Minimum Necessary Rule

What You'll Learn

This article explains the HIPAA Minimum Necessary Rule and how to apply it when designing and managing your Knack app. This rule shapes how you build tables, configure views, assign user roles, and handle data through the API.

What Is the Minimum Necessary Rule?

The Minimum Necessary Rule is a core HIPAA principle. It says that when you use or share PHI, you should limit it to the minimum amount needed to get the job done.

Think of it as "need-to-know" for health data. Every person, every page, and every integration should only access the PHI they actually need — nothing more.

This applies to:

  • What data you collect in the first place
  • What data you display in your app's pages and elements
  • What data each user role can see
  • What data you send through the API or Flows to external services

How to Apply It in Your Knack App

Table and Field Design

Start at the data level. Only create fields for the PHI you actually need.

  • Don't add fields "just in case" — if you don't need a patient's Social Security number for your workflow, don't collect it
  • If a field was needed for a past workflow but is no longer used, consider whether it should be removed or hidden
  • Keep PHI fields in as few tables as possible to reduce your exposure surface

Pages and Elements

When you add an element like a table to a page, Knack populates it with initial fields from the connected table. Those default fields may include PHI that doesn't belong on that page.

  • Review every element after adding it and remove fields that aren't necessary for that page's purpose
  • A check-in page for a receptionist doesn't need to display clinical notes or billing details
  • A provider dashboard doesn't need to show insurance account numbers
Note: Check your defaults. When you add a new table element, the first several fields from your table are added automatically. Always verify that those defaults don't expose PHI that isn't relevant to the page.

User Roles

Use Knack's role-based access to give each type of user access to only the data they need.

  • A receptionist role should see appointment details and contact info — not diagnoses or lab results
  • A billing role should see payment information — not clinical notes
  • An admin role may need broader access, but even admins should be limited to what's necessary for their function

You can control this by assigning different pages and elements to different roles and by using source filters to limit which records a role can see.

For details on configuring roles, see User Roles and Permissions for HIPAA.

API and Integrations

The Knack API returns all accessible fields for a record — it cannot restrict access at the field level. This means:

  • If you pull patient records through the API, you may receive more PHI than your integration actually needs
  • You're responsible for filtering out unnecessary fields on your end before passing data to a third-party service
  • Only send the minimum data required for the integration to work

For more detail, see HIPAA and the Knack API.

Flows and Automations

When you connect your app to external services through Flows, apply the same principle:

  • Only map the fields the external service needs — don't pass entire records
  • Verify that the receiving service is HIPAA compliant and has a BAA in place
  • Review your Flows periodically to make sure they still send only what's necessary

For more detail, see Flows and Third-Party Compliance.
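The two sections above (API and Integrations, Flows and Automations) both come down to the same control: decide per integration which fields it needs, and drop everything else on your side before the data leaves. The following is an added example written for this article, not Knack's own code or part of its API; the record, field keys (field_10 and so on), values and integration names are all constructed sample data. It filters a record of the shape the API returns against a per-integration allowlist, denies by default, and reports which fields were withheld so the decision can be logged.

```javascript
// Added example (not Knack's own code): apply the Minimum Necessary Rule to a
// record pulled from the API before handing it to an external service.
// All field keys, values and integration names below are constructed.

// A constructed record shaped like an API response: every accessible field
// comes back, including PHI the downstream integration does not need.
const sampleRecord = {
  id: "rec_constructed_001",
  field_10: "Jane Doe",               // patient name
  field_11: "2024-05-02T09:30:00Z",   // appointment date
  field_12: "123-45-6789",            // SSN (never needed downstream)
  field_13: "Type 2 diabetes",        // diagnosis
  field_14: "INS-4471-9920",          // insurance account number
  field_15: "Follow-up in 6 weeks",   // clinical notes
};

// One allowlist per integration: name exactly the fields it needs.
// Anything not listed is withheld (deny by default), including new
// fields added to the table later.
const integrationAllowlists = {
  appointmentReminder: ["id", "field_10", "field_11"], // name + appointment date
  billingExport:       ["id", "field_10", "field_14"], // name + insurance account
};

// Return a new object containing only allowlisted fields, plus the list of
// field keys that were withheld so the outcome can be audited.
function applyMinimumNecessary(record, allowlist) {
  const allowed = new Set(allowlist);
  const filtered = {};
  const withheld = [];
  for (const [key, value] of Object.entries(record)) {
    if (allowed.has(key)) {
      filtered[key] = value;
    } else {
      withheld.push(key);
    }
  }
  return { filtered, withheld };
}

// Look up the allowlist by integration name. An unknown name throws rather
// than falling through to "send everything", which is the failure mode the
// rule exists to prevent.
function prepareForIntegration(record, integrationName) {
  const allowlist = integrationAllowlists[integrationName];
  if (!allowlist) {
    throw new Error(`No allowlist defined for integration "${integrationName}"`);
  }
  return applyMinimumNecessary(record, allowlist);
}

// Usage: the reminder service receives id, name and date only; the SSN,
// diagnosis, insurance number and notes never leave your side.
const { filtered, withheld } = prepareForIntegration(sampleRecord, "appointmentReminder");
console.log(JSON.stringify(filtered));
console.log("withheld:", withheld.join(", "));
```

Keep the allowlists in one place and review them whenever a Flow or integration changes; because the filter denies by default, a field added to the table later is withheld until someone deliberately adds it to the list.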

Common Mistakes

  • Displaying all fields by default. After adding a table element, leaving the default fields in place without checking whether they include PHI.
  • Giving every role the same access. Using a single user role for all app users instead of creating roles that match different access needs.
  • Sending full records through the API. Pulling entire patient records when the integration only needs a name and appointment date.
  • Collecting data you don't use. Adding fields during initial setup that were never needed and now sit unused with PHI in them.

Next Steps