Help Needed - HIPAA Compliance with Airtable

We have a database of ~6500 records with patient name, patient phone, medical provider, among other fields. We want to get HIPAA compliant. A developer suggested using GSheets to store name and phone and a hash reference in AT, but there are views that my customer service rep needs to see that require her to see the name and phone number of the patient (along with other fields) in AT to continue through her task list and update patient status. Outside of this, we have ~10 email automations that leverage GMail and 8 text automations that leverage Zap/Twilio - these would also need to pull the patient’s name and/or phone. Should we be looking at another CRM, maybe AppSheet (we have a BAA with Google), or can we make AT HIPAA compliant?

The key requirement you’ve included suggests the service rep must perform these tasks in Airtable.

This is accomplished by merging the restricted data (in Google Cloud Platform) with the unrestricted data in Airtable into a single view that is in Airtable. If the restricted data is stored in Airtable, it violates the HIPAA premise, so the best you can do is make it look like the data is in Airtable.

You could build an extension that renders a combination of Airtable fields and Google Cloud Platform based data in a web UI. The web UI (of course) would need to be served from a HIPAA-compliant infrastructure (i.e., a secure Firebase hosting app).

This is a lot of engineering just to combine a few fields.

AppSheet is a fine tool and it certainly simplifies the HIPAA requirement. However, it is no Airtable. Perhaps you should look at SmartSuite.

Thanks for your thoughts on this. Yes, the Airtable solution does sound overly complicated. Thank you for the SmartSuite recommendation - I have a call set with them tomorrow. It looks like I would need to subscribe to the enterprise package to get a BAA in place. Not a big deal, it’s more about how complicated the transition would be.

Welcome to the community, @paulv!

In my personal opinion, if you’re looking for the best database app that is 100% HIPAA-compliant, I would highly recommend using Claris FileMaker Pro.

I was a FileMaker developer for 30 years before becoming an Airtable consultant. I don’t do FileMaker work anymore, but if you reach out to me through my website, I can put you in touch with some of my best friends who are all FileMaker developers.

Thanks Scott, I will reach out.

Have you looked at Knack? It’s another low-code/no-code cloud database with HIPAA compliance. That combined with SmartSuite might get you where you need to be quicker and at relatively low cost compared to other HIPAA options.

Do note that Zapier does not offer HIPAA compliance but there are alternatives out there. Keragon is supposedly such an alternative but I can’t vouch for them. I just know about some of these options because I’ve been looking at various ways to solve end-to-end HIPAA compliant workflows using low-code tools.

I’ve looked at Knack and Caspio. They both look a bit pricey for HIPAA compliant solutions. I thought that they would be replacements for SmartSuite, not complementary. I saw that Zapier and Make are not HIPAA compliant. Keragon also looks pricey. I do wonder what the realistic risk is in using Zapier/Make as a passthru/webhook trigger. I know it’s not ideal but we’re a 3-person company so at some point the cost vs. risk can get disproportionate, especially when we keep very little medical information – Name, Phone, Medical Provider (nothing more, no med records). Thoughts from anyone?

The cost of HIPAA compliance has been a major barrier for small outfits like yours. In some cases, if you can find a way to build the carrying costs of these platforms into your offering, the pass-through gets absorbed there, but otherwise I’ve yet to find another way around this. The struggle is real!

Hello @paulv and @pnelson

I’m George - one of the founders of Keragon.

We are working already with quite a few small practices and we understand that budgets are tight, especially when using multiple SaaS vendors that allow BAA signatures only on their enterprise plans.

Please get in touch with us via our contact form on our website and mention Table Forums, and we’ll try to be as flexible as we can.

We sign a BAA on all our paid plans, so it’s just a matter of understanding the type of healthcare workflows you’d like to automate, the HIPAA-compliant vendors you’d like to use and the monthly usage you have.

You can find a list of our available and next-in-line vendors on our integrations page.

We do support Airtable, Gmail and Twilio, which were mentioned in the parent post, so I’m positive that we can help set up these automations in a HIPAA-compliant manner.

George, thank you for the response. Once I figure out the platform we’ll be using, I’ll reach out to your team.