Forum Discussion

AdamSmeigh
Qrew Member
7 years ago
Solved

Is Quick Base HIPAA compliant? Not to be confused with the HIPAA management app.

  • ChrisPliakas
    5 years ago

    Thanks for the answers to this question. I want to take the opportunity to expand on them to help others who are looking to create HIPAA-compliant applications in Quick Base.

    The short answer to the question is that Quick Base enables builders to create HIPAA-compliant applications. In other words, it is a shared-responsibility model where Quick Base handles various HIPAA requirements out of the box and provides tools and controls that builders can use to satisfy other application-specific HIPAA requirements. Quick Base is audited annually by a third party to ensure we abide by the HIPAA security and privacy rules. Please refer to https://www.quickbase.com/security-and-compliance for further information.

    A more detailed answer first requires some baseline information. HIPAA (Health Insurance Portability and Accountability Act of 1996) is United States legislation that provides data privacy and security provisions for safeguarding electronic Protected Health Information (ePHI). The HIPAA Privacy Rule addresses how PHI can be used and disclosed. The Security Rule mandates administrative, physical, and technical safeguards. The latter is the most relevant to Quick Base applications.

    The list of what the Quick Base platform gives builders "for free" to comply with the HIPAA security rule is as follows: data encryption, a data backup plan, a disaster recovery plan, an emergency mode operation plan, and a physical security plan. Areas where the builder needs to apply Quick Base tools and controls to comply with the HIPAA security rule are as follows: access control (e.g., using roles and permissions to restrict access to ePHI to those who need it, provisioning access to named users and implementing multi-factor authentication, and configuring a user inactivity timeout), using the Audit Log feature to record all access to and changes to apps which hold ePHI, and defining password complexity requirements either via Quick Base or by integrating with the corporate SSO (single sign-on) system.

    Quick Base will also sign a Business Associate Agreement (BAA) under certain conditions. Signing a BAA is very common as we have a lot of customers with HIPAA compliance requirements. Please work with your Account Executive if you require a BAA.