HIPAA

The Health Insurance Portability and Accountability Act of 1996, commonly known as HIPAA, is a series of regulatory standards that outline the lawful use and disclosure of protected health information (PHI).

Xano is NOT fully HIPAA compliant yet ...

But we are actively going through the process. In the meantime, here are some measures we've already taken to work toward compliance.

Steps we've already taken

Data Security

All data stored within Xano is encrypted at rest. Data in transit is protected with SSL. Access to workspaces is limited by the team settings defined on the instance, which are governed by the owner of the instance.

To be compliant, users must be on one of our dedicated plans (Prototype or Business), which provides them with a dedicated instance for processing, storing or transmitting ePHI. Additional workspaces can be used to separate personally identifiable information from the main workspace, or a third-party vault server can be used instead.

What ePHI needs to be protected?

Information protected by HIPAA typically includes:

  • Names & birthdates

  • Dates pertaining to a patient's

    • birth

    • death

    • treatment schedule (illness and medical care)

  • Contact information

    • telephone number(s)

    • physical addresses

    • email

  • Social Security Numbers (SSN)

  • Medical Record Numbers

  • Photographs & digital images

  • Fingerprints

  • Voice recordings

  • Any other form of unique identification or account number(s)

Data Privacy

The Health Insurance Portability and Accountability Act ("HIPAA") requires the protection and confidential handling of protected health information by covered entities. Xano has already achieved ISO 27001 certification.

Xano's servers are also hosted on Google Cloud, which is fully HIPAA compliant.

Actively working on ...

Helping you meet your compliance obligation (BAA)

In accordance with HIPAA, Xano needs to enter into Business Associate Agreements (BAAs) with its customers. We are currently working with compliance to determine the requirements for being able to do this.