HIPAA Best Practices Checklist

What You'll Learn

This checklist pulls together the key action items from across the HIPAA Compliance section. Use it as a quick reference when setting up your app, onboarding your team, or running a periodic compliance review.

Before You Start

  • Sign up for a Knack HIPAA plan (HIPAA Core or HIPAA Enterprise)
  • Sign your Business Associate Agreement (BAA) with Knack
  • Complete your app's migration to the HIPAA environment
  • Update all API integrations to use usgc-api.knack.com
  • Do not add any PHI to your app until both the migration is complete and the BAA is in place

App Security Settings

  • Enable inactivity logout (15 minutes or less recommended)
  • Enable all password complexity options (numbers, special characters, uppercase, lowercase)
  • Enable password expiration (every 60 days)
  • Enable password reuse prevention (last 3 passwords)
  • Confirm failed login lockout is active (default: 3 attempts in 5 minutes, 15-minute lockout)
  • Confirm the secure browser (HTTPS) setting is enabled (it is on by default; check that nobody has turned it off)
  • Consider enabling IP whitelisting if users access from known locations
  • Enable 2FA for all builder accounts
  • Enable 2FA for live app users

For details, see HIPAA Security Settings and Authentication Best Practices.

Protecting PHI

  • Identify which tables and fields in your app contain PHI
  • Ensure every page that displays PHI is behind a login
  • Review default fields on every element after adding it — remove any PHI that doesn't belong
  • Enable the Secure File setting on any file/image fields that store PHI
  • Apply the Minimum Necessary Rule: only collect and display the PHI each user role needs
  • Do not store PHI you don't need — remove unused fields that contain sensitive data

For details, see What Counts as PHI, Minimum Necessary Rule, and Secure Data Handling in Knack.

User Roles and Access

  • Create separate user roles for each access level (patient, receptionist, provider, billing, admin)
  • Assign page-level permissions so each role only sees relevant pages
  • Use source filters to limit records to the logged-in user or their group
  • Only add edit/delete actions where the role genuinely needs them
  • Test your app as each user role to verify access is correct

For details, see User Roles and Permissions for HIPAA.

Audit Trails

  • Enable record history (Settings > General > Record History)
  • Add Date Created and Date Modified columns to table elements that display PHI
  • Add a "Last Modified By" connection field and record action to track who made changes
  • Build a change log or version history table for long-term audit trail retention (record history only lasts 3 months)

For details, see Building Audit Trails in Knack, Creating a Change Log for Records, and Creating a Version History for Records.

API Security

  • Use usgc-api.knack.com for all API calls
  • Never expose API keys in client-side code
  • Use view-based API requests for browser-side operations (they run under the logged-in user's permissions instead of the app-wide API key)
  • Rotate API keys at least annually
  • Filter out unnecessary fields in your code before passing data downstream
  • Verify that any third-party service receiving data via API is HIPAA compliant with a signed BAA

For details, see HIPAA and the Knack API.

Flows and Third-Party Integrations

  • Verify HIPAA compliance for every connected third-party service
  • Sign a BAA with each service before sending PHI
  • Only map the minimum necessary fields in each Flow
  • Review Flows periodically to confirm they still send only what's needed
  • Do not connect services that won't sign a BAA

For details, see Flows and Third-Party Compliance.

Working With Knack Support

  • Never include PHI in support messages (chat, email, screenshots, exports)
  • Redact or obfuscate sensitive data before sharing files with support
  • Add support agents as shared builders via [email protected] when app access is needed
  • Revoke shared builder access after support is complete

For details, see Secure Data Handling in Knack.
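As an added example of the redaction step above (not code from this page or from Knack), the script below takes a CSV export of the kind you would attach to a support ticket and replaces every value in a column not explicitly marked safe with a salted pseudonym. Pseudonyms rather than blanks keep the file useful: two rows for the same patient still show the same token, so support can follow a reproduction without ever seeing the name or date of birth. The column names, the safe-column set and the sample export are constructed for illustration; the salt is a secret you generate per export and do not share with support.

```python
"""Redact a CSV export before sending it to support (example code, not Knack's).

Every column that is not on the safe list is pseudonymised. Deny-by-default
means a newly added PHI column is redacted even if nobody updated the list.
"""
import csv
import hashlib
import hmac
import io

# Assumption: these columns carry no PHI and may be shared with support as-is.
SAFE_COLUMNS = {"Record ID", "Appointment Date", "Status"}

# Constructed sample export; the patient values are placeholders, not real data.
SAMPLE_EXPORT = (
    "Record ID,Patient Name,Date of Birth,Appointment Date,Status\n"
    "rec001,A. Patient,01/02/1980,03/04/2024,Scheduled\n"
    "rec002,B. Patient,05/06/1975,03/05/2024,Cancelled\n"
    "rec003,A. Patient,01/02/1980,03/10/2024,Scheduled\n"
)


def pseudonym(value: str, salt: bytes) -> str:
    """Keyed hash of a value, truncated for readability.

    A keyed hash (HMAC) rather than a bare SHA-256 matters here: values such as
    dates of birth have little entropy and could be brute-forced from an
    unsalted digest. Without the salt the tokens cannot be reversed.
    """
    digest = hmac.new(salt, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return "REDACTED-" + digest[:10]


def redact_export(text: str, safe_columns: set[str], salt: bytes) -> str:
    """Return a copy of the CSV with every non-safe, non-empty cell pseudonymised."""
    reader = csv.DictReader(io.StringIO(text))
    if reader.fieldnames is None:
        return ""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames, lineterminator="\n")
    writer.writeheader()
    for row in reader:
        for column, value in row.items():
            if column not in safe_columns and value:
                # Prefix with the column name so "A. Patient" in two different
                # columns does not produce the same token.
                row[column] = pseudonym(f"{column}:{value}", salt)
        writer.writerow(row)
    return out.getvalue()


def parse_rows(text: str) -> list[dict]:
    """Small helper so callers (and tests) can inspect the redacted output."""
    return list(csv.DictReader(io.StringIO(text)))


if __name__ == "__main__":
    import secrets
    print(redact_export(SAMPLE_EXPORT, SAFE_COLUMNS, secrets.token_bytes(32)))
```

Review the redacted file by eye before attaching it: free-text columns such as notes can carry PHI inside a value even when the column name looks harmless, which is why the default here is to redact anything not listed as safe rather than to redact a list of known PHI columns.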

Organizational Requirements

  • Write and maintain HIPAA policies and procedures
  • Train all employees who handle PHI (initial + annual refresher)
  • Conduct and document regular risk assessments
  • Maintain an incident response plan for breach notification
  • Retain compliance documentation for a minimum of six years
  • If hiring consultants, sign a separate BAA with them

For details, see Policies and Training Requirements and Business Associate Agreements.

PHI Retention

  • Understand Knack's retention timelines: record deletion is immediate from production, backups kept up to 4 weeks
  • Know the delinquent account timeline: 28 days to production deletion, 56 days total before data is unrecoverable
  • Maintain your own backups or archives if your compliance program requires longer retention than Knack's backup cycle

For details, see PHI Retention and Data Deletion.