Some of the data that our apps will be capturing are related to individual healthcare related information.

As such, in the U.S. the info is protected under HIPAA regulations.

Thus, I need to:

  1. Understand what I need to do technically inside OutSystems and/or AWS to be HIPAA compliant
  2. Get recommendations on "HIPAA Certification" solutions

Who can help with suggestions here on a fast track to excellent HIPAA compliance with OutSystems?



did you solve this challenge?

If not, I suggest contacting support directly; they can be very helpful with these kinds of specifications.

I did get some good feedback offline - thanks.

Hi Bruce,

I have a similar requirement to create a HIPAA compliant app and was wondering what you found out from Outsystems support.  Does the platform provide any built-in advantages that you were able to leverage?  Thanks.

Bottom line, I am well armed to tackle HIPAA and the associated audits that will come my way once we launch.

Yes, I did get a reference to this OutSystems article on Pharma and Biotech.

 Also, here are a few links to one OutSystems client in the healthcare space that tackled HIPAA including HL7:

A partner in the Middle East that used Outsystems to build their app (this is all Outsystems)


HIPAA Requirements for Safeguarding Protected Health Information

Being in compliance with HIPAA involves not only ensuring you provide the appropriate patient rights and controls on your uses and disclosures of protected health information, but also that you have the proper policies and procedures in place. If audited or the subject of a compliance review, you will be required to show the government you have all the necessary documentation in place for safeguarding patient Protected Health Information and indicate how you addressed all required security safeguards. This starts with understanding the fundamentals of HIPAA compliance.

If your healthcare practice, business, or organization needs to understand what is required to protect health records or make sure your current safeguards are adequate and can withstand government scrutiny, please join us for this informative and interactive course.

As I have come to understand it, HIPAA is not a publicly defined standard like PCI DSS; it is instead a set of practices that each company must decide how to implement.

So, in order to safeguard patient information, one company could decide not to put any HIPAA information into a database. Another company might decide that they will put it in a database, but use some complex security scheme.

Once a company decides on how they will implement HIPAA, they can audit their own practices.

Where this gets interesting is when a company is exchanging data with other partners. A company then needs to review and audit the partner company's practices against their own HIPAA standards in order to decide if they comply.

So I hope this helps clarify a little bit why you cannot just ask any company (OutSystems included) if they are HIPAA compliant, as it is not a public standard.