HIPAA Compliance


NBI Health offers customers health news and information in addition to a personalised line of supplements and vitamins in addition being a full-service medical practice.


In order to better serve their customers and assist in providing the right products and services, they wanted to be able to offer booking and reporting of laboratory tests right on their website. They had already found the right service provider to administer the tests and needed an integrated, Health Insurance Portability and Accountability Act (HIPAA) compliant solution to be developed for their website.

See it live!

The challenge:


NBI Health wanted to offer a clean, intuitive interface that was on-brand while also ensuring the highest level of data-protection possible.


HIPAA requires all electronic Personal Health Information be rigourously protected both at rest and during transmission, restricting authorized access to only those that are providing care or service and all contractors and service providers in the chain of custody must be certified as having completed both Awareness and Security training as well as be bound by a Business Associate Agreement.


The technical skill and industry-specific requirements for this project made it especially unique.

Our solution:


The merchant's existing Shopify store was used as the base for this build. A new product template was created using the merchant's brand guidelines and providing a ton of additional information organised into collapsible sections. The content model was designed to be for the merchant to be independent when adding or updating their lab test catalog.


A testing site search page was developed and connected to their service provider's API, testing locations including hours of operation and contact information by zip code.

ePHI handling


Each laboratory test being ordered needed test subject information attached, but the subject's personal information is considered electronic Personal Health Information and cannot be transmitted in the clear nor saved on the e-commerce platform as access cannot be strictly controlled nor monitored and customer service agents must not be allowed access to protected data.


Our solution was to use asymmetrical RSA-2048 encryption on all ePHI. Using the exposed Public Key, data was encrypted in the client's browser and attached to the cart before being transmitted to Shopify for payment.

Custom requisitions and results


Once the order has been paid, a webhook listener configured in a HIPAA compliant Microsoft Azure data center receives a copy of the Shopify order, including the encrypted ePHI. Using the securely stored Private Key. the data is decrypted and sent to the service provider to confirm the laboratory test order. within moments, the service provider responds with a confirmation.


Using the confirmation data, a requisition form is generated using a custom template with NBI Health branding, which the subject will take with them to the testing facility.


Once the testing is complete and results are available, a notification is sent to the subject where, if consent was given during the ordering process, a copy of their test results are attached using a custom NBI branded template. If data-transmission consent was withheld, the subject is notified that their results are available, and directed to the Customer Account section of the merchant's site to download.

The result

Core features included

HIPAA Compliance

Data security and HIPAA compliance are at the forefront of every design and engineering decision. SSL & TLS is used for all data transmission and asymmetrical RSA-2048 Public Key encryption ensures data security at rest and in transit.

360-degree customer experience

Supporting the customer before, during and after the laboratory test, interface design and feature implementations provide the customer with important information and secure access to forms and results.

Custom branded reporting

Laboratory test requisitions and results are delivered to the subject using custom branded documents in PDF format. Subjects are in control of consent for data transmission and consent can be updated at any time.

API Integration

A custom test center search page allows customers to quickly find the nearest test center and all data transmission happens behind the scenes between Shopify and the service provider via a HIPAA Compliant Microsoft Azure data center.

Powered by Shopify

Developed and deployed natively for Shopify, a custom product template, receipt and laboratory test document downloads and custom order forms are built directly into the theme to deliver an optimal customer user experience.

Unique customer experience

With this unique service offering, NBI Health differentiates themselves from other health service and product providers, strengthening their brand, increasing revenues and improving overall customer satisfaction.

Offer a custom service or product on your website

Send message