Healthcare application development best practices for HIPAA

Hi friends. I am trying to build applications for healthcare to integrate with data from an EPIC electronic health record system. This requires HIPAA compliance. I was wondering if anyone had best practices to share on how to stay in compliance?

My default assumption is that even if I have encrypted databases, if the data is read by a non-self-hosted version of Retool, I will be out of compliance.


I have the same question. Can I save forms in retool storage?

Hi there,

Thanks for reaching out!

Retool does not sign Business Associate Agreements (BAAs); however, several of our customers who needed to comply with HIPAA prefer our on-premise (self-hosted) deployment. We have structured the self-hosted version of Retool in a way that helps organizations maintain control over their electronic Protected Health Information (ePHI), which could support your HIPAA compliance efforts.

When it comes to self-hosting, Retool itself does not access or interact with your data. The execution of all queries happens within your network, in your self-hosted Retool instance. This setup allows you to maintain your existing control over data access and security protocols related to your sensitive information.

As for the information sent back to Retool in a self-hosted setup, it's minimal and is strictly for licensing and analytics purposes. It includes basic usage data like the number of active users to help manage your license and aid our product development decisions. It doesn't include any sensitive data or details about your specific usage of Retool, such as schema, queries, or results. You can find more details about this in our Security Documentation.

For Retool Database, our docs generally recommend externalizing the database for self-hosted deployments