But we are actively going through the process. In the mean time, here are some measures we've already taken to ensure we are compliant
All data stored within Xano is encrypted at rest. Transmission of data is done securely over SSL. Access to workspaces are limited to the team settings defined on the instance, which is governed by the owner of the instance.
To be compliant, users must be on one of our dedicated plans (Prototype or Business) which provides them with a dedicated instances for processing, storing or transmitting ePHI. Additional workspaces can be used for separating personally identifiable information from the main workspace, or a 3rd party vault server can be used instead.
What ePHI needs to be protected?
Information protected by HIPAA typically includes:
Names & birthdates
Dates pertaining to a patient’s
treatment schedule (illness and medical care)
Social Security Numbers (SSI)
Medical Record Numbers
Photographs & digital images
Any other form of unique identification or account number(s).
The Health Insurance Portability and Accountability Act (“HIPAA”) requires the protection and confidential handling of protected health information by covered entities. Xano has already achieved a ISO27001 certification.
Xano's servers are also hosted on Google Cloud which is fully HIPAA compliant
In accordance with HIPAA, Xano needs to enter into Business Associate Agreements, or BAA with it's customers. We are currently working with compliance to figure out the requirements to be able to do this.