Home
Documentation
  1. HIPAA Compliance
  2. Protecting PHI in Your Knack App

Secure Data Handling in Knack

What You'll Learn

This article covers how to handle PHI securely inside your Knack app and when interacting with Knack support. It includes guidance on protecting pages, reviewing default fields, managing file uploads, and making sure sensitive data stays out of support communications.

Protect Every Page That Contains PHI

Any page in your live app that doesn't require a login is public. That means anyone who knows or finds the URL can view it. If a page displays PHI, it must be behind a login.

  • Add login protection to every page that shows patient data, health records, or any information tied to the 18 HIPAA identifiers
  • Don't assume a page is safe because it's not linked in your navigation — public pages are still accessible by URL
  • If you're unsure whether a page contains PHI, review the elements on it and check what fields they display

For help setting up login-protected pages, see How to Create a Login-Protected Page.

Review Default View Fields

When you add a new element (like a table or list) to a page, Knack populates it with initial fields from the connected table. If your table contains PHI, those default fields may expose sensitive data you didn't intend to display.

After adding any element to a page:

  • Check which fields were added by default
  • Remove any fields that aren't needed for that page's purpose
  • Verify that the remaining fields are appropriate for the user roles that can access the page

This is one of the most common ways PHI gets exposed unintentionally. Make it a habit to review defaults every time you add or modify an element.

Use the Secure File Setting

Knack offers a Secure File setting for file and image fields. When enabled, files are served through authenticated URLs that expire, which prevents unauthorized access to uploaded documents.

If your app stores files that contain PHI (lab reports, scanned documents, insurance cards, etc.), enable the Secure File setting on those fields. Without it, anyone with the file URL could access the document.

For details on this setting, see File & Image Fields.

Connect Records to the Logged-In User

Use Knack's source filters to make sure users only see records they're authorized to view. By connecting records to a user role and filtering views to show only records linked to the logged-in user, you prevent one patient or staff member from seeing another's data.

This is critical for any app where multiple users share the same page structure but should only see their own records — patient portals, provider dashboards, intake forms, and similar workflows.

For help with this, see User Roles and Permissions for HIPAA.

Working With Knack Support

HIPAA requires extra care when engaging with the Knack support team. You need to make sure PHI stays protected in all support interactions.

Never include PHI in support communications. This means:

  • Don't paste patient data into chat messages or support emails
  • Don't include PHI in screenshots — blur or redact any visible patient data before sending
  • Don't attach exports, spreadsheets, or CSVs that contain PHI
  • Don't include PHI in screen recordings or video walkthroughs

If you need to share data for debugging:

  • Remove or obfuscate all PHI before sending. Replace real patient names with test data, redact identifiers, and strip sensitive fields from exports.
  • If you need to share a CSV or spreadsheet, make sure every row is scrubbed of PHI before attaching it.

If support needs access to your app:

  • Add the support agent as a shared builder using [email protected]
  • Once support is complete, Knack will notify you that access is no longer needed
  • Revoke shared builder access at any time by following the instructions in your account settings
📘

This is your responsibility. Knack support cannot determine what data in your app is PHI. It's up to you to make sure nothing sensitive is included in your communications.

Handling Sensitive Data Outside Your App

PHI doesn't stop being PHI when it leaves your app. If you export data, send it through email, or share it with your team, the same protections apply.

  • Don't email unencrypted files containing PHI
  • Don't store PHI exports on unsecured devices or shared drives without proper access controls
  • If you download data for analysis or reporting, delete the local copies when you're done
  • Treat any data that contains PHI with the same level of care whether it's inside Knack or on your desktop

Next Steps

Updated about 7 hours ago