We have done several projects where Shopify is a part of a HIPAA-compliant solution. These have included:
- A Shopify Plus store that sells at-home test kits for allergies and other bloodwork.
- A Shopify store that sells prescription eyewear alongside other non-HIPAA products and supplies.
- A B2B Shopify Plus store that sells pharmaceuticals direct to clinics.
- A Shopify store that sells Telehealth visits and TRT.
- At least 4 different medical supply Shopify sites that deal with prescriptions, insurance or patient-disclosed ePHI.
Protected health information (PHI) must be handled with care by any business in the health and medical space: it has to be stored, processed, and transmitted securely to comply with regulations such as the Health Insurance Portability and Accountability Act (HIPAA). In this article, we outline how to build a private Shopify app that keeps PHI in your own compliant systems while still working with a Shopify store.
Prerequisites
Shopify is not HIPAA compliant and does not offer a Business Associate Agreement, so PHI must not be stored in Shopify's own records (orders, customer notes, line item properties, metafields, tags), where it would be visible to Shopify and to every installed app with the corresponding scope. To work with PHI alongside a Shopify store, you must put the safeguards in place yourself: store the data only in a HIPAA-compliant hosting environment, implement proper data security measures, and sign a Business Associate Agreement (BAA) with every third party that handles PHI (hosting provider, email or SMS provider, support tooling, analytics).
Always consult with a legal expert or a healthcare compliance specialist before proceeding.
Step 1: Set up Your Development Environment
First, set up your development environment. You’ll need:
- A Shopify store: You can create a development store for free if you don’t have a store already.
- A secure server: Your app needs a server to run on, hosted with a provider that is HIPAA-compliant and will sign a BAA covering that environment.
- A TLS certificate: Shopify requires all apps to use HTTPS, so your server needs a valid TLS (SSL) certificate, and any endpoint that receives PHI must refuse plain HTTP.
- A suitable programming language: Shopify apps can be built with any language that can run on a server, such as Ruby, Python, or JavaScript with Node.js.
Step 2: Create a New Private App
To create a new private app, follow these steps:
- From your Shopify admin, go to Apps.
- Click Manage private apps at the bottom of the page.
- Click Create a new private app.
- Enter the App name and an Emergency developer email.
- In the Admin API section, set the permissions for the app. Follow the principle of least privilege: grant only the scopes the app needs (for example, read access to orders without write access to customers), and review them again before go-live, because every scope you grant is available to anyone who obtains the credentials.
- Click Save to create the app.
Shopify then shows the app's credentials: an API key and a password. The password is the secret that authenticates Admin API requests (sent as the X-Shopify-Access-Token header), so treat it like any other production secret: keep it in a secrets manager, never in source control or client-side code, and rotate it if it is ever exposed. Note that Shopify has since replaced private apps with custom apps (Settings > Apps and sales channels > Develop apps); the flow is the same in substance, but the credential you receive is an Admin API access token.
Step 3: Develop Your App
Now that you have your private app created, you can start developing it. This will typically involve writing code on your server to interact with Shopify’s APIs.
Remember that any PHI you store must be handled securely. At a minimum this means:
- Encryption: All PHI must be encrypted at rest and in transit. At rest, encrypt the records in your database (ideally field by field, with keys held in a KMS rather than in application config) and encrypt backups too; in transit, require HTTPS with modern TLS for every connection that carries PHI, including webhooks from Shopify and calls to any third-party service.
- Access controls: Ensure that only authorized individuals can reach PHI. This means strong user authentication (MFA for anyone who can view records) and role-based access control inside the app, with deny by default and the minimum role needed for each job.
- Audit logs: Record every access to and change of PHI: who, what record, when, from where, and whether the attempt was allowed. Write these logs to append-only storage, protect them from the people whose actions they record, and retain them for the period your compliance program requires; they are what you will rely on to detect and respond to an incident.
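The following is an added example, not code from the article or from Shopify, showing how the three controls above fit together in the app server using only Ruby's standard library. It assumes the design the prerequisites imply: the prescription is encrypted (AES-256-GCM) and kept in the app's own database in the HIPAA-hosted environment, and Shopify only ever receives an opaque reference id (for example in a line item property). It also verifies the order webhook the way Shopify signs it (HMAC-SHA256 of the raw body with the app's shared secret, base64, in the X-Shopify-Hmac-Sha256 header) before trusting the payload. The role names, the shared secret, the order payload and the patient data are all constructed for the example.

```ruby
require "openssl"
require "json"
require "base64"
require "securerandom"
require "time"

# --- Webhook authenticity ------------------------------------------------
# Shopify signs the raw body of every webhook with the app's shared secret
# (HMAC-SHA256, base64) and sends it as X-Shopify-Hmac-Sha256. Verify over
# the raw bytes, before JSON parsing, in constant time.
def webhook_hmac(raw_body, shared_secret)
  Base64.strict_encode64(OpenSSL::HMAC.digest("sha256", shared_secret, raw_body))
end

def secure_equal?(a, b)
  return false unless a.is_a?(String) && b.is_a?(String) && a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def webhook_authentic?(raw_body, hmac_header, shared_secret)
  secure_equal?(webhook_hmac(raw_body, shared_secret), hmac_header)
end

# --- PHI store with encryption, RBAC and an audit log --------------------
# Stands in for the app's own database in the HIPAA-hosted environment.
# Shopify never sees the record, only the reference id returned by #store.
class PhiVault
  # Hypothetical roles for the example; map these to your own IAM.
  ROLES = { "pharmacist" => [:read, :write], "auditor" => [:read], "support" => [] }.freeze

  attr_reader :audit_log

  def initialize(master_key)
    # In production the key comes from a KMS/HSM, never from source or config.
    raise ArgumentError, "AES-256 needs a 32-byte key" unless master_key.bytesize == 32
    @master_key = master_key
    @records = {}    # ref => { iv:, ciphertext:, tag: }
    @audit_log = []  # append-only in production (WORM storage or a SIEM)
  end

  def store(actor, role, phi)
    authorize!(actor, role, :write, nil)
    ref = "phi_#{SecureRandom.hex(8)}"
    @records[ref] = encrypt(ref, JSON.generate(phi))
    audit(actor, :write, ref, true)
    ref
  end

  def read(actor, role, ref)
    authorize!(actor, role, :read, ref)
    blob = @records.fetch(ref) { raise KeyError, "unknown record #{ref}" }
    phi = JSON.parse(decrypt(ref, blob))
    audit(actor, :read, ref, true)
    phi
  end

  private

  # Deny by default; a refused attempt is still logged.
  def authorize!(actor, role, action, ref)
    return if ROLES.fetch(role, []).include?(action)
    audit(actor, action, ref, false)
    raise SecurityError, "#{actor} (#{role}) may not #{action} #{ref}"
  end

  def audit(actor, action, ref, allowed)
    @audit_log << { at: Time.now.utc.iso8601, actor: actor, action: action, ref: ref, allowed: allowed }
  end

  # AES-256-GCM with a fresh random nonce per record; the reference id is
  # bound in as associated data so a ciphertext cannot be moved to another id.
  def encrypt(ref, plaintext)
    cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
    cipher.key = @master_key
    iv = cipher.random_iv
    cipher.auth_data = ref
    ciphertext = cipher.update(plaintext) + cipher.final
    { iv: iv, ciphertext: ciphertext, tag: cipher.auth_tag }
  end

  def decrypt(ref, blob)
    cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
    cipher.key = @master_key
    cipher.iv = blob[:iv]
    cipher.auth_tag = blob[:tag]
    cipher.auth_data = ref
    cipher.update(blob[:ciphertext]) + cipher.final # raises CipherError on tampering
  end
end

# Constructed demo: an order webhook whose line item carries only the reference.
if $PROGRAM_NAME == __FILE__
  secret = "constructed-shared-secret"
  vault = PhiVault.new(SecureRandom.random_bytes(32))
  ref = vault.store("dr_lee", "pharmacist", { "patient" => "A. Patient", "rx" => "-2.00 OD / -1.75 OS" })
  body = JSON.generate({ "id" => 450789469, "line_items" => [{ "title" => "Prescription eyewear",
                         "properties" => [{ "name" => "rx_ref", "value" => ref }] }] })
  puts "webhook authentic: #{webhook_authentic?(body, webhook_hmac(body, secret), secret)}"
  puts "pharmacist read:   #{vault.read('dr_lee', 'pharmacist', ref)['rx']}"
  begin
    vault.read("agent7", "support", ref)
  rescue SecurityError => e
    puts "support blocked:   #{e.message}"
  end
  vault.audit_log.each { |entry| puts entry.to_json }
end
```

Two design points worth noting: the webhook check runs on the raw request body (re-serialising parsed JSON changes the bytes and the HMAC no longer matches), and the denied read by the support role still produces an audit entry, which is exactly the event a detection rule should alert on.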
Step 4: Test Your App
Before the app goes live, test it thoroughly, both functionally and for security. Security testing should cover at least: authorization (can a user or role reach records it should not), input handling on every endpoint that accepts PHI, webhook signature verification, dependency and container vulnerability scanning, and a check that no PHI leaks into application logs, error pages, Shopify records, or analytics.
Step 5: Deploy Your App
Once the app has been tested and you are satisfied it works correctly, deploy it to your production server. That server must also live in the HIPAA-compliant environment, with secrets (the app password, encryption keys) injected from a secrets manager rather than baked into the image, and with the same encryption, access control and logging controls applied to the production database and its backups.
Conclusion
Building a private Shopify app to store PHI data requires careful planning and execution to ensure compliance with HIPAA and other relevant regulations. Always ensure that you have the necessary safeguards in place to protect PHI data.
If you would like to talk to a Shopify HIPAA expert please contact us using the form below.