You really need to do a risk assessment to determine how PHI would be moving around and whether anybody at bubble would have access to it. But it doesn’t look promising. It appears that bubble will not execute a HIPAA business associate agreement, and they discourage using their platform for processing PHI. https://bubble.io/support-article/is-bubble-hipaa-compliant
It’s not possible to say yes or no to your question without knowing a lot more about what you plan to build. There’s simply no such thing as a “HIPAA compliant platform.” Everything is highly dependent on your specific implementation, and it is your HIPAA risk assessment where you are required to document that.
But at a glance, I would say that bubble does not look like a good partner for a HIPAA covered entity, in contrast to salesforce who actively courts HIPAA covered entities as clients and will happily execute the required business associate agreement.
You may also want to evaluate hosting logging services yourself within your infra, so that data doesn't leave your cloud boundaries and compliance becomes easier. ELK is a good open source alternative which many companies use for logging: https://www.elastic.co/what-is/elk-stack
The name, email, and what applications are being accessed is fine.
The password?
Are we back to this again: http://serverfault.com/questions/293217/our-security-auditor-is-an-idiot-how-do-i-give-him-the-information-he-wants
It's "HIPAA Officers" like the OP's that make the rest of us good auditors/compliance officers look bad.
Use internally assigned unique ids without any additional identifying info and you can use Trello safely.
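The approach in the comment above, as an added example that is not part of the original thread: patient records are mapped to random opaque ids inside the covered entity's own systems, only the opaque id plus a generic task description is sent to the external board, and a check refuses to emit a card whose text contains any identifying field. The patient records, field names and `Pseudonymizer` class are constructed for illustration.

```python
import secrets

# Constructed sample records (fake data for illustration only).
PATIENTS = [
    {"name": "Alice Example", "dob": "1980-01-02", "mrn": "MRN-000123"},
    {"name": "Bob Sample", "dob": "1975-06-30", "mrn": "MRN-000456"},
]

# Fields that must never appear in text sent to the third-party tool.
IDENTIFYING_FIELDS = ("name", "dob", "mrn")


class Pseudonymizer:
    """Maps patient records to opaque ids.

    The lookup table lives inside the covered entity's own systems; the
    external board only ever sees the opaque id.
    """

    def __init__(self):
        self._forward = {}  # mrn -> opaque id
        self._reverse = {}  # opaque id -> record

    def assign(self, record):
        key = record["mrn"]
        if key not in self._forward:
            # A random token carries no information derived from the patient,
            # unlike a hash of the MRN or a sequential number tied to intake order.
            token = "PT-" + secrets.token_hex(6)
            self._forward[key] = token
            self._reverse[token] = record
        return self._forward[key]

    def resolve(self, token):
        """Reverse lookup, only callable from inside the trusted boundary."""
        return self._reverse[token]


def contains_identifiers(text, record):
    """True if any identifying field of the record appears in the text."""
    lowered = text.lower()
    return any(str(record[f]).lower() in lowered for f in IDENTIFYING_FIELDS)


def make_card_title(token, task):
    """Card text destined for the external board: opaque id plus a generic task."""
    return f"{token}: {task}"


def build_board(pseudo, patients, task):
    """Produce the card titles that may leave the boundary.

    Raises if a staff member wrote an identifier into the task text, so the
    leak is caught before anything is posted.
    """
    cards = []
    for record in patients:
        token = pseudo.assign(record)
        title = make_card_title(token, task)
        if contains_identifiers(title, record):
            raise ValueError("identifier leaked into card text")
        cards.append(title)
    return cards


if __name__ == "__main__":
    pseudo = Pseudonymizer()
    for card in build_board(pseudo, PATIENTS, "schedule follow-up call"):
        print(card)
```

The tokens are random rather than hashed so that nobody with access to the board can recover the MRN offline, and the same record always gets the same token so cards remain linkable for staff who hold the internal table.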
Here are some Trello alternatives that you can self-host, which, with some additional logging, can be HIPAA compliant:
https://alternativeto.net/software/trello/?platform=self-hosted
I usually recommend Amazon Web Service right off the bat.
But I've also worked with clients who really liked Sookasa, which is a Dropbox add-on that is HIPAA compliant. This might be the most cost effective, given that they won't need to set up additional infrastructure if they're already using Dropbox.
It's for telehealth communication tools only, as they are extremely needed for remote diagnosis etc. It's not a direct override of the act, if used in good faith and if you're not using any public-facing option (YouTube, Twitch). It just eases the regulation so you can get started first and get compliant after. So, you can use Hangouts or Skype for now, but you should still try to get them to sign a BAA.
>Is it also applicable to collecting patient information or is it just for telehealth remote communication tools?
No, it doesn't apply to collecting patient information. You still have to use HIPAA compliant methods such as online forms. Those can be quite expensive as far as I remember. But, there's a deal going on for people who are fighting against the outbreak. I believe they are giving away their plans for free, it doesn't apply to us but might help you out. This should be the link to the page: https://www.jotform.com/corona-responder-program/
I would suggest you go with a HIPAA BAA, as it is very critical while storing PHI. You need to ensure that your company complies with relevant health care industry regulations, including data protection laws such as HIPAA, and must strike a balance between protecting the privacy of patients and the standards laid down by HIPAA to maintain greater control of patients' sensitive data.
A Customer Identity and Access Management tool like LoginRadius (https://www.loginradius.com/industry-healthcare/) takes care of all the requirements related to PHI. In comparison to Auth0 and Okta, the pricing of LoginRadius is very low, and they have a forever free plan as well. As a CIAM solution it is safe, streamlined and scalable. Be it in the cloud, on-premise, or a hybrid environment, healthcare organizations can easily manage their data anywhere.