Flows and Third-Party Compliance
What You'll Learn
This article covers what you need to know about HIPAA compliance when connecting your Knack app to third-party services through Flows, the API, or any other integration method. If data leaves your Knack app, you're responsible for making sure it stays protected.
The Core Principle
Knack's BAA covers the Knack platform. The moment PHI leaves Knack and enters another service, Knack can no longer guarantee its security. You are responsible for verifying that every external service in your workflow handles PHI in a HIPAA-compliant way.
This applies to:
- Flows that send data to external apps (Google Sheets, email services, CRMs, etc.)
- API integrations that push or pull data between Knack and other systems
- Webhooks that trigger external actions based on Knack events
- Manual exports that you upload to other platforms
Before Connecting a Third-Party Service
Before you connect any external service to your HIPAA app, verify the following:
- The service is HIPAA compliant. Check their documentation or contact their sales team. Not every plan or tier of a service supports HIPAA. Some only offer compliance on enterprise plans.
- You have a signed BAA with the service. A BAA must be in place between you and the third-party vendor before any PHI is transmitted. If a service won't sign a BAA, you cannot use it with PHI.
- The service handles data appropriately. Understand where the service stores data, who has access, and what happens to your data if you stop using the service.
No BAA = no PHI. If a third-party service won't sign a BAA, do not send PHI to it. This is non-negotiable under HIPAA, regardless of how secure the service claims to be.
Using Flows With HIPAA Apps
Knack Flows let you connect your app to external services and automate workflows. When using Flows on a HIPAA plan:
- Only map the fields the external service needs. Don't pass entire records when the integration only requires a name and appointment date. Apply the Minimum Necessary Rule to every Flow.
- Verify compliance for every connected service. Each app in your Flow that touches PHI needs its own BAA with you.
- Review your Flows periodically. As your app changes, Flows may start sending data that wasn't originally intended. Check that each Flow still sends only what's necessary.
- Understand that Flows use the HIPAA API endpoint. Your Flows will route through usgc-api.knack.com when your app is on the HIPAA environment.
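The Minimum Necessary and periodic-review points above can be enforced in code rather than by hand if a Flow is built around an explicit field allow-list per integration. The following is an added example, not Knack's own code or part of Flows: the integration policy, the field names and the sample record are constructed for illustration (a real Knack record uses keys such as field_1 and an id), and the two policies are hypothetical services.

```python
"""Minimum Necessary filter for an outbound Flow / webhook payload.

Added example, not Knack's code. The policies, field names and the sample
record are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Any


class ComplianceError(Exception):
    """Raised when a send would break the rule: no BAA = no PHI."""


@dataclass(frozen=True)
class IntegrationPolicy:
    name: str                   # the external service (hypothetical names below)
    baa_signed: bool            # a signed BAA must exist before any PHI moves
    allowed_fields: frozenset   # the only fields this service actually needs
    reviewed_fields: frozenset  # full record schema at the last periodic review


def minimize_payload(record: dict[str, Any], policy: IntegrationPolicy) -> dict[str, Any]:
    """Return the subset of the record that may be sent, failing closed."""
    if not policy.baa_signed:
        raise ComplianceError(f"{policy.name}: no BAA on file, PHI must not be sent")
    # Allow-list, never deny-list: a PHI field added to the Knack object
    # after the Flow was built is dropped by default instead of leaking.
    return {k: v for k, v in record.items() if k in policy.allowed_fields}


def review_drift(record: dict[str, Any], policy: IntegrationPolicy) -> dict[str, list[str]]:
    """Periodic-review helper: fields the filter dropped, and fields that
    exist now but were not in the schema when the Flow was last reviewed."""
    present = set(record)
    return {
        "dropped": sorted(present - policy.allowed_fields),
        "unreviewed": sorted(present - policy.reviewed_fields),
    }


# Constructed sample record; "insurance_id" was added after the last review.
SAMPLE_RECORD = {
    "id": "rec_0001",
    "patient_name": "Jane Doe",
    "appointment_date": "2024-03-14",
    "diagnosis_code": "E11.9",
    "phone": "555-0100",
    "insurance_id": "INS-44821",
}

# Hypothetical scheduler that needs only a name and a date, with a BAA on file.
SCHEDULER = IntegrationPolicy(
    name="appointment-scheduler",
    baa_signed=True,
    allowed_fields=frozenset({"patient_name", "appointment_date"}),
    reviewed_fields=frozenset({"id", "patient_name", "appointment_date",
                               "diagnosis_code", "phone"}),
)

# Hypothetical consumer spreadsheet with no BAA: every send must be refused.
NO_BAA_SHEET = IntegrationPolicy(
    name="consumer-spreadsheet",
    baa_signed=False,
    allowed_fields=frozenset({"patient_name"}),
    reviewed_fields=frozenset(SAMPLE_RECORD),
)


if __name__ == "__main__":
    print("sent:", minimize_payload(SAMPLE_RECORD, SCHEDULER))
    print("review:", review_drift(SAMPLE_RECORD, SCHEDULER))
    try:
        minimize_payload(SAMPLE_RECORD, NO_BAA_SHEET)
    except ComplianceError as exc:
        print("blocked:", exc)
```

The `unreviewed` list is the signal for the periodic review: a non-empty result means the Knack object has grown since the Flow was last checked, and each new field needs a decision before it is added to any allow-list.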
Common Third-Party Scenarios
Email services. If your Flow sends emails containing PHI (appointment confirmations with patient names, test results, etc.), the email provider must be HIPAA compliant with a signed BAA. Standard email services like Gmail or Outlook are not HIPAA compliant by default. Some offer compliant configurations on business or enterprise plans.
Google Sheets or spreadsheets. If your Flow exports data to a spreadsheet, that spreadsheet now contains PHI. You need a BAA with the spreadsheet provider (e.g., Google Workspace with BAA), and you need to manage access to that spreadsheet just as carefully as you manage access to your Knack app.
CRM or project management tools. If patient data flows into a CRM or task management system, that system must be HIPAA compliant with a BAA. Many popular tools (Trello, Asana, Monday.com, and similar) either do not offer HIPAA compliance at all or offer it only on specific enterprise plans, so verify the exact tier you are using before connecting it.
AI and machine learning services. If you connect to an AI service through Flows or the API, verify that the service offers HIPAA compliance and a BAA. Some AI providers explicitly exclude PHI from their terms of service.
The Compliance Chain
Think of your data flow as a chain. Every link in that chain must be HIPAA compliant. If one service in the middle doesn't have a BAA, the entire chain is broken and you're out of compliance.
For example, if your Flow goes: Knack > Google Sheets > Zapier > Email Provider, you need a BAA with Google, Zapier, and the email provider. If any one of them won't sign a BAA, you need to remove that link or find a compliant alternative.
Your Checklist for Each Integration
For every third-party service connected to your HIPAA app:
- Confirmed the service is HIPAA compliant
- Signed a BAA with the service
- Mapped only the minimum necessary fields
- Documented the integration in your compliance records
- Set a reminder to review the integration periodically
Next Steps
- HIPAA and the Knack API — API security responsibilities for HIPAA apps
- Business Associate Agreements — How BAAs work with Knack and third parties
- Minimum Necessary Rule — Only send the PHI that's actually needed
