HIPAA Compliance on Tadabase
This guide is for Tadabase customers who have a Business Associate Addendum (BAA) in place with Tadabase or intend to enter into a BAA. It provides specific guidelines on how to use Tadabase to develop HIPAA-compliant applications and workflows for handling Protected Health Information (PHI).
Tadabase believes that security and compliance are shared responsibilities between Tadabase and the customer. We have implemented HIPAA-compliant controls to protect customer data, and additional safeguards are necessary for customers seeking HIPAA compliance.
Need Help? Book a consultation to discuss how Tadabase can support your HIPAA compliance needs.
Table of Contents
- What is HIPAA and HIPAA Compliance?
- HIPAA Technical Safeguards
- Business Associate Agreement (BAA)
- Designation of HIPAA Accounts
- Required HIPAA Features
- Recommended HIPAA Practices
- HIPAA Implementation Checklist
What is HIPAA and HIPAA Compliance?
The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that establishes national standards for protecting sensitive patient health information. HIPAA applies to covered entities (healthcare providers, health plans, and healthcare clearinghouses) and their business associates who handle Protected Health Information (PHI).
Electronic Protected Health Information (ePHI)
When PHI is stored, accessed, or transmitted electronically, it becomes ePHI. HIPAA compliance requires implementing specific technical safeguards to protect ePHI from unauthorized access, disclosure, alteration, or destruction.
The HIPAA Security Rule
The HIPAA Security Rule outlines three categories of safeguards:
- Administrative Safeguards - Policies and procedures for managing security
- Physical Safeguards - Protection of physical systems and facilities
- Technical Safeguards - Technology controls to protect ePHI (focus of this guide)
For more information, visit the Department of Health and Human Services (HHS) HIPAA website.
HIPAA Technical Safeguards
The HIPAA Security Rule requires five key technical safeguards for protecting ePHI:
1. Access Control
Carefully regulate who can access ePHI, ensuring only authorized individuals can view or modify this critical data. Tadabase provides:
- Role-Based Access Control (RBAC)
- Layout, Page, and Row-Level Security
- User authentication and authorization
- Login tracking and session management
2. Audit Control
Implement mechanisms to record and examine activity in systems containing ePHI. Tadabase provides:
- Comprehensive activity logging
- Record change and deletion logs
- User login and access logs
- Builder activity logs
- File access logs
3. Integrity Control
Ensure ePHI is not improperly altered or destroyed. Tadabase provides:
- Automated backup systems
- Record change history
- Page version control
- Delete logging with data retention
4. Person or Entity Authentication
Verify that users are who they claim to be before granting access. Tadabase provides:
- Email/Password authentication
- Two-Factor Authentication (2FA)
- Single Sign-On (SSO) with enterprise providers
- Magic Links (passwordless authentication)
- Password complexity requirements
5. Transmission Security
Guard ePHI against unauthorized access while it is being transmitted over a network. Tadabase provides:
- TLS/SSL encryption for all data transmission
- Secure file storage with encrypted access
- Encrypted API communications
- HTTPS enforcement for custom domains
Business Associate Agreement (BAA)
A Business Associate Agreement is a legal contract between a covered entity and a business associate (like Tadabase) that defines how PHI will be handled, protected, and used.
Who Needs a BAA?
If your application will process, store, or transmit Protected Health Information (PHI), you must have a signed BAA with Tadabase before handling any PHI.
How to Get a BAA
- Subscribe to a HIPAA Add-On subscription
- Contact your Tadabase Account Representative or Support to initiate the BAA process
- Review and sign the Business Associate Agreement
- Designate which apps will be HIPAA-eligible
Important: Do not process, store, or transmit PHI in Tadabase until you have a signed BAA in place and have designated your apps as HIPAA-eligible.
Designation of HIPAA Accounts
HIPAA-Eligible Apps
Once you have a BAA in place, you can designate specific apps as HIPAA-eligible. Only HIPAA-designated apps should be used to handle PHI.
HIPAA Account Restrictions
- Only HIPAA-eligible products and services can process, store, or transmit PHI
- Projects and subaccounts designated as HIPAA-compliant must only use HIPAA-eligible features
- Contact your Account Representative or Support to enable HIPAA eligibility for new projects
Changes to Tadabase Experience
HIPAA-designated apps include enhanced security measures:
- Automatic Logout: Builder users are automatically logged out after 15 minutes of inactivity
- Enhanced Logging: Additional tracking and auditing of all activities
- Stricter Access Controls: Enforced security settings
Product Deprecation Notice
Tadabase commits to providing at least 180 days' notice before deprecating any HIPAA-eligible products and services. Notices will be posted as updates to this documentation.
Required HIPAA Features
The following security features are required for all HIPAA-compliant applications. You must configure and use these features to maintain compliance.
1. Encrypted Communication
Requirement: All data transmission must be encrypted using TLS/SSL.
Implementation:
- Use HTTPS for all app access
- Configure SSL certificates for custom domains
- Tadabase automatically encrypts all API communications
2. Record Logging
Requirement: Track all changes to records containing PHI.
Implementation:
- Enable record change logging for all data tables containing PHI
- Logs capture before/after values, user, timestamp, IP address
- Extend log retention beyond the default 7 days
Learn more about Record Logging →
3. Delete Logging
Requirement: Track all record deletions with data backup.
Implementation:
- Enable delete logging for all data tables containing PHI
- Deleted records are backed up with full data and metadata
- Logs include who deleted, when, and from where
Learn more about Delete Logging →
4. Secure Buckets Only
Requirement: Store all files containing PHI in secure, private storage.
Implementation:
- Use secure file fields for all PHI-related documents
- Files are stored in private S3 buckets
- Access requires authentication and authorization
- File URLs are time-limited and expire automatically
Learn more about Secure File Storage →
5. Secure Layouts, Pages, and Rows
Requirement: Implement access controls at multiple levels.
Implementation:
- Layout Security: Restrict layouts to specific roles
- Page Security: Control access to individual pages
- Row-Level Security: Ensure users only see their authorized records
- Use page rules for conditional access
Learn more about Multi-Level Security →
6. App Auto Logout
Requirement: Automatically log users out after a period of inactivity.
Implementation:
- Enable auto logout in App Settings → Security
- Recommended: 15 minutes or less for PHI applications
- Configure appropriate timeout message
Learn more about Auto Logout →
7. Login Logs
Requirement: Track all user authentication events.
Implementation:
- User login logging is enabled by default
- Logs include successful logins, failed attempts, and session data
- Review logs regularly for suspicious activity
- Extend log retention for compliance requirements
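The login-log items above (and the checklist item "Set up process for monitoring failed login attempts") describe what to look for but not how a review would be carried out. The following is an added example, not Tadabase code: it runs two simple detections over constructed login-log lines. The line format (`timestamp user=… ip=… result=…`), the sample entries, and the thresholds are all assumptions made for this illustration; Tadabase's exported log format will differ, so adapt `parse_line` to the real fields. Entries are assumed to be in chronological order.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample login-log lines for this example (not real Tadabase output).
SAMPLE_LOG = """\
2024-05-01T08:00:05Z user=alice ip=203.0.113.10 result=failed
2024-05-01T08:00:09Z user=alice ip=203.0.113.10 result=failed
2024-05-01T08:00:14Z user=alice ip=203.0.113.10 result=failed
2024-05-01T08:00:20Z user=alice ip=203.0.113.10 result=failed
2024-05-01T08:00:27Z user=alice ip=203.0.113.10 result=failed
2024-05-01T08:05:00Z user=bob ip=198.51.100.7 result=failed
2024-05-01T08:05:30Z user=bob ip=198.51.100.7 result=success
2024-05-01T09:10:00Z user=carol ip=192.0.2.44 result=failed
2024-05-01T09:10:40Z user=carol ip=192.0.2.44 result=failed
2024-05-01T09:11:15Z user=carol ip=192.0.2.44 result=failed
2024-05-01T09:12:00Z user=carol ip=192.0.2.44 result=success
2024-05-01T12:00:00Z user=alice ip=203.0.113.10 result=failed
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, user, ip, result)."""
    ts_str, *pairs = line.split()
    fields = dict(part.split("=", 1) for part in pairs)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return ts, fields["user"], fields["ip"], fields["result"]


def find_bursts(log_text, threshold=5, window=timedelta(minutes=10)):
    """Flag any (user, ip) pair with >= threshold failed logins inside a sliding window.

    Returns {(user, ip): ISO timestamp of the failure that crossed the threshold}.
    """
    recent = defaultdict(deque)  # (user, ip) -> timestamps of failures still inside the window
    alerts = {}
    for line in log_text.strip().splitlines():
        ts, user, ip, result = parse_line(line)
        if result != "failed":
            continue
        q = recent[(user, ip)]
        q.append(ts)
        while q and ts - q[0] > window:  # drop failures that aged out of the window
            q.popleft()
        if len(q) >= threshold and (user, ip) not in alerts:
            alerts[(user, ip)] = ts.isoformat()
    return alerts


def success_after_failures(log_text, min_failures=3, lookback=timedelta(minutes=10)):
    """Flag successful logins preceded by >= min_failures failures for the same user.

    A success that follows a run of failures deserves a look: it may be a user who
    eventually remembered a password, or a credential that was guessed.
    Returns a list of (user, ip, ISO timestamp) tuples.
    """
    failures = defaultdict(deque)  # user -> timestamps of recent failures
    flagged = []
    for line in log_text.strip().splitlines():
        ts, user, ip, result = parse_line(line)
        q = failures[user]
        while q and ts - q[0] > lookback:
            q.popleft()
        if result == "failed":
            q.append(ts)
        elif result == "success" and len(q) >= min_failures:
            flagged.append((user, ip, ts.isoformat()))
            q.clear()
    return flagged


if __name__ == "__main__":
    for (user, ip), when in find_bursts(SAMPLE_LOG).items():
        print(f"burst of failed logins: user={user} ip={ip} at {when}")
    for user, ip, when in success_after_failures(SAMPLE_LOG):
        print(f"success after repeated failures: user={user} ip={ip} at {when}")
```

Both detections are deliberately simple sliding-window counts; the point is that a documented review process needs concrete, repeatable rules (threshold, window, what gets investigated) rather than an ad hoc scan of the log, and that the output of such a run is what you keep as evidence of the review.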
8. Password Minimums
Requirement: Enforce strong password policies.
Implementation:
- Set minimum password length (recommend 12+ characters)
- Require uppercase letters
- Require lowercase letters
- Require numbers
- Require special characters
- Enable password history to prevent reuse
- Consider password expiration (e.g., 90 days)
Learn more about Password Policies →
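The password rules above are configured in Tadabase's settings rather than written by the customer, but it helps to see what enforcing the full policy actually entails, including the history check, which cannot be done by comparing plaintext. The following is an added example and not Tadabase's implementation: the `PasswordPolicy` defaults mirror the recommendations in this section (12+ characters, upper, lower, digit, special, history, 90-day expiry), and the salted PBKDF2 hashing and the history size of 5 are assumptions for the illustration.

```python
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass
class PasswordPolicy:
    """Policy values chosen to match this guide's recommendations (assumed defaults)."""
    min_length: int = 12
    require_upper: bool = True
    require_lower: bool = True
    require_digit: bool = True
    require_special: bool = True
    history_size: int = 5        # new password may not match any of the last N hashes
    max_age_days: int = 90       # optional expiration recommended by the guide


def check_complexity(policy: PasswordPolicy, password: str) -> List[str]:
    """Return the rules the password violates; an empty list means it satisfies them all."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.require_upper and not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if policy.require_lower and not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if policy.require_digit and not re.search(r"[0-9]", password):
        problems.append("no digit")
    if policy.require_special and not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 (assumed scheme). Returns (salt, digest).

    History is kept as these pairs so previous passwords are never stored in plaintext.
    """
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


def in_history(password: str, history: List[Tuple[bytes, bytes]]) -> bool:
    """True if the candidate re-derives any stored (salt, digest) pair."""
    for salt, digest in history:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):  # constant-time comparison
            return True
    return False


def validate_new_password(policy: PasswordPolicy, password: str,
                          history: List[Tuple[bytes, bytes]]) -> List[str]:
    """Combine complexity and reuse checks; history is ordered oldest to newest."""
    problems = check_complexity(policy, password)
    if policy.history_size and in_history(password, history[-policy.history_size:]):
        problems.append(f"reuses one of the last {policy.history_size} passwords")
    return problems


def is_expired(policy: PasswordPolicy, last_changed: datetime, now: datetime) -> bool:
    """True once the password is older than the policy's maximum age."""
    return now - last_changed > timedelta(days=policy.max_age_days)


if __name__ == "__main__":
    policy = PasswordPolicy()
    history = [hash_password("Correct-Horse-42!")]
    print(validate_new_password(policy, "Correct-Horse-42!", history))   # reuse flagged
    print(validate_new_password(policy, "Battery-Staple-77?", history))  # []
```

The example also shows why a history check belongs with the rest of the policy: reuse can only be detected if the old hashes and their salts are retained, which is a retention decision in its own right.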
9. Support Tickets
Requirement: Control and track support access to PHI.
Implementation:
- Use Tadabase support sharing features
- Limit support access duration
- Restrict support access to necessary areas only
- Review support access logs regularly
- Revoke access immediately after issue resolution
Recommended HIPAA Practices
While not strictly required, these practices are highly recommended for maintaining robust HIPAA compliance:
1. HIPAA Training
- Provide HIPAA training to all users who will access PHI
- Document training completion and maintain records
- Provide annual refresher training
- Include training on proper handling, access, and disposal of PHI
2. IP Whitelisting
- Restrict app access to known IP addresses
- Particularly useful for office-based healthcare providers
- Prevents access from unknown locations
Learn more about IP Security →
3. Review Sessions
- Regularly review active user sessions
- Terminate suspicious or unauthorized sessions immediately
- Monitor for unusual access patterns
- Consider session limits per user
Learn more about Session Management →
4. Name and Rotate API Keys
- Use descriptive names for all API keys
- Rotate API keys regularly (e.g., every 90 days)
- Remove unused or old API keys
- Track API key usage
5. Require Page Version Comments
- Require comments when saving page versions
- Provides audit trail of changes
- Documents reason for modifications
- Helps with compliance audits
6. Share Minimum Necessary Access
- Follow the "minimum necessary" standard
- Grant users access only to PHI they need for their role
- Use row-level security to limit data visibility
- Regularly review and adjust permissions
7. Review Shared App Access
- Audit builder access monthly
- Remove access for terminated employees immediately
- Review access levels for all team members
- Document all access changes
8. Review Change Logs
- Regularly review builder activity logs
- Monitor record change logs for unusual activity
- Investigate any unauthorized or suspicious changes
- Document review activities for compliance audits
Learn more about Builder Logs →
9. Ensure Backups Are Working Properly
- Enable automated backups
- Test backup restoration regularly
- Verify backups complete successfully
- Document backup and restore procedures
- Maintain backup retention according to regulations
10. Remove Batch Operations Unless Very Necessary
- Batch operations increase the risk of accidental mass changes or deletions
- Disable batch operations for users who don't need them
- If batch operations are necessary, implement additional confirmations
- Monitor batch operation logs closely
HIPAA Implementation Checklist
Use this checklist to ensure your Tadabase application meets HIPAA compliance requirements:
Pre-Implementation
- ☐ Subscribe to HIPAA Add-On package
- ☐ Sign Business Associate Agreement (BAA) with Tadabase
- ☐ Designate apps as HIPAA-eligible
- ☐ Document HIPAA compliance plan
- ☐ Conduct HIPAA training for all users
Required Security Features
- ☐ Configure SSL/HTTPS for all app access
- ☐ Enable record change logging for all PHI tables
- ☐ Enable delete logging for all PHI tables
- ☐ Use secure file storage for all PHI documents
- ☐ Implement layout-level security
- ☐ Implement page-level security
- ☐ Implement row-level security
- ☐ Enable app auto logout (15 minutes recommended)
- ☐ Verify login logging is enabled
- ☐ Configure password complexity requirements (12+ chars, upper, lower, number, special)
- ☐ Enable password history
- ☐ Configure support access controls
Recommended Security Features
- ☐ Enable Two-Factor Authentication (2FA) for all users
- ☐ Configure IP whitelisting (if applicable)
- ☐ Set up session monitoring process
- ☐ Implement API key naming and rotation policy
- ☐ Require page version comments
- ☐ Implement principle of least privilege access
- ☐ Schedule regular access reviews
- ☐ Set up automated backups
- ☐ Test backup restore procedure
- ☐ Disable or restrict batch operations
Logging & Monitoring
- ☐ Extend log retention beyond the default 7 days
- ☐ Document log review schedule
- ☐ Set up process for monitoring failed login attempts
- ☐ Establish incident response procedures
- ☐ Create audit documentation procedures
Policies & Documentation
- ☐ Create HIPAA policies and procedures document
- ☐ Document security configurations
- ☐ Create user access management procedures
- ☐ Establish breach notification procedures
- ☐ Document backup and disaster recovery plan
- ☐ Create incident response plan
- ☐ Schedule regular risk assessments
Ongoing Compliance
- ☐ Conduct monthly access reviews
- ☐ Review security logs weekly
- ☐ Test backups monthly
- ☐ Rotate API keys quarterly
- ☐ Conduct annual HIPAA training
- ☐ Perform annual risk assessments
- ☐ Review and update policies annually
Additional Resources
Tadabase Resources
- Complete Security Guide - Comprehensive security documentation
- Logging & Audits - All logging capabilities
- Authentication & SSO - User authentication options
- HIPAA Solutions - Healthcare application solutions
- Free Consultation - Discuss your compliance needs
External Resources
- HHS HIPAA Website - Official HIPAA information
- HIPAA Security Rule - Technical safeguards details
- HIPAA Privacy Rule - Privacy requirements
Summary
HIPAA compliance on Tadabase requires implementing specific security features, following best practices, and maintaining ongoing vigilance. By following this guide and using Tadabase's comprehensive security features, you can build applications that meet HIPAA requirements for handling Protected Health Information.
Key Takeaways:
- HIPAA compliance requires a signed Business Associate Agreement (BAA)
- All nine required security features must be implemented
- Recommended practices significantly enhance your security posture
- Regular monitoring, logging, and auditing are essential
- HIPAA compliance is an ongoing process, not a one-time setup
Disclaimer: This guide provides technical guidance for implementing security features on Tadabase. It is not legal advice. Consult with qualified HIPAA compliance professionals and legal counsel to ensure your application meets all regulatory requirements for your specific use case.
For questions or assistance with HIPAA compliance on Tadabase, please contact our team or reach out to your Account Representative.