest of those standards.

Second, there’s more to selling a product than just the tech (especially in a B2B setting). Let’s say you find a healthcare provider, medical group, or payer (i.e. insurer) that is interested in what you’re building. (This is a huge stretch to begin with, since most healthcare entities, except maybe a solo practitioner, would be skeptical of an outsider unless you have an established and credible team.) One of the first things they will do is ask you to fill out a massive information security (infosec) questionnaire and show proof of a relevant certification. Companies rely on those certifications as a confirmation that your company is in fact compliant with HIPAA. As a result, this often means that you need to go through a huge audit process with a third party (e.g. HITRUST), which is expensive.

Hopefully, this didn’t come off as too harsh but instead will save you time from going down a route that isn’t set up for success. Good luck.

Adalo should be more transparent & upfront about stuff you can’t build, and 3rd party services. If I paid for Adalo & encountered this, I’d be pissed.

Just the hint that they are (or possibly) using Facebook, makes me vomit.

Hi, question (not building something like this, but would be great to know for future reference), what if you build the frontend with adalo and connect it to a backend like Xano? Would that work? I was just on Xano’s site and it has the HIPAA logo.

No, that will not work as it passes through the Adalo servers still which is not HIPAA. Replace AWS with any backend service. Firebase, AirTable, Xano, etc… I choose AWS because Firebase is not HIPAA

Good to know! Thanks! (sorry had not seen that part of the response).

Well, React is built by Facebook and is a great tool released to the world. So everyone is using Facebook’s framework.

BUT, more to your point, Adalo apps bake in Sonarkit/Flipper by Facebook.

1 Like

Thank you. I am completely non-tech. But, I love learning about this stuff. AND I love straight answers, too. Thanks for your time @TKOTC

You are very welcome. I just started putting a list of compliance requirements together, but didn’t complete it because the answer is usually the same: Impossible or Extremely Difficult. Here it is anyway.

List of common compliance and regulations you need to know when designing software, and the implications with using Adalo

GDPR – Impossible using Adalo. There are many, many reasons this is impossible, but let’s start and end with the Data Center is in the USA so GDPR is a non-starter.

HIPAA/HITECH – Impossible using Adalo. As already outlined in this thread. Adalo is not HIPAA so using Adalo cannot be HIPAA. Taking it one step further, HIPAA costs a lot of money. If 10,000 people are building TODO apps in Adalo on the pro plan at $50/month, and 3 people want to build HIPAA apps at the same $50/month, it does not make sense for Adalo to even consider obtaining a HIPAA certification.

PCI DSS – Extremely difficult in Adalo. If you use the marketplace Stripe component you MUST be PCI compliant, but if you use the marketplace Stripe component you CANNOT be PCI compliant. If you implemented your own payment system that does not pass through Adalo, by say, using Custom Actions and your own Backend, then you could get to a point of being able to be PCI compliant.

SOC/SOC1/SOC2/SOC3 – Extremely difficult using Adalo. To be compliant to these you would need to work directly with Adalo and have the full support of Adalo. As Adalo is not certified in SOC the chances of you succeeding with attaining one or all of these regulations are almost 0%.

PIPEDA – Extremely difficult using Adalo. Adalo collects user information on your behalf without you knowing what information they collect or where it is stored. You would need to request Adalo to open their operating practice to be PIPEDA compliant.

I am going to stop here; essentially, if you need FISMA, FERPA, NIST CSF, NERC 1300, ISA/IEC 62443, LGPD, Australian Data Privacy Regulations, CCPA, ISO 27001/27002, etc. certifications, Adalo and most no-code platforms are not for you.

3 Likes

This is awesome

This is a lot of acronyms (I need to look up :rofl:)

Thank Bill Clinton for HIPAA.

And thank you for taking the time to compile & share this list!

Think it deserves a “solution”.

Thank you so much for your input and answers. My app isn’t a “medical/healthcare related app” per se, which is why I didn’t consider HIPAA in the beginning. I just found out from my attorney that because people may choose to store PHI and/or medical documentation on the app, it’s required to be HIPAA compliant. I’m trying to see what can be done to avoid this option w/in the app, but I’m not sure if it’s possible and may just have to have it created natively.

Also, I thought Adalo was GDPR Compliant as of summer of '21? I must’ve misread that.

I would need to do more research into that, but I will probably say that it is a mincing of words.

Q: Is Adalo GDPR compliant?
A: Let’s assume yes, Adalo is GDPR compliant

sounds good, but wrong question

Q: Am I GDPR compliant if I use Adalo?
A: Out of the box, definitely not. Able to get GDPR compliant? Probably not, and probably cannot be. I would be interested if anyone has used a 3rd party service to validate their GDPR claim.

Just for fun, if you have a user of your app in the EU that you truly trust, have your customer file a GDPR Article 15 request on your app/company, then an Article 17 request, and see what the results are.

I mean, I know that for EU users this still isn’t compliant. I think because my app is based in the US and will be used by US users, I feel like I would be clear on this. But again, that’s just the little knowledge that I have.

Ahh, if you are US based with US customers you do not need GDPR compliance. You might need CCPA if any of your users are in California, which I believe is the most comprehensive set of requirements in the USA; if you are CCPA compliant you are most certainly okay. I would put CCPA compliance using Adalo as extremely difficult to truly achieve.