Building HIPAA compliant messenger using QuickBlox API

Anton Dyachenko
Anton Dyachenko
29 Jan 2020
Healthcare Archives • Quickblox Blog

Building HIPAA compliant messaging solution using QuickBlox API

Everyone is concerned about protecting their privacy. Digital storage of personal data arises the question: what does a healthcare provider do to protect your privacy? Healthcare organizations dealing with personal information have standards that they must follow.

That is why the Health Insurance Portability and Accountability Act (HIPAA) compliance is a crucial responsibility for all healthcare providers.

What information is protected by HIPAA?

Protected health information under the Privacy Rule contains any information that may be transmitted or stored by one of the entities covered by the HIPAA compliance requirements:

  • IIHI (individually identifiable health information): name, address, date of birth, social security number.
  • PHI (protected health information) – includes bills from doctors, emails, MRI scans, blood test results, and any other medical information
  • CHI (consumer health information) – includes data you can receive from a fitness tracker: number of calories burned, heart rate readings, and number of steps walked

HIPAA compliance requirements

To build a HIPAA compliant text messaging application, you need to follow four rules:

Privacy rule

HIPAA Privacy Rule regulates access to Protected Health Information (PHI). It covers the circumstances in which it can be used, and to whom it can be disclosed. Privacy rules also define the standards for the implementation of data protection.

Security rule

The Security Rule describes the set of administrative, physical, and technical measures that must be taken to protect the message history.

Physical safeguards

Focus on encrypting all data both at rest and in transit.

  • Access Control Requirements
  • Transmission Security
  • Audit and Integrity

Technical safeguards

Focus on thoroughly encrypting all data that is transferred between or stored on devices and servers.

  • Unique user identification
  • Emergency access procedures
  • Automatic logoff

Administrative safeguards

They are policies and procedures that set out what the covered entity does to protect its PHI. These requirements regulate the work of the employees that have direct access to PHI.

Breach notification rule

It requires HIPAA-covered entities and their business associates to notify the media in case of the data breach. The notice is usually presented in the form of a press release and must be provided no later than 60 days following the discovery of a Breach.

Enforcement rule

U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) handles enforcing the HIPAA Privacy and Security Rules. It deals with compliance, investigations, penalties for violations, and procedures for hearings. Failure to follow HIPAA can also result in civil and criminal penalties.

Building HIPAA compliant message solutions using QuickBlox API

There are many factors to consider when creating a healthcare application. But you can get confused because of poorly documented instructions. The best way to make it secure is to use a HIPAA compliant instant messaging service to transfer and store ePHI. Using an existing service allows you to focus on your application without worrying about creating the HIPAA compliant message infrastructure. The infrastructure must safeguard the integrity, confidentiality, and accessibility of health information.

Quickblox services can be hosted on the dedicated AWS cloud. All AWS instances that we use to run our applications follow the HIPAA requirements both at rest and in transit. While AWS no longer requires the use of dedicated hosts for the purposes of HIPAA compliance, we still offer this option for sensitive data management.

Practical tips for configuring a HIPAA compliant chat environment

It is worth noting that your message app can only be HIPAA compliant if all its layers follow data security specifications. To follow the mentioned regulations, some of your primary concerns will be that it meets the following core requirements:

Access control

Access control is the first of the HIPAA Security Rules. It is described as the responsibility for all healthcare providers to allow access only to authorized users.

1. User verification

Access control ensures users can only access messages they sent or received. Also, all actions are logged including administrative password resets for users. It guarantees the usage of data is identifiable, audited and attributed to an individual user.

QuickBlox follows this rule and prevents unauthorized access. It helps businesses to improve access control and safeguard sensitive patient data. QuickBlox allows access to ePHI only to those granted access rights. A user can perform any of the operations and access the data as defined by the union of the privileges associated with their roles.

2. Person or Entity Authentication

Person Authentication guarantees the identity of the users accessing the database. It ensures that only designated users have access to the database. All users should be engaged in this secure ecosystem only by invitation. This prevents incorrect use and allows transparency and accountability. Access to the messages should be secured with a password.

QuickBlox HIPAA compliant message solutions provide secure authentication methods to ensure authorized access. Each user has a password and he can create a unique token session that will live 2 hours. This will further help elevate the level of security offered.

3. Automatic Logoff

HIPAA requirements include automatic logoff – in case of session end due to inactivity. If the user forgot to close the page, the chances of data theft increase.

QuickBlox provides full support for anonymous sessions. Its automatic logoff procedures can prevent unauthorized users from accessing ePHI. It helps to end any session after a set period of inactivity. To continue, the user would have to re-enter the password or authenticate in some other way.

Data encryption in rest & transit

To ensure information security, you need not only protect the on-device data but also take care of transmission security. Standard message services are open to access by mobile companies. But the HIPAA compliant message app ensures that third parties do not get PHI at all. Encrypting your traffic, you make sure that the malicious cannot access the data by traffic interception. QuickBlox HIPAA compliant message applications use strong encryption standards and send your traffic through connections protected by security protocols.

1. Implement the “Transmission Security” requirements

QuickBlox supports the HTTPS protocol to work with our API, as well as Secure XMPP, Secure Bosh, and Secure WebSockets. Finally, QuickBlox advanced the HIPAA implementation between the application and database layer using native AWS tools.

2. Integrity as a Feature

QuickBlox HIPAA compliant communication tools support easy integration with third-party applications such as document or customer identity providers. It ensures secure data storage and transfer between business applications and users.

We use database-native encryption to prevent the direct reading of database files. You can also store your sensitive data in S3 that provides both server-side and client-side encryption. Your files will be replicated and backed up, so you will be able to retrieve them any time you need.


To prevent database corruption or PHI damaging as a result of a server crash, HIPAA messaging compliance requires backup of sensitive data. Backup systems create, store, and manage the copies to ensure their recovery in case of a failure.

1. Disposal as a Requirement

QuickBlox provides the necessary steps to create and implement the disposal policies, procedures to follow HIPAA secure messaging regulations. We offer a backup PHI to safeguard our clients from ransomware and cyber attacks. You can choose a cloud backup service or an offline backup solution according to your needs. You can also configure the system so that it destroys the data and backups automatically or on request.

2. The Data Backup and Storage Implementation

QuickBlox offers the following options for Data Backup Storage.

Data Backup to Hardware Appliances

QuickBlox HIPAA compliant communication solutions installed on your systems perform the backups and handle the backup process. You access the solution via a graphical interface provided with the appliance. This is the best option for quick backups of small systems. It is designed for the recovery of individual files or systems in the event of software failure.

Data Backup to Network Shares

With a centralized NAS (Network Attached Storage), SAN (Storage Area Network), or a simple network share, you can store many or all company backups in one place. In case of a virus attack or data corruption, you quickly restore your data.

Data Backup to Cloud Storage.

QuickBlox allows you to subscribe to a certain storage capacity in the cloud vendor’s or service provider’s data center. You need an internet connection to send backups to the cloud. We provide essential solutions to cut the problems with uploading large amounts of data.

High availability / Disaster recovery support

High Availability is the ability of a system to switch over to a redundant system in case of component failure. Disaster Recovery stands for restoring the services to normal operations in the shortest possible time.

QuickBlox offers such a configuration when highly available cluster servers are used for an application in the production center, with backup hardware in the off-site recovery center.

The data is backed up in the recovery center and coupled with the High Availability design in the production center. This allows the system to be relatively better protected at both ends. We work hard to ensure any hardware failure or even complete shutdown of a hardware host will not affect the availability of the application and the PHI data.


Our experts developed products aimed at protecting against leakage and data loss. This allows us to create solutions of any complexity that best meet the individual needs of your HIPAA-compliant telehealth platform. If you have questions about ways to implement security measures, please contact us.

Share article

Subscribe for news

    Thanks for subscribing!

    You will receive an email shortly to verify your subscription.

    Check out your inbox!

    Ready to get started?


    Subscribe for news

    Get the latest posts and read anywhere.

      Don’t forget to visit our social networks:

      • twitter
      • fb
      • linkedin
      • medium
      • git
      • instagram