HIPAA: how did you handle session timeouts, other reqs?

Would love to hear from anyone who has successfully had Retool be HIPAA compliant and how you went about nailing each of the reqs! Happy to chat in private as well, if not comfortable here.

Hi @Ori,

Let me check internally to see if we have some details or documentation on the best practices for this!

I'm in the healthcare industry under HIPAA as well.

Our compliance officer gave us the green light if Retool is hosted strictly internally, which means no public access at any time, and communicates only limited non-PHI data (license check, user invite, etc.) with the Retool company (as outlined in Self-hosted Retool quickstart | Retool Docs).

Since it's self-hosted internally, we don't have to worry about PHI during external transmission or how Retool is going to store / use the data. The Retool entry point, in this way, is under the same rigorous security policy as our intranet / VPN. Besides,

  • Use a dedicated service account / authorization to connect any resources to Retool.

  • Upgrade to Business tier and above to enable the Audit log feature. Back up this log regularly.

  • When developing the app, record the identifier of the app operator when inserting / modifying the data.
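An added example of the last two bullets, written for this thread rather than taken from Retool or from the poster: every insert or update made on behalf of an app user carries that user's identifier, a refusal to write when no identifier is present, and an application-level audit table that can be exported for backup alongside the platform audit log. The schema, table names and the in-memory SQLite backend are constructed for the example; in a Retool query the operator value would normally be supplied from `{{ current_user.email }}` as a query parameter.

```python
import json
import sqlite3
from datetime import datetime, timezone

# Constructed schema standing in for the backend a Retool app writes to.
# created_by / updated_by hold the app operator's identifier; audit_log is the
# application-level change record (it complements, not replaces, the platform audit log).
SCHEMA = """
CREATE TABLE patient_note (
    id INTEGER PRIMARY KEY,
    note TEXT NOT NULL,
    created_by TEXT NOT NULL,
    updated_by TEXT NOT NULL,
    updated_at TEXT NOT NULL
);
CREATE TABLE audit_log (
    id INTEGER PRIMARY KEY,
    at TEXT NOT NULL,
    operator TEXT NOT NULL,
    action TEXT NOT NULL,
    row_id INTEGER NOT NULL
);
"""


def open_db():
    """Open a throwaway in-memory database with the constructed schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def _require_operator(operator):
    # Refuse any write that cannot be attributed to a person
    # (e.g. an empty current_user.email passed from the app).
    if not operator or not operator.strip():
        raise ValueError("operator identifier is required for every write")
    return operator.strip()


def insert_note(conn, operator, note):
    """Insert a row stamped with the operator and log the action; returns the new row id."""
    operator = _require_operator(operator)
    now = datetime.now(timezone.utc).isoformat()
    cur = conn.execute(
        "INSERT INTO patient_note (note, created_by, updated_by, updated_at) VALUES (?, ?, ?, ?)",
        (note, operator, operator, now),
    )
    conn.execute(
        "INSERT INTO audit_log (at, operator, action, row_id) VALUES (?, ?, 'insert', ?)",
        (now, operator, cur.lastrowid),
    )
    conn.commit()
    return cur.lastrowid


def update_note(conn, operator, row_id, note):
    """Update a row, overwriting updated_by with the current operator, and log the action."""
    operator = _require_operator(operator)
    now = datetime.now(timezone.utc).isoformat()
    cur = conn.execute(
        "UPDATE patient_note SET note = ?, updated_by = ?, updated_at = ? WHERE id = ?",
        (note, operator, now, row_id),
    )
    if cur.rowcount != 1:
        conn.rollback()
        raise LookupError(f"no row with id {row_id}")
    conn.execute(
        "INSERT INTO audit_log (at, operator, action, row_id) VALUES (?, ?, 'update', ?)",
        (now, operator, row_id),
    )
    conn.commit()


def audit_trail(conn, row_id):
    """Return (operator, action) pairs for one row, oldest first."""
    return conn.execute(
        "SELECT operator, action FROM audit_log WHERE row_id = ? ORDER BY id", (row_id,)
    ).fetchall()


def export_audit_log(conn):
    """Serialise the whole audit table as JSON lines, suitable for the regular backup."""
    rows = conn.execute(
        "SELECT id, at, operator, action, row_id FROM audit_log ORDER BY id"
    ).fetchall()
    keys = ("id", "at", "operator", "action", "row_id")
    return "\n".join(json.dumps(dict(zip(keys, r))) for r in rows)


if __name__ == "__main__":
    db = open_db()
    rid = insert_note(db, "alice@example.org", "initial note")   # sample operators, constructed
    update_note(db, "bob@example.org", rid, "revised note")
    print(audit_trail(db, rid))
    print(export_audit_log(db))
```

The point of `_require_operator` is that attribution is enforced at the write path, not left to whichever query happens to remember the `updated_by` column; a dedicated service account (first bullet) still owns the connection, while the person behind each change is recorded per row.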