Forum Discussion

AdamSmeigh
Qrew Member
8 years ago

Is Quick Base HIPAA compliant? Not to be confused with the HIPAA management app.

  • Thanks for the answers to this question. I want to take the opportunity to expand on them to help others who are looking to create HIPAA-compliant applications in Quick Base.

    The short answer to the question is that Quick Base enables builders to create HIPAA-compliant applications. In other words, it is a shared-responsibility model where Quick Base handles various HIPAA requirements out-of-the-box and provides tools and controls that builders can use to satisfy other application-specific HIPAA requirements. Quick Base is audited annually by a third-party to ensure we abide by the HIPAA security and privacy rules. Please refer to https://www.quickbase.com/security-and-compliance for further information.

    A more detailed answer first requires some baseline information. HIPAA (Health Insurance Portability and Accountability Act of 1996) is United States legislation that provides data privacy and security provisions for safeguarding electronic Protected Health Information (ePHI). The HIPAA Privacy Rule addresses how PHI can be used and disclosed. The Security Rule mandates administrative, physical, and technical safeguards. The latter is the most relevant to Quick Base applications.

    The list of what the Quick Base platform gives builders "for free" to comply with the HIPAA security rule is as follows: Data encryption, a data backup plan, a disaster recovery plan, an emergency mode operation plan, and a physical security plan. Areas that the builder needs to apply Quick Base tools and controls to comply with the HIPAA security rule are as follows: Access control (e.g., using roles and permissions to restrict access to ePHI to those who need it, provisioning access to named users and implementing multi-factor authentication, and configuring a user inactivity timeout), using the Audit Log feature to record all access to and changes to apps which hold ePHI, and defining password complexity requirements either via Quick Base or by integrating with the corporate SSO (single sign-on) system.

    Quick Base will also sign a Business Associate Agreement (BAA) under certain conditions. Signing a BAA is very common as we have a lot of customers with HIPAA compliance requirements. Please work with your Account Executive if you require a BAA.

  • MCFNeil
    Qrew Captain
    Correct, it's compliant as long as your users are compliant. It always comes down to the person handling the paperwork/data that makes it compliant.

    This also plays into the app design and role permissions.
  • You will need to speak to sales about that. I do have a client who needed to be HIPAA compliant and they were able to get a "Business Associate Agreement" signed by Quick Base which satisfied their needs. That agreement largely dealt with the concept of an undertaking on the part of QuickBase to destroy data when and if the client ever stopped using Quick Base.

    I'm by far not an expert on this, but I believe that HIPAA compliance is more than just how QuickBase treats data. It has to do with your own control over userids and passwords.