HIPAA Basics for App Builders
What You'll Learn
This article explains what HIPAA is, why it matters when you're building apps that handle health data, and how Knack supports HIPAA compliance. If you're new to HIPAA or need a refresher, start here.
What Is HIPAA?
HIPAA (Health Insurance Portability and Accountability Act) is a US federal law that sets standards for protecting sensitive patient health information. It applies to healthcare providers, health plans, healthcare clearinghouses, and their business associates.
HIPAA has three main rules that matter for app builders:
- Privacy Rule — Defines what counts as protected health information (PHI) and limits how it can be used and shared. This is about who can see what.
- Security Rule — Requires specific safeguards to protect electronic PHI (ePHI). This covers encryption, access controls, audit trails, and more. This is about how you protect the data.
- Breach Notification Rule — Requires organizations to notify affected individuals, the Department of Health and Human Services (HHS), and in some cases the media when a breach of unsecured PHI occurs.
Who Needs to Comply?
HIPAA applies to two types of organizations:
- Covered entities — Healthcare providers (doctors, clinics, hospitals), health plans (insurance companies), and healthcare clearinghouses. If your organization provides healthcare or handles health insurance, you're a covered entity.
- Business associates — Any vendor or service provider that handles PHI on behalf of a covered entity. When you use Knack to store or process PHI, Knack acts as a business associate. This relationship is formalized through a Business Associate Agreement (BAA).
If you're a consultant building an app for a healthcare client, your client (the covered entity) is responsible for entering into a BAA with Knack. They may also need a separate BAA with you, depending on your access to PHI.
How HIPAA Applies to No-Code Apps
Building an app on a no-code platform like Knack doesn't change your HIPAA obligations. The same rules apply whether you wrote the code yourself or used a visual builder. Here's what that means in practice:
- Every page that displays PHI must be login-protected. Public pages are visible to anyone with the URL. If a page shows patient names, diagnoses, or any other PHI, it must be behind a login.
- User roles must restrict access to the minimum necessary. A receptionist doesn't need to see clinical notes. A billing clerk doesn't need to see lab results. Use roles and permissions to limit what each user can see and do.
- You're responsible for how data flows in and out of your app. If you export data, send it through the API, or connect to third-party services via Flows, you need to make sure every step of that process protects PHI.
- Audit trails are your proof. HIPAA requires you to track who accessed PHI and what they did with it. Knack provides tools like record history and system fields to help you build this.
What Knack Provides
Knack Health plans include platform-level safeguards that support your compliance efforts:
- HIPAA-ready hosting with a signed BAA
- Encryption of data in transit and at rest
- Role-based access controls with unlimited, customizable user roles
- Two-factor authentication (2FA) for both app users and builders
- Advanced SSO for live app users
- Record change logs to track data modifications
- SOC 2 Type II certification (report available under NDA)
These features give you the building blocks. The next step is using them correctly in your app.
What Knack Does Not Provide
Knack provides the platform. It does not manage your compliance program. Specifically:
- Knack does not determine which data in your app is PHI
- Knack does not configure access controls or user roles for you
- Knack does not monitor how your team uses the app
- Knack does not manage your organization's HIPAA policies or training
- Knack does not guarantee compliance — only you can do that by designing and operating your app correctly
For a detailed breakdown of your responsibilities, see Your Responsibilities as a Covered Entity.
Next Steps
- Your Responsibilities as a Covered Entity — Understand exactly what you're responsible for
- Knack Health & HIPAA Plans — Compare HIPAA Core and HIPAA Enterprise plans
- What Counts as PHI — Learn what data needs HIPAA protection