Best practices for implementing HIPAA compliance using BioT

PHI (Protected Health Information) refers to private patient data collected during the course of care.

This information is protected by the U.S. Health Insurance Portability and Accountability Act (HIPAA).
The European General Data Protection Regulation (GDPR) refers to similar Personal Information (PI).

BioT is a HIPAA-compliant platform that uses a shared responsibility model for building HIPAA-compliant solutions on it. BioT takes on a significant portion of the overall responsibility, which greatly reduces the work BioT users must do to build HIPAA-compliant solutions. This article covers what remains for you, the BioT user, to implement under your part of the HIPAA shared responsibility model.

BioT allows you to design and define your data model within its platform using templates. Each template consists of attributes, any of which may contain PHI.

To indicate that an attribute contains PHI, check the PHI checkbox next to it.

Once an attribute is marked, BioT removes it from API responses returned to users who are not permitted to access that data.

Generic Entities

Generic entities offer versatility. They allow you to define custom data structures that precisely fit your needs. However, when storing or referencing PHI data from other entities within generic entities, you risk unintentionally exposing that PHI data to unauthorized users.

For example, a generic entity could represent a "medication." This medication could be linked to multiple patients who have been prescribed it.

In this scenario, when patients access information about the medication (referencing the generic entity), they might inadvertently see information relevant to other patients who are also taking the same medication.

If you define generic entities that contain or reference PHI data, special Attribute-Based Access Control (ABAC) rules might be necessary.
To ensure appropriate security measures are implemented, please contact us to discuss your specific use case. We can then work with you to tailor a solution that meets your needs.
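As an added illustration (not BioT's own code or API; the templates, records and access rule are constructed for the example), the following Python shows attribute-level PHI redaction driven by a PHI flag, the leak from the medication scenario above, and a hypothetical ABAC rule that closes it:

```python
from typing import Any

# Constructed template definitions (not BioT's real schema): attribute -> flagged as PHI?
TEMPLATES: dict[str, dict[str, bool]] = {
    "patient": {"id": False, "name": True, "dob": True, "device_serial": False},
    "medication": {"id": False, "drug_name": False, "prescribed_to": True},
}

# Constructed sample record: one generic "medication" entity linked to three patients.
MEDICATION: dict[str, Any] = {"id": "med-1", "drug_name": "metformin",
                              "prescribed_to": ["pat-1", "pat-2", "pat-3"]}


def redact_phi(template: str, record: dict[str, Any], can_view_phi: bool) -> dict[str, Any]:
    """Return the record with every PHI-flagged attribute removed unless the caller
    is permitted to view PHI. Attributes missing from the template are treated as
    PHI so an unflagged field can never leak by accident (fail closed)."""
    flags = TEMPLATES[template]
    return {k: v for k, v in record.items() if can_view_phi or not flags.get(k, True)}


def medication_for_patient_naive(med: dict[str, Any]) -> dict[str, Any]:
    """The leak described in the text: the generic entity is returned as stored, so a
    patient sees every other patient linked to the same medication."""
    return dict(med)


def medication_for_patient_abac(med: dict[str, Any], caller_patient_id: str) -> dict[str, Any]:
    """Hypothetical attribute-based rule: a patient may see a PHI-flagged reference
    only when it points at themselves; references to other patients are dropped."""
    own = [p for p in med["prescribed_to"] if p == caller_patient_id]
    return {**med, "prescribed_to": own}


def other_patients_exposed(response: dict[str, Any], caller_patient_id: str) -> set[str]:
    """Detection check: patient ids other than the caller's that appear in a response."""
    return {p for p in response.get("prescribed_to", []) if p != caller_patient_id}


if __name__ == "__main__":
    print("clinician view:", redact_phi("medication", MEDICATION, can_view_phi=True))
    print("no-PHI view:   ", redact_phi("medication", MEDICATION, can_view_phi=False))
    print("leaked by naive read:", other_patients_exposed(medication_for_patient_naive(MEDICATION), "pat-2"))
    print("leaked with ABAC rule:", other_patients_exposed(medication_for_patient_abac(MEDICATION, "pat-2"), "pat-2"))
```

The `other_patients_exposed` check is the kind of assertion worth running against your own API responses in a test suite: any non-empty result from a patient-role read is a PHI exposure.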

Plugins

Plugins enable you to extend the functionality of BioT. If your plugin processes PHI data, HIPAA requires you to retain audit logs of its activity for at least 6 years, so make sure your plugins write to the BioT log system.