Separate PHI from PII?


New member

I am a software developer. I'm new to the forums and have some questions. Any help would be greatly appreciated.

I have inherited a web app that is intended to facilitate data collection by in-house researchers for an internal R&D project involving a medical device we are developing. I'm not deeply familiar with HIPAA compliance. The code base/ app architecture was presented to me by the former devs as 'HIPAA-ready' meaning it is not properly audited but was designed not to be cost prohibitive to bring into HIPAA compliance at a future date (we are not US based but want HIPAA compliance later on). A key part of that readiness was presented to me as the separation of PHI from PII into two unique databases on HIPAA compliant services (MongoDB and Salesforce) with a unique identifier for each subject that allows properly authorized users connecting PII to PHI when the need arises. I have been asked to replace the Salesforce service with a different service of my choosing without negating any HIPAA 'readiness'. We are small scale at the moment so expensive enterprise grade solutions are not relevant.

1. Is it in fact required for HIPAA compliance to have such separation? Can you provide a reference for the relevant HIPAA regs?
2. If it is required, are you aware of any HIPAA compliant database services that are small scale friendly?
3. Can I use two separate accounts on the same HIPAA compliant service? It is difficult to find HIPAA compliant low scale database services, and the path of least resistance code wise for me would be to just use MongoDB for both PHI and PII.

Again, thank you very much for your help.
Last edited:
$900 Gets You HIPAA Security + 23-Point SEO Checkup - Learn More