

Aptible (YC S14) Handles the Hard Parts of HIPAA Compliance - gwintrob
http://techcrunch.com/2014/08/05/backed-by-yc-and-rock-health-aptible-handles-the-hard-parts-of-hipaa-compliance/

======
chasb
Hey everyone! We did a Show HN last week [0], and are happy to answer any
questions you have here. We're also on the Olark widget if you want to chat
directly.

- Chas

[0] https://news.ycombinator.com/item?id=8086431

~~~
josephpmay
Any plans to support Windows stacks?

~~~
chasb
We're exclusively Linux at the moment, sorry.

------
Oculus
Out of curiosity, how hard is it to become HIPAA compliant?

~~~
rficcaglia
It is easy to assert you are HIPAA compliant, but more work to actually
demonstrate it.

Most requirements overlap with PCI (having built both banking and healthcare
systems, PCI is much more demanding, if still superficial).

The hardest part is paperwork and staff procedures.

The most expensive part, and I am not sure if this solution addresses this, is
that every single hospital customer I have insists on a totally independent 3rd
party audit. What that entails is totally arbitrary, but it costs ~25-50k per
year. They would not, for example, take the internal audit of the vendor
providing HIPAA compliance as sufficient. However, if the vendor also provided
an audit by an external party, I suspect that would work.

Be sure this or any other vendor is willing to sign a BAA with you specific to
each customer.

~~~
semerda
Well said!

Just to add a few more points. On the technology side you want to make sure
you have data encrypted "at rest" and "in transit", i.e., at rest means things
like running AES-encrypted drives for your DB data storage. AWS has docs &
case studies on this and is HIPAA compliant. Just don't use RDS; it isn't
HIPAA compliant yet.

