- My goal: To understand what native functionality does Retool offer that allows for easier HIPAA-compliant implementation and maintenance. Also, to understand what resources Retool offers for designing HIPAA compliant systems in Retool. Does Retool allow for native audit logging?
- Issue: Lack of resources and documentation online.
- Steps I've taken to troubleshoot: N/A
- Additional info: (Cloud or Self-hosted, Screenshots)
Hey @caffeine,
Thanks for joining office hours!
As discussed there, Retool is not a HIPAA Business Associate or subcontractor, which I think is why there isn't a ton of HIPAA specific documentation. That said, self-hosted Retool offers a secure solution because you maintain full control over your deployment, securely contained within your infrastructure and behind your firewall.
Beyond self hosting, here are some general security recommendations:
- Consider implementing SSO. Enterprise customers have many options for SSO. Otherwise, you can configure Google SSO using the Sign in with Google on the Business plan
- Business and Enterprise plans have access to the audit logs feature, and self hosted accounts can query this data in the database that powers your Retool instance. Retool recommends externalizing this database, and implementing appropriate measures to persist and back up the DB.
- The easiest way to ensure transmission security is to deploy Retool and the PHI database in the same private VPC. This ensures that requests between the Retool server and database cannot be intercepted.
I'm also including a link to our security docs: Security Practices | Retool Docs