Your Responsibilities as a Covered Entity

What You'll Learn

This article explains what you're responsible for when building and running a HIPAA-compliant app on Knack. It covers the division of responsibility between you and Knack, how to handle patient data requests, and the key areas where your organization must take action.

The Shared Responsibility Model

HIPAA compliance is a shared effort between Knack and you. Here's how the responsibilities break down:

Knack is responsible for:

  • Providing HIPAA-ready hosting infrastructure
  • Encrypting data in transit and at rest
  • Signing a Business Associate Agreement (BAA) with you
  • Maintaining SOC 2 Type II certification
  • Managing platform-level security controls (server infrastructure, backups, disaster recovery)
  • Providing tools for access control, audit logging, and authentication

You are responsible for:

  • Designing your app so PHI is properly protected
  • Configuring user roles and permissions to restrict access
  • Ensuring every page with PHI is login-protected
  • Setting up strong authentication (passwords, 2FA, SSO)
  • Training your team on HIPAA policies and procedures
  • Monitoring how your app and data are used
  • Maintaining your organization's HIPAA policies and documentation
  • Ensuring any third-party services you connect to also meet HIPAA requirements

In short: Knack secures the platform. You secure the application.

Key Compliance Areas

Protecting PHI

You decide what data your app collects and how it's displayed. That means you need to:

  • Identify which fields in your app contain PHI
  • Make sure PHI is only displayed on login-protected pages
  • Verify that default view fields don't accidentally expose PHI. When you add a new element such as a table, Knack populates it with initial fields from the connected table; check that those defaults are appropriate before publishing the page.
  • Apply the Minimum Necessary Rule: only collect and display the PHI needed for each user's job

For more detail, see What Counts as PHI and Minimum Necessary Rule.

Access Controls

You control who can see and do what in your app. This includes:

  • Creating user roles that match your organization's access needs
  • Assigning page-level permissions so each role only sees relevant pages
  • Using source filters to limit records to the logged-in user or their group
  • Enabling 2FA for app users and builders
  • Setting password policies that meet HIPAA requirements

For more detail, see User Roles and Permissions for HIPAA and Authentication Best Practices.

Auditability

HIPAA requires you to track who accessed PHI and what changes were made. You're responsible for:

  • Enabling record change logs to track modifications
  • Using system fields (like date created, date modified) to maintain a timeline
  • Designing your app so access patterns are traceable
  • Retaining audit data for the required period (HIPAA requires a minimum of 6 years for certain documentation)

For more detail, see Building Audit Trails in Knack.

Secure Data Handling

You're responsible for how PHI moves in and out of your app. This includes:

  • Never including PHI in support communications with Knack (chat, email, screenshots, exports, CSVs); always redact or obfuscate sensitive data before sending
  • Ensuring any data sent through the API or Flows to third-party services is handled in a HIPAA-compliant way
  • Verifying that third-party tools you integrate with are also HIPAA compliant and have their own BAA in place

For more detail, see Secure Data Handling in Knack and HIPAA and the Knack API.

BAA and Organizational Policies

A Business Associate Agreement is required before you store any PHI in Knack. Beyond the BAA, you need:

  • Written HIPAA policies and procedures for your organization
  • Regular employee training on PHI handling
  • A process for conducting and documenting risk assessments
  • An incident response plan for potential breaches

For more detail, see Business Associate Agreements and Policies and Training Requirements.

Handling PHI Requests

Patient Requests

Under HIPAA, patients have the right to request access to their PHI or ask that it be deleted. Knack does not interact directly with patients — all patient requests must be handled by you (the covered entity).

For example, if a patient asks for all their PHI to be deleted from your Knack app, you handle this by deleting the relevant records directly in the Knack database. Knack does not process these requests on your behalf.

PHI Disclosure Requests

As a business associate, Knack has certain obligations regarding the disclosure or deletion of PHI. If you need Knack to retrieve a log of PHI-related actions, you can submit a request through the PHI request form at knack.com/hipaa/phi-requests/. Make sure to choose the correct options for the type of data you need.

Working With Consultants

If you hire a consultant or developer to build your Knack app, be aware of how the BAA applies:

  • The BAA is between Knack and you (the HIPAA customer). It is not between Knack and your consultant.
  • If you want your consultant to be covered, you need to enter a separate BAA between your organization and the consultant.
  • A consultant can be an Authorized User under the Knack Terms of Service if you authorize them to use the Knack Services on your behalf.
  • You are responsible for making sure your consultant complies with the Terms of Service and the HIPAA Customer Addendum.

Next Steps