HIPAA Compliance

Last updated: 11 Sep 2023

The public KoboToolbox servers were not designed with the specific requirements of HIPAA in mind and, as such, carry no guarantee of HIPAA compliance. HIPAA rules cover how servers store and transfer different kinds of data, what kinds of logs need to be kept at what level, as well as legal agreements, insurance requirements, and specific business rules that have to be put in place and monitored to ensure compliance.

We do not yet have plans to redesign the infrastructure of these public instances in accordance with the specific security protocols of HIPAA. Anyone willing to operate their own private instance of KoboToolbox could do so in a HIPAA-compliant way, for example by contracting with a hosting company that specializes in HIPAA compliance.