ERPNext - HIPAA Compliance

Can anyone confirm if ERPNext is HIPAA compliant?

I think HIPAA is not so much about the software you’re using but about your company policies and processes:


Exactly. On a self-hosted ERPNext installation, patient information is as secure or insecure as your company’s policies.

From my limited experience with HIPAA, the only part that might be structurally problematic is the email module if you’re using it to email patient information. In a HIPAA compliant system, you typically would never email patient info anyway. Instead, you’d email patients to say that their records have been updated and then ask them to log into your portal.


If we look at past HIPAA violations and the fines, they have happened due to lack of process and safeguards for the data.

HIPAA is a complex process. It takes a lot of resources and money to get HIPAA compliant. You might even need the help of external teams to help you become HIPAA compliant and get certified.

Even after getting certified, a simple mistake like adding the @frappe.whitelist decorator on a function which accesses PHI data will result in a HIPAA violation. So, there has to be a stringent process to make sure your software and services are HIPAA compliant.

If you are a developer, this HIPAA compliance guide will help you to get started.
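The whitelist mistake described in the post above, shown as an added example that is not part of this thread and not Frappe's own code. The `whitelist` decorator, `dispatch` function, patient records and permission table below are a constructed stand-in that mimics the pattern of `frappe.whitelist` and `/api/method/<name>` dispatch so the example runs offline; in a real site the caller would come from the session and the permission check would be the framework's own document permission check. The point is that whitelisting only decides whether a function is reachable over HTTP, so a function that returns PHI must still verify that the caller is allowed to read that specific record.

```python
"""Constructed mini-framework: shows why a whitelisted function that returns
patient data needs its own permission check (it mimics frappe.whitelist and
HTTP method dispatch, it is not the real framework)."""
from functools import wraps

# Constructed sample PHI; in a real deployment this would live in the Patient DocType.
PATIENT_RECORDS = {
    "PAT-0001": {"name": "Alice Example", "diagnosis": "Type 2 diabetes"},
    "PAT-0002": {"name": "Bob Example", "diagnosis": "Hypertension"},
}

# Constructed access-control list: which user may read which patient record.
READ_PERMISSIONS = {
    "nurse@example.com": {"PAT-0001"},
    "billing@example.com": set(),   # may call endpoints, but may not read PHI
}

# Registry of functions reachable over HTTP (what the decorator fills in).
WHITELISTED = {}


class AccessDenied(Exception):
    """Raised when a caller may not reach a method or read a record."""


def whitelist(allow_guest=False):
    """Mark a function as callable over HTTP (mimics @frappe.whitelist)."""
    def decorator(fn):
        WHITELISTED[fn.__name__] = (fn, allow_guest)

        @wraps(fn)
        def wrapper(*args, **kwargs):
            return fn(*args, **kwargs)
        return wrapper
    return decorator


def has_permission(user, patient_id):
    """Record-level read check; stands in for the framework's permission check."""
    return patient_id in READ_PERMISSIONS.get(user, set())


def dispatch(method, user, **kwargs):
    """Simulate a request to /api/method/<method> from the given session user.

    Only whitelisted functions are callable, and guests are blocked unless the
    function was registered with allow_guest=True. Nothing else is checked here:
    record-level authorization is the function's own responsibility.
    """
    if method not in WHITELISTED:
        raise AccessDenied(f"{method} is not whitelisted")
    fn, allow_guest = WHITELISTED[method]
    if user == "Guest" and not allow_guest:
        raise AccessDenied("login required")
    return fn(user=user, **kwargs)


# Unsafe: reachable over HTTP, returns PHI to any logged-in user.
@whitelist()
def get_patient_unsafe(user, patient_id):
    return PATIENT_RECORDS[patient_id]


# Safe: same data, but the caller's permission on that record is enforced first.
@whitelist()
def get_patient(user, patient_id):
    if not has_permission(user, patient_id):
        raise AccessDenied(f"{user} may not read {patient_id}")
    return PATIENT_RECORDS[patient_id]


def try_call(method, user, **kwargs):
    """Call an endpoint and report ('ok', result) or ('denied', reason)."""
    try:
        return ("ok", dispatch(method, user, **kwargs))
    except AccessDenied as exc:
        return ("denied", str(exc))


if __name__ == "__main__":
    # A billing user with no read rights still gets PHI from the unsafe endpoint.
    print(try_call("get_patient_unsafe", "billing@example.com", patient_id="PAT-0001"))
    # The checked endpoint refuses the same request.
    print(try_call("get_patient", "billing@example.com", patient_id="PAT-0001"))
    # An authorized nurse is served normally.
    print(try_call("get_patient", "nurse@example.com", patient_id="PAT-0001"))
```

Run it as a script to see the three outcomes side by side. The defensive takeaway is that a code review or CI check should treat every `@frappe.whitelist` function that touches patient data as an externally reachable endpoint and confirm it performs a record-level permission check before returning anything.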


