HIPAA Compliant

If you are going to mark the solution as solved for future people, then I will provide a little more detailed answer :wink:.

4 days ago (at the time of this writing) Adalo announced they have implemented collection permissions so you can control who has access to information.

So, if you can now control who has access to the information, what was it 5 days ago? If this is the first time you have asked yourself this question, then you shouldn’t collect anyone’s personal health records, or any secrets for that matter.

Taking it one step further, Adalo controls the Data Center that your information is stored in. Adalo is not HIPAA compliant, so there is no way for you to be HIPAA compliant using Adalo. I am not sure who at Adalo has access to Adalo customers’ user data, but I am certain that the engineering department can access your clients’ data, and there is nothing you can do to change that. This means that all health records you store are accessible to at least some, if not all, Adalo staff.

When you build a website or app using Adalo, Adalo collects information on the user as outlined here.

In Schedule 2 of the terms and conditions for Adalo, you agreed to share some or all of your and your customers’ information with Heroku, Amazon Web Services, Sentry, Google Suite, Slack, Stripe, Sendgrid, Hubspot, Mixpanel, Google Analytics, and Imgix. Side note: any privacy policy/terms and conditions you write up for your app must include that you share their data with Adalo and the services above. You are not in control of what data is shared, or how it is shared. This means that you cannot be HIPAA compliant. For example, if you build a system to upload X-ray images in Adalo, it will certainly go to Imgix and be mostly accessible to the world.

If you think to yourself, “I will use external collections and link them to AWS for HIPAA compliance,” that still will not work, as you will be using external collections and that passes through Adalo. Adalo transforms the data from AWS to your app when you use external collections, and Adalo is not HIPAA compliant, so you cannot use external collections as a way to be HIPAA compliant.

At the end of the day, to be HIPAA compliant you must know where the information is at every step and ensure its privacy at every step of the way, or it must go through a HIPAA compliant black box where you know the exact entry point and exit points for the information, which you don’t. So at the time of this writing, and for the foreseeable future, there is a 0% chance you can meet HIPAA (or any other compliance standard) using Adalo.

I hope this answers the question in a little more detail than the 1-liner from before. If you have any other questions about the subject let me know.
