Is Grist HIPAA compliant?

Hi, I’d love to know if GRIST is considered HIPAA compliant for saving health care records.
HIPAA Compliant App / Website Development Checklist for 2023 This is one example of the information to show whether it would be or not :slight_smile:
Thanks!

1 Like

Hi there!

While we have strong security and privacy safeguards in place, we don’t currently offer HIPAA compliance for our hosted product.

You can host Grist fully on your infrastructure, which may simplify HIPAA compliance if you already manage other software this way.

Thanks,
Natalie

1 Like

Hi!
To determine if GRIST is HIPAA compliant for saving healthcare records, you’ll want to check if they meet key HIPAA requirements, such as data encryption, secure access controls, and the ability to sign a Business Associate Agreement (BAA). :upside_down_face:

For a more up-to-date and detailed resource, I recommend checking out this article on HIPAA custom software development that is current for 2025. It covers modern best practices and guidelines for ensuring HIPAA compliance in your software.

To add to this, as @natalie-grist said, to address compliance requirements, the solution is to run Grist on your own infrastructure. We can help you set everything up correctly and securely, and we will not be a data processor at all. Your own IT team will be in charge of your data, and you will not need a BAA from us.

If you want us to be the data processor (i.e. want us to host and run Grist as a service), that’s possible but more expensive. Our services are well suited for this on a technical level, but there is legal work to do.

Hi I am really interested in this because I would like to use grist to store healthcare records. In Australia we have had recent data breaches, including of a health insurance company, that make this concern all the more salient.

I run a very small practice - only me - so Grist Desktop is a great solution. Files can be stored locally or on an encrypted and certified data storage (eg tresorit). I think Grist provides a great solution for small healthcare providers like me.

I have discovered so far that using cryptomator to encrypt the database seemed to cause it to become unstable - I received errors and lost the small amount of data that I was testing it with. I also discovered that I would really appreciate a flatpak version of Grist Desktop, or something similar, because I use Fedora linux and this would integrate Grist more easily into the system and allow for updates. I am not sure whether it is feasible or practical for someone like me to run it on my own infrastructure as you have suggested above but this would be easy and simple enough for small practices to use.

Thanks

Hi! I’m the CFO for a few health clinics - not an attorney but I can possibly help a little. I can’t tell you how many hours (and $$$$$ to attorneys) I have spent tracing this question. I can’t speak to Grist, but I can speak to HIPAA. I went down this rabbit hole when looking for non-medical software for my clients (like accounting). Spoiler alert, it’s not around and if it is, it is crazy expensive!

TLDR; there is no such thing as “HIPAA Compliant Software”, only software that can be used compliantly.

Many people think that healthcare=HIPAA, when that is not the case. HIPAA in fact stands for Health Insurance Portability and Accountability Act, out of administrative burdens with billing. When we say “HIPAA” it has a very defined legal scope.

1st, and most importantly - there is technically no such thing as “HIPAA compliant software,” rather software that can be utilized in a HIPAA compliant way. This certification you see essentially means that the vendor signed a BAA and set up the software in such a way that the user can comply with HIPAA. That’s it! Think about Excel for example, not “HIPAA certified,” but I bet most healthcare orgs in the country use it. Why? It doesn’t matter about the software so much as your handling of the data. If your internal policies, procedures, and practices comply with HIPAA, so too then does your software. This “HIPAA Certified” thing is seen a lot now in SaaS where the vendor interacts with your data as a function of SaaS, but is broadly misunderstood. (I also think there is probably some marketing incentive in there!). In short, if you installed GRIST on your internal servers the same way you would Excel, then it is no different than Excel.

Beyond that, if you want to get into the weeds more:

1st - Evaluating if you are a covered entity. Not all healthcare organizations in the US are covered under HIPAA. For example, if you are a doctor and don’t take insurance, you likely aren’t covered under HIPAA.
2 - Is the data in question Protected Health Information (PHI)? HIPAA has a very clear definition of what PHI is and it is often over-applied.
3 - If you are covered and it is PHI, HIPAA only cares about identifying information. For example, if you can randomize their name in with a unique ID in the dataset, that is now HIPAA compliant as it only applies to identifying information. (This is what I do to get accounting information into a ledger). There are cheap integrator services that do this for you.

Long winded, but I have spent so much money and many thousands of dollars answering this question for myself, and would love to save someone else the pain! Good luck on your search!

4 Likes
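One way to implement the "replace the name with a unique ID" step described in the last post, as an added Python example that is not Grist's code and not the poster's own procedure: the direct identifier columns are stripped from each record and replaced by a random pseudonym, while a separate mapping table (which must be stored and access-controlled apart from the working dataset) links each pseudonym back to the original identifiers. The field names, the list of identifier columns and the sample records are all constructed for this example; it handles several identifier fields rather than only the name, and gives repeat records for the same person the same pseudonym so that the working data stays joinable.

```python
import secrets
from typing import Callable, Dict, Iterable, List, Optional, Sequence, Tuple

# Columns treated as direct identifiers. This list is an assumption for the
# example; a real de-identification policy has to be decided per dataset.
DIRECT_IDENTIFIERS: Sequence[str] = ("name", "dob", "phone", "email")

Record = Dict[str, object]


def pseudonymize(
    records: Iterable[Record],
    identifier_fields: Sequence[str] = DIRECT_IDENTIFIERS,
    token_factory: Optional[Callable[[], str]] = None,
) -> Tuple[List[Record], Dict[str, Record]]:
    """Strip identifier columns and substitute a pseudonymous patient_id.

    Returns (working_records, mapping). `mapping` is pseudonym -> original
    identifier values and is the only place the link to a person survives,
    so it must be kept separately from `working_records`.
    """
    token_factory = token_factory or (lambda: secrets.token_hex(8))
    identity_to_token: Dict[tuple, str] = {}
    mapping: Dict[str, Record] = {}
    working: List[Record] = []

    for rec in records:
        # All identifier values together define one person for this run.
        identity = tuple(rec.get(f) for f in identifier_fields)
        token = identity_to_token.get(identity)
        if token is None:
            token = token_factory()  # random, so the token reveals nothing
            identity_to_token[identity] = token
            mapping[token] = {f: rec[f] for f in identifier_fields if f in rec}
        clean = {k: v for k, v in rec.items() if k not in identifier_fields}
        clean["patient_id"] = token
        working.append(clean)
    return working, mapping


def leaked_identifiers(
    records: Iterable[Record], identifier_fields: Sequence[str] = DIRECT_IDENTIFIERS
) -> List[str]:
    """Defensive check before export: list identifier columns still present."""
    return sorted({f for rec in records for f in identifier_fields if f in rec})


def reidentify(working: Iterable[Record], mapping: Dict[str, Record]) -> List[Record]:
    """Rejoin the mapping table, for the few roles allowed to see identities."""
    return [{**rec, **mapping[rec["patient_id"]]} for rec in working]


# Constructed sample records (fictional people and amounts).
SAMPLE_RECORDS: List[Record] = [
    {"name": "A. Example", "dob": "1980-01-01", "email": "a@example.invalid",
     "visit": "2024-03-01", "charge": 120.0},
    {"name": "A. Example", "dob": "1980-01-01", "email": "a@example.invalid",
     "visit": "2024-03-15", "charge": 80.0},
    {"name": "B. Sample", "dob": "1975-06-30", "phone": "000-0000",
     "visit": "2024-03-02", "charge": 200.0},
]


def run_sample(token_factory: Optional[Callable[[], str]] = None):
    """Pseudonymize the sample set and return everything needed to inspect it."""
    working, mapping = pseudonymize(SAMPLE_RECORDS, token_factory=token_factory)
    return working, mapping, leaked_identifiers(working)


if __name__ == "__main__":
    working, mapping, leaks = run_sample()
    for rec in working:
        print(rec)          # ledger-ready rows, identifiers gone
    print("leaked identifier columns:", leaks)
    print("mapping entries (store separately):", len(mapping))
```

The working rows can go into the accounting or analytics dataset; the mapping table is what needs the strongest protection, since whoever holds both has the identified data again. Running `leaked_identifiers` on the export is the cheap check that no identifier column slipped through when the schema changed.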