HIPAA compliance plans?

Are there any plans to make Canvas HIPAA-compliant?

I haven't heard of any.  I'd suggest talking to your CSM, or if you don't have one, reach out to Instructure, the makers of Canvas.

Hi @emily

Could you elaborate on what you mean by HIPAA compliant? I worked as a Privacy Officer for a regional medical center for many years, and have a good understanding of HIPAA (in fact I traveled all over the country training health care professionals in HIPAA). There is only a limited intersection of HIPAA and education, but only in respect to an individual's Protected Health Information. This intersect typically occurs in health care programs and physical ed/sports where PHI may be collected, stored and used by the school.

Where PHI is collected and used (maybe even created) by a school, the school is responsible for publishing a Notice of Privacy Practices (NOPP), and is obligated to protect that information from unauthorized disclosure and use. I do not understand what role Canvas plays in this. The only way PHI can become available for unauthorized disclosure in Canvas is if a teacher or student posts it. This means that this is a teacher training issue. Teachers need to be trained to not post private protected information to be viewable by students, and in how to design assignments that do not require students to make disclosures of their own private information. The only place I can envision this happening is in Discussions when an instructor is asking their students to post confidential information - this should never be done, but is not something Canvas can fix other than by turning off every student submission feature. Every other student submission type can only be viewed by the submitting student and the instructor.

Peer reviewed assignments and TA grading can come into play, but if those folks have a need to access an assignment submission - for example a vaccination history - then that disclosure is covered by HIPAA if it is included in the school's NOPP. Again, not a Canvas issue.

If I have missed some other back door, please let me know.


One more point to keep in mind, Emily.

In the normal course of business, most educational institutions are not covered entities under HIPAA unless they maintain and operate a health care clinic on site - which many, especially in higher ed, do. Also, only seldom are schools considered business associates under HIPAA, but that also happens when a school contracts with a health care provider to provide student health care services. Again, for both of these examples I do not see an intersection with Canvas, unless there is a poorly trained teacher posting protected health care information in a Canvas classroom.

Just to help, I found a great reference about HIPAA and education that you might find useful:  Comparison of FERPA and HIPAA Privacy Rule | State Public Health | ASTHO

Can't wait to hear back from you, so that I can better help you.


We are a dental school and we treat patients on-site. It would occasionally be helpful to list a patient's record number as part of an assignment - because the assignment is "How well did you treat Patient X?"

Hi Emily and thanks for the clarification!

How you use Individually Identifiable Health Information (IIHI), is under your control, and not Canvas', so I am still not sure if this is something Canvas can help with, but based on my further comments below, I hope so. HIPAA does provide for the use of IIHI and PHI for the training of staff and students so you are covered there.

However, there are some things you should be aware of and some holes you should attempt to plug.

  • Because Canvas is cloud-based and your students can access it from anywhere, you are going to have to take steps to limit access from home (off campus) computing devices. I am not certain how this can be done, but I suspect that there are ways to white-list IP addresses and perhaps your best bet would be to talk with your CSM. Perhaps this is a capability Canvas can enable for you, or perhaps one of their tech partners can help you with this.
  • Another thing to keep in mind is that you should only post IIHI or PHI in areas that students cannot copy/print from. This piece is very challenging, because with almost any browser, text can be selected and copied, then pasted anywhere. I am hoping that someone more familiar with the Canvas back-end might be able to come in and offer some great suggestions for this.

In the meantime, I strongly suggest not posting IIHI and PHI on Canvas until these issues can be resolved. Since your students are on-site, provide them in hard-copy with a patient of the week or some such thing, then use that patient for assignments and discussions in Canvas that do not disclose any additional IIHI or PHI. Or, provide a pseudonym for the patient of the week, so that everybody can talk openly about the care provided to Mel Gibson, or Madonna! This might even be fun if you get creative with your pseudonyms.

You could try submitting feature ideas specific to those shortfalls I mentioned above, and especially if you cannot find solutions for those two concerns. Ask for a way to restrict logins to specific IP addresses, and ask for the ability to limit copy/paste/print permissions in Canvas. If/when you post these feature ideas use what I have shared as use-case scenarios to support your ideas as well as your own. I'm not sure how many medical (or related) schools are using Canvas, but I know there are some. In fact, there is a Canvas Medical Schools group you can join at Canvas Medical Schools where others may already be discussing just these issues.

I am following this discussion, and will continue to follow it wherever it leads you to try to be of more assistance if I can. In the meantime you can learn more about how to write feature ideas at How do I create a new feature idea?

Let me know if there is anything else I can help you with.


