
TrueVault – HIPAA compliant data storage - skram
https://www.truevault.com/index.html
======
haldujai
I don't quite see the reason for this with the cloud. Amazon has a whitepaper
on AWS with HIPAA and I've seen some startups give presentations about their
implementation in the AWS conference.

There's some misinformation on your website: "HIPAA compliance is costly and
hard to get right." It's not. It's almost cheaper to sign an EA with Microsoft
and use Azure (who by the way also sign a BAA) than your pricing. I also
couldn't find any mention of what redundancy you use or any mention of uptime.

HIPAA compliance is basically encryption + access control + logs + redundancy
with a few other simple features. All of which are easily accomplished with
AWS or Azure. BAAs between you and your hosting provider are _not_ necessary
unless you have access to the PHI (Amazon doesn't, Azure does).

The biggest red flag to me is that this doesn't (as one might assume) absolve
the developer from liability / responsibility. If it were to come to light
that your business is (I don't think any of these things about you)
corrupt/poorly run/hacked/breached/etc. the developer is then liable to
immediately remedy the situation which may include being required to move
elsewhere. That would be a huge disruption to any service as they would have
to build a system from scratch while somehow still operating. This would be
the only reason I would switch my apps from AWS to your service but
unfortunately this is not the case. The fact also remains any HIPAA violation
would be more likely in the implementation of the webapp (i.e. allowing images
to be cached) and not in the storage of it. Leaks of encrypted PHI aren't even
an issue with HIPAA.

You have the issue of being new and without a reputation while I can still be
liable for your mistakes. While you have insurance it's not really feasible to
sue someone as a startup. Anyone not a startup would find your pricing way too
expensive.

Amazon whitepaper: [https://aws.amazon.com/about-aws/whats-new/2009/04/06/whitep...](https://aws.amazon.com/about-aws/whats-new/2009/04/06/whitepaper-hipaa/)
re:Invent presentation: [http://www.slideshare.net/ControlGroup/aws-reinvent](http://www.slideshare.net/ControlGroup/aws-reinvent)

TL;DR: BAAs do not remove liability, HIPAA compliance isn't nearly as complex
as other regulatory bs, AWS and Azure are both easily made HIPAA compliant.

~~~
jason_wang
Howdy -

We think of ourselves as Parse for healthcare sites/apps/devices.

One can absolutely build their own Parse to power their own stack, but it may
not be time/resource effective. Behind the scenes, among other things, we
provide unique object encryption and automatic object re-key and re-encryption
-- mechanisms one would have to custom build for a homegrown HIPAA
environment (even on AWS).

We make sure the Protected Health Information our customers collect is always
in compliance with HIPAA despite the ever changing healthcare regulatory
landscape.

But you are absolutely right. We do not absolve the developers/covered
entities from all HIPAA liabilities and responsibilities. We just take care of
one aspect of HIPAA so they can focus on other things.

------
res0nat0r
FYI:

HIPAA & PCI

TrueVault is in the process of being audited by a third-party auditor. We will
soon be verified to be HIPAA compliant for the HIPAA technical safeguards.
TrueVault will go through PCI Service Provider Level 1 certification soon
thereafter. Feel free to contact us for details.

[https://www.truevault.com/documentation.html](https://www.truevault.com/documentation.html)

~~~
dekhn
There is no such thing as "HIPAA compliance".

Also, do they sign BAAs?

~~~
jason_wang
Hi - Yes, TrueVault does sign a BAA. We also carry a comprehensive cyber
liability insurance that covers any post-breach costs and regulator fines
(hopefully it'll never come to that).

~~~
debacle
Do you add clients as named insureds on that coverage?

If not, it's not really worth the paper it's printed on for your clients.

~~~
jason_wang
We will on a case by case basis. But there are other contractual
indemnification options as well. Ping us and we can tell you all about it.

------
david_shaw
HIPAA, unlike many other compliance standards, cannot be "certified." This can
lead to certain levels of open interpretation, but best practices are
generally agreed upon.

Products like TrueVault provide excellent value, but security awareness
training is the golden key to improve an organization's information security
posture.

For an example of what I mean, consider the following scenario:

- Patient data (called Protected Health Information, or PHI) is stored
securely in a TrueVault database. This database is accessible only from the
hospital, and TrueVault has signed a BAA with the covered entity.

- A surgeon is prepping a kidney transplant for patient John Smith. The
surgery is tomorrow morning, and Dr. Goofböl wants to make sure he's familiar
with the patient's medical history.

- Dr. Goofböl, an authorized viewer of this patient's PHI, accesses the data
and begins to take notes. A new batch of PHI is now being created, as it
contains medical information as well as identifying information of the patient
(say, his name).

- Dr. Goofböl emails this document to himself (whether his work or personal
email address -- it doesn't really matter), and goes home for the night.

- Dr. Goofböl stops at a nice coffee shop on his way home, and his personal
laptop (without full-disk encryption) is stolen. The data is lost, and cannot
be accounted for.

My company provides HIPAA Security Risk Assessments, and I've seen _this exact
scenario_ play out many times, albeit with other "HIPAA compliant storage"
solutions, rather than TrueVault. There is absolutely a place for secure
products like this, but security awareness training and the true gravity of
identity theft and information loss _needs_ to be ingrained in the medical
industry.

"Security" for a hospital used to mean protecting doctors and patients from
intruders (or mentally unstable patients). It used to involve burly men in
white clothes; they're not used to thinking about where their information is
traveling. Furthermore, the government is mandating that electronic health
information be available to patients through web-based patient portals, which
introduces a whole different level of potential vulnerabilities.

I truly believe that the healthcare technology industry is going to be one of
the most booming sectors of the next decade, but there are major changes that
need to occur to facilitate that. Hospitals need better IT infrastructures,
more attention needs to be paid to security, and better tech personnel need to
be brought into these environments. Only then can the next generation of
healthcare technology truly succeed.

~~~
chacham15
In your theoretical scenario, the doctor himself violated HIPAA when he
emailed himself the document. He exposed the document to his email provider
and all those along the transport path of the email. So, to agree, technology
can only do so much, you have to use it correctly.

~~~
pak
If the email server was provided by his workplace, then it was likely secured
and HIPAA compliant. Most hospital email services are. Once the file is on his
hard drive, most hospitals will require that the user use some kind of
encryption if it contains PHI. They enforce this by training and
recertification procedures every year or so.

~~~
NovemberWest
When I worked at an insurance company, emailing certain things was a huge
no-no. So I doubt that.

------
teleclimber
Interesting product. It is certainly needed.

But if I understand correctly it is a data backend, right? So if there is any
sort of web-based dashboard to accompany the app, and the PHI data has to be
passed on to a server to display the dashboard then that server will have to
be HIPAA compliant too, which brings the developer back to square one?

~~~
jason_wang
Hello - We are developing a library of JavaScript UI controls our customers
place on their site to display protected content that's pulled directly from
our server. We'll have display widgets as well as input widgets/forms like
sign-in, sign-up, etc.

They are very much like Stripe's checkout JS form.

------
dr_
HIPAA compliance is a hugely important issue when it comes to developing
medical applications. I think it's important to point out here that Box is now
also apparently HIPAA compliant and signs BAA. Still, there's room for a
product that's easy to use and focuses purely on maintaining compliance.

Given how important this is, however, I would think the creators of the
product would put some information about themselves and their backgrounds up
on their site. It seems that's not done as much anymore with startups, but
given they are a new company offering security of healthcare data, I think
potential users would like to know.

------
christiangenco
I can't quite figure out why a HIPAA compliant data storage service is a big
deal...

Isn't this just a thin encryption layer on top of Mongo? I feel like I could
replicate this in ~100 lines of Node.

~~~
jason_wang
It's a few more lines of code more complicated than that :)

In all seriousness, we can give a talk on software security, encryption
algorithms and network security with the setup we've created. To do it right,
every system in our platform is segregated where one system doesn't see
another, through software and network level security. Plus every piece of data
is uniquely encrypted with rotating keys (that are kept isolated from the
encrypted data). The level of security is like the Secret Service vs. Paul
Blart the mall cop.

We are in the middle of writing a blog post about how we harden our platform.
Stay tuned.

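The per-object encryption with rotating keys held apart from the data, which jason_wang's replies above describe (the Parse comparison mentioning object re-key, and the "uniquely encrypted with rotating keys" reply), sketched as envelope encryption in Ruby's standard OpenSSL library. This is an added illustration, not TrueVault's code; the module and method names, the record layout and the in-memory key store are assumptions.

```ruby
require 'openssl'
require 'securerandom'

# Constructed envelope-encryption sketch: each object gets its own DEK, the DEK
# is wrapped by a versioned KEK held in a separate store, and KEK rotation
# re-wraps only the DEK while the object ciphertext stays untouched.
module Envelope
  CIPHER = 'aes-256-gcm'

  # AES-GCM with the object id as associated data, so a wrapped DEK or body
  # cannot be silently moved to a different object id.
  def self.aead_encrypt(key, plaintext, aad)
    c = OpenSSL::Cipher.new(CIPHER).encrypt
    c.key = key
    iv = c.random_iv
    c.auth_data = aad
    ct = c.update(plaintext) + c.final
    { iv: iv, ct: ct, tag: c.auth_tag }
  end

  # Raises OpenSSL::Cipher::CipherError when key, tag or aad do not match.
  def self.aead_decrypt(key, blob, aad)
    d = OpenSSL::Cipher.new(CIPHER).decrypt
    d.key = key
    d.iv = blob[:iv]
    d.auth_tag = blob[:tag]
    d.auth_data = aad
    d.update(blob[:ct]) + d.final
  end

  # Stand-in for the isolated key store: KEKs live here, never beside the data.
  class KeyStore
    attr_reader :current_version
    def initialize
      @current_version = 1
      @keks = { 1 => SecureRandom.random_bytes(32) }
    end
    def rotate!
      @current_version += 1
      @keks[@current_version] = SecureRandom.random_bytes(32)
    end
    def kek(version)
      @keks.fetch(version)
    end
  end

  def self.seal(store, object_id, plaintext)
    dek = SecureRandom.random_bytes(32) # fresh key per object
    kv = store.current_version
    { id: object_id, kek_version: kv,
      wrapped_dek: aead_encrypt(store.kek(kv), dek, object_id),
      body: aead_encrypt(dek, plaintext, object_id) }
  end

  def self.unseal(store, rec)
    dek = aead_decrypt(store.kek(rec[:kek_version]), rec[:wrapped_dek], rec[:id])
    aead_decrypt(dek, rec[:body], rec[:id])
  end

  # After rotation: unwrap under the old KEK version and rewrap under the
  # current one; the body is reused, so bulk data is never re-read.
  def self.rekey(store, rec)
    dek = aead_decrypt(store.kek(rec[:kek_version]), rec[:wrapped_dek], rec[:id])
    kv = store.current_version
    rec.merge(kek_version: kv, wrapped_dek: aead_encrypt(store.kek(kv), dek, rec[:id]))
  end
end
```

Full re-encryption of an object (the "re-encryption" jason_wang also mentions) is `seal` again with a fresh DEK; the point of the split is that routine KEK rotation does not require it.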
~~~
christiangenco
Noted. I'll be looking out for it!

------
rsync
Do you build and run your own infrastructure, or are you built on top of
existing cloud infrastructure ?

(genuinely curious)

------
klhenry
There is actually a lot more to HIPAA compliance than what you see on the back
end of your application. You have to do Risk Assessments annually, assign a
Privacy Officer, have policies & procedures in place, implement employee
training, and execute Business Associate Agreements with anyone you share PHI
with.

These administrative parts are frequently forgotten when implementing a HIPAA
compliance program.

Disclosure: my startup, Accountable, automates this process.
[http://www.accountablehq.com](http://www.accountablehq.com)

------
peterwwillis
I always find it funny how more money is spent on audit tools like this, and
yet people get no training in HIPAA, so they _e-mail_ spreadsheets of social
security #s and medical records to 3rd parties, to say nothing of dropbox and
pastebin. Most people would shit themselves if they knew all the violations
that go unreported.

~~~
phren0logy
>and yet people get no training in HIPAA,

WHAT!?! I'm a physician, and to my lament I have to do HIPAA training over and
over and over and over... Just like everyone else everywhere I've ever worked.
Yes, we get plenty of HIPAA training. There are still breaches, of course, but
your statement is just plain wrong.

~~~
peterwwillis
Okay, perhaps they just blatantly ignore their training? In which case they
probably need to fix the training, or something. Are you sure all the
personnel that work for the hospital system (or private practice) get HIPAA
training? There's plenty that work with sensitive data that aren't physicians.

~~~
phren0logy
Yes, everyone that touches protected data gets the training. I'm sure there
are some hospitals/offices that don't but that's got to be pretty rare. I
imagine most of the breaches are not due to overt ignorance, but due to poor
application like not understanding the level of security provided by some
means of transmission, or knowing but doing it anyway because it's convenient.

------
skram
OP here.. I created a quick little Ruby library for interacting with
TrueVault's REST API:
[https://github.com/marks/truevault.rb](https://github.com/marks/truevault.rb)

------
zeckalpha
Does anyone know of a HIPAA compliant PaaS (other than building it yourself)?
I'd like to run stuff for work on Heroku, but they don't claim any compliance
last I checked.

------
jpb0104
I'd love to learn more about HIPAA compliance and web applications. Any good
resources out there? From a developer's standpoint HIPAA feels like a lot
of grey area.

~~~
daigoba66
HIPAA is more about policy than it is about any specific technology or
standard. And most of it is good practice for many applications, from a
privacy and security perspective, not just healthcare.

Start here:
[http://www.hhs.gov/ocr/privacy/hipaa/understanding/covereden...](http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/index.html)

Then this:
[http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/i...](http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html)
and this:
[http://www.hhs.gov/ocr/privacy/hipaa/understanding/srsummary...](http://www.hhs.gov/ocr/privacy/hipaa/understanding/srsummary.html)

~~~
jlgaddis
Thanks for these links. I'm currently building a network to connect several
medical facilities together and, while I don't think I have to be too
concerned w/ HIPAA, this stuff is good to know. I've bookmarked those pages
and will be reading through all of them over the weekend.

------
hippaway
Hmmm, it made me realize that I may be on the verge of breaching the HIPAA
laws. I'm developing an app on Google App Engine (which afaict won't sign a
BAA); this app will help users with storing and interpreting their data (some
of which may be considered health data, like all the biometric data). Does
anyone know if I have to comply with HIPAA in spite of not being a health
provider myself?

~~~
jason_wang
Take a look at this article:
[http://www.hhs.gov/ocr/privacy/hipaa/understanding/covereden...](http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/De-identification/guidance.html)

The definition of who needs to comply with HIPAA has more to do with who has
contact with protected health information and less about who the company is
(e.g., a hospital or not).

~~~
hippaway
This document has some bullshit example: Identifying users by zipcode and
gender? huh?

"Imagine that a covered entity is considering sharing the information in the
table to the left in Figure 3. This table is devoid of explicit identifiers,
such as personal names and Social Security Numbers. The information in this
table is distinguishing, such that each row is unique on the combination of
demographics (i.e., Age, ZIP Code, and Gender). Beyond this data, there exists
a voter registration data source, which contains personal names, as well as
demographics (i.e., Birthdate, ZIP Code, and Gender), which are also
distinguishing. Linkage between the records in the tables is possible through
the demographics. Notice, however, that the first record in the covered
entity’s table is not linked because the patient is not yet old enough to
vote."

~~~
sp332
It's not bullshit. Here's the paper from 2000:
[http://dataprivacylab.org/projects/identifiability/paper1.pd...](http://dataprivacylab.org/projects/identifiability/paper1.pdf)
From the abstract: _87% (216 million of 248 million) of the population in the
United States had reported characteristics that likely made them unique based
only on {5-digit ZIP, gender, date of birth}._

~~~
hippaway
The date of birth is not cited in the example. Only the age. Seems like a
stretch of an example to me.

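The record linkage that the HHS guidance quoted above and sp332's Sweeney citation describe, together with hippaway's objection that age is weaker than a date of birth, as an added Ruby example that is not part of the thread or of the linked documents: it measures k-anonymity under a quasi-identifier projection and attempts the voter-roll join on constructed rows. Every row, name and the reference year are invented.

```ruby
REF_YEAR = 2013 # fixed reference year so computed ages are reproducible

# "De-identified" release: no names, but DOB, ZIP and sex retained (constructed).
PATIENTS = [
  { dob: '1975-03-14', zip: '02138', sex: 'F', dx: 'asthma' },
  { dob: '1975-09-02', zip: '02138', sex: 'F', dx: 'diabetes' },
  { dob: '1982-06-21', zip: '02139', sex: 'M', dx: 'migraine' },
  { dob: '2009-07-19', zip: '02139', sex: 'M', dx: 'asthma' }, # minor, not a voter
]

# Public voter roll: names plus the same demographics (constructed).
VOTERS = [
  { name: 'A. Doe', dob: '1975-03-14', zip: '02138', sex: 'F' },
  { name: 'B. Roe', dob: '1975-09-02', zip: '02138', sex: 'F' },
  { name: 'C. Poe', dob: '1975-12-01', zip: '02138', sex: 'F' },
  { name: 'D. Moe', dob: '1982-06-21', zip: '02139', sex: 'M' },
]

def age_of(row)
  REF_YEAR - row[:dob][0, 4].to_i
end

# Quasi-identifier projections of decreasing precision.
BY_DOB    = ->(r) { [r[:dob], r[:zip], r[:sex]] }
BY_AGE    = ->(r) { [age_of(r), r[:zip], r[:sex]] }
BY_DECADE = ->(r) { [age_of(r) / 10 * 10, r[:zip], r[:sex]] }

# Size of the smallest equivalence class under a projection.
# k == 1 means at least one row is unique on those quasi-identifiers.
def k_anonymity(rows, proj)
  rows.group_by(&proj).values.map(&:size).min
end

# Linkage attempt: for each released row, the voter names sharing its
# quasi-identifiers. One name is a re-identification; several is ambiguity;
# none is the "not old enough to vote" case from the HHS text.
def link(patients, voters, proj)
  index = voters.group_by(&proj)
  patients.map { |p| index.fetch(proj.call(p), []).map { |v| v[:name] } }
end
```

Coarsening DOB to age, as hippaway notes, turns two exact matches into a three-way ambiguity here, but the lone 31-year-old male in his ZIP is still linked, and even the decade bucket leaves k at 1: generalisation only helps when the population behind each combination is large.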
------
rdl
Could we get more tech details than are on the website? Specifically around
HITECH.

The box with logos makes me feel uncomfortable from a trademark perspective,
btw.

------
arthulia
I don't know how this stuff is handled normally, but is nobody uneasy about
storing HIPAA protected data in "the cloud"?

~~~
rxl
I understand your concern, but these days, cloud or no cloud isn't what's
important, just that you use a data store in a HIPAA compliant fashion and
that the provider will sign a BAA. Health tech startups these days are using
AWS, Azure, and Rackspace, all of which will sign BAAs.

------
bowlofpetunias
Companies like TrueVault can pretty much forget about expanding outside the US
after the NSA scandal.

Their target market is already writing the policies and protocols to ensure
that for the next few decades no bit of data ends up anywhere near US
jurisdiction.

------
piqufoh
I hope this includes the HIPAA NSA backdoor.

~~~
jessaustin
I've probably shoveled more fuel on HN's NSA fire than most, but how do you
think _health records_ are related to anyone's NSA threat model? Are there
health conditions that will prompt a visit from the black-bag squad?

~~~
jjoonathan
They aren't any more related to their threat model than anything else they're
vacuuming up but that doesn't mean they don't want them. All it takes is one
known terrorist with a known illness / rare treatment and "wouldn't it be nice
to have this access" becomes "we need this access NOW" becomes "we will take
the access, now and forever into the future, and there's nothing you can do
about it."

Also, perhaps terrorist networks target people with terminal illnesses and
nothing to lose? Or perhaps the FBI is worried that someone who has been
denied treatment in the US will turn terrorist all on their own. We have a
large population that has been wronged by the system and has nothing to lose,
I think the FBI wants to keep an eye on them. I know, FBI!=NSA, but the whole
"parallel construction" deal shows exactly what they think about separation of
powers: at least a few of them see it as an obstacle to overcome, not as a
safeguard against abuse. And a few people is enough to do all the damage in
the world.

Also, let's not forget there's a heavy financial incentive for individuals
with access to such a database to sell the info to insurance companies. It
follows that such individuals then have a motive to push for the establishment
of such a database. They could launder the info into some "proprietary
liability metric" which they would be able to sell for loads of money. I don't
know what internal checks they put in place after Snowden but they can't be
perfect. Any shadow copy of your health records increases your exposure and
provides an opportunity to the unscrupulous if the records can be accessed in
aggregate.

~~~
jessaustin
I have to admit that these are plausible scenarios. However, most regular
citizens (I know, lots of horrible arguments start out with that phrase) would
be harmed more by the spooks turning communications about legal gray areas
over to prosecutors than to anyone in the government knowing about their gout
or depression or whatever. (Sure some people are worried about "Obama's Death
Panels" but if such ever appear I'm pretty sure they'll have access to your
health records anyway.)

In your last scenario, the "bad" agents only win if they can sell the service,
but keep secret the inputs to that service. I'm sure they can do that in the
short term, but it's quite likely that eventually a salesweasel will speak a
bit too freely in a semi-public forum and the whole scheme will unravel. After
all, other government agents would be pissed off, if only out of jealousy.