HIPPA compliance

For those who require HIPPA compliance, what steps do you take to ensure security?

We follow the obvious steps:

  • Never include production data in any collections.
  • Store any sensitive information in environments.
  • Only use the current value in our environments. (as current values dont get synced to the cloud)
  • Disable “automatically persist variable values”.
  • Don’t save responses

Any other safety tips?


I would add to this: don’t save responses as examples, since they will be synced:


If you are hitting a test environment why cant you save responses? This is to assist people learning the api… what does this have to do with hippa…?

Postman gets used to test in production. If you never use it in Prod it should be fine to save responses.

This is a great list.

How about for the times if we run requests against production data, does Postman keep that information at its servers? I went to their information page on what data is being collected (below), and it is not clear if the requests or the response contents are collected and stored:

It could very well be the case, implied by this section that seems to cover everything:

Information you provide to us

We collect information about you when you input it into the Services or otherwise provide it directly to us.

Account and Profile Information:…

Content you provide through our products: The Services include the Postman products you use, where we collect and store content that you create, send, receive and share. This content includes any information about you that you may choose to include: we collect feedback you provide directly to us through the Services; and we collect clickstream data about how you interact with and use features in the Services.