HIPAA
HIPAA (Health Insurance Portability and Accountability Act) is US federal law that sets standards for protecting sensitive patient health information (PHI) — any app that stores, processes, or transmits health data for US patients likely needs to comply.
In depth
HIPAA applies to Covered Entities (healthcare providers, insurers) and their Business Associates (any vendor handling PHI on their behalf — including your app if it stores patient data).
Key requirements: - Encryption at rest and in transit (AES-256, TLS 1.2+) - Access controls and audit logs - Business Associate Agreement (BAA) with cloud providers - Minimum necessary access principle - Breach notification within 60 days
HIPAA-compliant infrastructure: - Supabase (BAA available on Team plan) - AWS (BAA available) - Google Cloud (BAA available) - NOT: standard Vercel, standard Firebase
Building HIPAA-compliant from day one costs 20–30% more than standard apps but avoids a complete rebuild when you get your first healthcare customer.
Real example
A telehealth startup stores patient consultation notes in Supabase with BAA signed, RLS enabled, and all PHI encrypted at rest.
Tools & calculators
Related terms
Row Level Security (RLS)
Row Level Security (RLS) is a PostgreSQL feature that controls which rows in a database table a user can read, insert, update, or delete — enforced at the database level, not the application layer.
KYC (Know Your Customer)
KYC (Know Your Customer) is the process of verifying the identity of users before allowing them to access financial services — required by regulators to prevent fraud, money laundering, and terrorist financing.
PCI DSS
PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements for any organization that stores, processes, or transmits credit card data — non-compliance can result in fines and loss of payment processing ability.
Ready to build your product?
Fixed price. 21-day delivery. Senior team.
Get a free scoping call →