
Show HN: HIPAA compliant file storage - jason_wang
We (TrueVault), released our HIPAA compliant file storage today. Our BLOB Store is not a cloud file backup service like Box or Dropbox but instead, it's meant to be integrated with healthcare mobile apps, web apps and wearable devices. During our beta period in December, early adopters are using the BLOB Store to store X-Rays, CT Scans, MRIs, PDFs, scanned medical records, images, and videos.

You can upload, update, delete, and download any binary file via our REST API.

We are also beta testing a browser-to-TrueVault direct file upload and download web form. If you would like to join the beta, please email us at beta@truevault.com

API: https://www.truevault.com/rest-api.html

Blog post about its release: https://www.truevault.com/blog/hipaa-compliant-file-storage.html

Love to get your feedback.
======
res0nat0r
AWS is also HIPPA compliant.

[http://aws.amazon.com/compliance/](http://aws.amazon.com/compliance/)

~~~
trey_swann
TrueVault does more and costs less than AWS. We also save you hundreds of dev
hours.

The HIPAA Security Rule requires appropriate Administrative, Physical, and
Technical Safeguards to ensure the confidentiality, integrity, and security of
protected health information (PHI).

AWS will sign a BAA, but they only cover the Physical Safeguards (e.g.
facility access controls, etc.). TrueVault handles both the Technical and
Physical Safeguards.

With AWS you still need to build your own HIPAA compliant application stack.
The technical requirements include:

- encryption and decryption
- key management
- key rotation
- access control
- unique user identification
- emergency access
- automatic logoff
- audit controls
- mechanism to authenticate electronic PHI
- person or entity authentication
- transmission security
- integrity controls
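
As an added illustration of a few of the Technical Safeguards listed in the comment above (this is a constructed sketch, not TrueVault's code or the regulation's wording): unique user identification, per-object access control, automatic logoff after an idle period, an integrity hash over each stored blob, and an HMAC-chained audit log in which editing or deleting an entry breaks the chain. The key, the 15-minute idle policy, the user and object names, and the sample bytes are all assumptions made for the example; it uses only the Python standard library.

```python
"""Constructed sketch of several HIPAA Technical Safeguards (not TrueVault's code):
unique user IDs, per-object access control, automatic logoff, blob integrity
hashes and a tamper-evident (HMAC-chained) audit log. Standard library only."""
import hashlib
import hmac
import json

AUDIT_KEY = b"constructed-audit-key-not-for-production"  # assumption: lives in a KMS in practice
IDLE_TIMEOUT_SECONDS = 15 * 60  # assumed automatic-logoff policy: 15 minutes idle


class AuditLog:
    """Append-only log; each MAC covers the previous MAC plus this entry's body,
    so removing or altering any entry invalidates every MAC after it."""
    def __init__(self, key):
        self._key, self.entries, self._prev_mac = key, [], b"\x00" * 32

    def record(self, user_id, action, object_id, outcome, now):
        body = json.dumps({"ts": now, "user": user_id, "action": action,
                           "object": object_id, "outcome": outcome}, sort_keys=True)
        mac = hmac.new(self._key, self._prev_mac + body.encode(), hashlib.sha256).digest()
        self.entries.append((body, mac))
        self._prev_mac = mac

    def verify(self):
        prev = b"\x00" * 32
        for body, mac in self.entries:
            expected = hmac.new(self._key, prev + body.encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, mac):
                return False
            prev = mac
        return True


class BlobStore:
    """Sessions keyed by token carry a unique user id and last-activity time."""
    def __init__(self, audit):
        self._audit, self._blobs, self._acl, self._sessions = audit, {}, {}, {}

    def login(self, user_id, now):
        # constructed token derivation; a real service would use secrets.token_hex
        token = hashlib.sha256(f"{user_id}:{now}".encode()).hexdigest()
        self._sessions[token] = (user_id, now)
        self._audit.record(user_id, "login", None, "ok", now)
        return token

    def _authenticate(self, token, now):
        sess = self._sessions.get(token)
        if sess is None:
            return None
        user_id, last = sess
        if now - last > IDLE_TIMEOUT_SECONDS:          # automatic logoff
            del self._sessions[token]
            self._audit.record(user_id, "auto_logoff", None, "idle", now)
            return None
        self._sessions[token] = (user_id, now)
        return user_id

    def put(self, token, object_id, data, now):
        user_id = self._authenticate(token, now)
        if user_id is None:
            raise PermissionError("no valid session")
        self._blobs[object_id] = (bytes(data), hashlib.sha256(data).hexdigest())
        self._acl.setdefault(object_id, set()).add(user_id)   # owner may read it
        self._audit.record(user_id, "put", object_id, "ok", now)

    def get(self, token, object_id, now):
        user_id = self._authenticate(token, now)
        if user_id is None or user_id not in self._acl.get(object_id, set()):
            self._audit.record(user_id or "anonymous", "get", object_id, "denied", now)
            raise PermissionError("access denied")
        data, digest = self._blobs[object_id]
        if hashlib.sha256(data).hexdigest() != digest:    # integrity control
            self._audit.record(user_id, "get", object_id, "integrity_failure", now)
            raise ValueError("stored object failed integrity check")
        self._audit.record(user_id, "get", object_id, "ok", now)
        return data


def demo():
    """Walk through the controls with constructed users/objects; returns outcomes."""
    audit, t0 = AuditLog(AUDIT_KEY), 1_000_000
    store = BlobStore(audit)
    alice = store.login("dr_alice", t0)
    store.put(alice, "xray-001", b"constructed X-ray bytes", t0 + 1)
    readback = store.get(alice, "xray-001", t0 + 2)
    bob = store.login("nurse_bob", t0 + 3)
    denied = logged_off = False
    try:
        store.get(bob, "xray-001", t0 + 4)              # not on the ACL
    except PermissionError:
        denied = True
    try:
        store.get(alice, "xray-001", t0 + 2 + IDLE_TIMEOUT_SECONDS + 1)  # idle too long
    except PermissionError:
        logged_off = True
    chain_ok = audit.verify()
    body, mac = audit.entries[2]                         # tamper with the "get ok" entry
    audit.entries[2] = (body.replace('"ok"', '"denied"'), mac)
    return {"readback": readback, "denied": denied, "logged_off": logged_off,
            "chain_ok": chain_ok, "tamper_detected": not audit.verify(),
            "audit_entries": len(audit.entries)}


if __name__ == "__main__":
    print(demo())
```

The chained MAC is what turns a plain log into an audit control: a single entry can only be rewritten by someone holding the audit key, and the key can be kept out of the application's reach (for instance in an HSM or KMS that only appends and verifies).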

~~~
vonseel
I've been working on a mobile application for doctors and healthcare teams the
past few months. We are a startup and will be going into beta testing with
real users near the end of Q1.

I was interested in your last post on HN, as I've found it nearly impossible
to sift through the bureaucratic cruft of HIPAA, HITECH, HL7, and all the
other standards. A blog post on the topic would be amazing -- "What does
HIPAA-compliant mean?".

The main fear I have about using your service is trusting a brand-new company
for hosting. What reassurances can you provide that relying on you for my
infrastructure will not screw me over if something happens to your company?

~~~
jason_wang
Hey vonseel - we are reaching out to you via email. We can share with you a
few details about TrueVault that'll surely give you confidence.

------
health-techie
First things first, and this is more for the edification of those commenting,
not the group posting, the correct spelling is:

H I P A A

The acronym is the "Health Information Portability and Accountability Act."

Again,

H I P A A

I can't stand how many people misspell it - it exemplifies the fact that
really and truly, people don't care about the regulatory standard enough to
really learn about it ...

Not to hijack the thread, but I'd love to hear people's opinion on this
question:

Which type of data is more important, health data or financial data, and why?

I'll start, financial data is more important than health data. Why? Because we
all use money at least 100+ times a day to get things done - outside of a
doctor's visit health data is virtually worthless.

Outside of obtaining your soc number in a medical record, would you be more
afraid if a person got your bank's routing number, or your insurance ID?

Your credit card number, or the fact that you have erectile dysfunction?

~~~
mattfenwick
An interesting read on this topic at
[http://www.ncbi.nlm.nih.gov/books/NBK9579/](http://www.ncbi.nlm.nih.gov/books/NBK9579/):

"When personally identifiable health information, for example, is disclosed to
an employer, insurer, or family member, it can result in stigma,
embarrassment, and discrimination. Thus, without some assurance of privacy,
people may be reluctant to provide candid and complete disclosures of
sensitive information even to their physicians. Ensuring privacy can promote
more effective communication between physician and patient, which is essential
for quality of care, enhanced autonomy, and preventing economic harm,
embarrassment, and discrimination (Gostin, 2001; NBAC, 1999; Pritts, 2002)."

I disagree with "outside of a doctor's visit health data is virtually
worthless" for the above reasons.

~~~
health-techie
Okay. Thanks for linking to that article. I concede health data isn't
"worthless," but I'd like to get people's personal opinion on which scenario
is scarier:

Target losing the credit card data of 40 million customers, or a dermatology
office losing a USB drive: [http://www.fiercehealthit.com/story/dermatology-practice-fir...](http://www.fiercehealthit.com/story/dermatology-practice-first-be-hit-hitech-breach-penalty/2014-01-03?utm_campaign=AddThis&utm_medium=AddThis&utm_source=twitter#.UswqvlK4CmA.twitter)

A malicious party getting access to my banking data I feel is more scary than
knowing my co-workers are teasing me because of my erectile dysfunction.

Disclosing important health data to a person's employer, insurer, law
enforcement etc, is a health data stewardship and education problem, not a
256-bit secure socket layer, 1048-bit RSA key-encryption problem, IMHO.

~~~
thetylerhayes
I think it may be helpful to break perceptions of health data into at least
two camps:

1. Societal stigma: this may not be something you agree with but it's just
something that exists. People in the U.S., for whatever reasons, for right or
wrong, feel like they should be protective about their health data, even if
there's nothing potentially damaging or embarrassing in the data. It could be
an ingrained feeling trained in them from years of visiting doctors who never
gave them access to their data or it could be a learned response from watching
CSI. Whatever the cause, societal stigma to by default be very protective of
your health data is a real thing in the U.S. (I'm not saying they're
necessarily more protective of health than financial data, but pointing out
that stigma towards health data on its own is at least a thing.)

2. Legitimate fears: I think if you changed your example away from erectile
dysfunction this would be more apparent. There are 133MM chronic illness
sufferers in the U.S. so let's use a different, very common example:
congestive heart failure. If you're 45 years old and trying to apply for a job
and your potential employer finds out you have CHF it's very possible (in an
unregulated environment) they'd consider not hiring you because you have a
high risk of missing work or even dying. Or imagine you're a CEO of a powerful
company and someone leaks the fact that you have pancreatic cancer — what
would happen to your company's shares, let alone your employees' morale? This
doesn't even get into the notions of genetic discrimination, which is already
a real thing:
[http://scholar.google.com/scholar?q=employment+genetic+discr...](http://scholar.google.com/scholar?q=employment+genetic+discrimination&hl=en&as_sdt=0&as_vis=1&oi=scholart&sa=X&ei=937RUseQMcXEoASO6IGIBg&ved=0CDkQgQMwAA)

EDIT: Also thanks for mentioning HIPAA spelling. I twitch every time I read
HIPPA.

------
quickpost
Awesome work! I have a nascent project in the healthcare space and I will
definitely consider using this for all HIPPA related issues.

One tidbit - will you have some kind of "HIPPA Compliant" image that can be
placed on partner sites using your API? Sort of like the "Secured by VeriSign"
graphic that shows up on eCommerce sites to give the end user more trust that
their data is secure, etc.

~~~
ceejayoz
"Secured by VeriSign" style badges are pointless advertising for the vendor.
I'd love to see an A/B test with them that _isn't_ sponsored by the vendor -
they all tout conversion with internal tests that could easily be biased.
Given that I can just grab the image and slap it on any old website, they
offer no benefits.

~~~
larubbio
I thought the same thing as you and had the same reservations when a marketing
exec asked me to put one on the purchase page for a startup I used to work
for. I was shocked when the A/B test we ran showed a lift. I wish I had more
details but this was about 5 years ago.

I think people just want some assurance, even if it isn't backed by anything
they understand, that shows them that a decision they really want to make is
ok. Putting a shiny badge that says it is safe is enough to sway some people.

------
gamedna
Per their site: "Example monthly cost:

If WebMD Answers was a TrueVault customer, their monthly charge would only be
$1,604. Here's the breakdown: WebMD Answers has 5,036,000 questions, so that's
5,036,000 JSON documents stored. According to Alexa, they have 1,042,705 page
views a month, so that's 1,042,705 requests. And presto, $504 + $1,100 =
$1,604/mo."

To save money WebMD should store their json documents as compressed binary
objects and get way more than 10k documents per $1.

~~~
jason_wang
That's absolutely okay with us.

Though the developers at WebMD team may not be very happy if every piece of
data is stored in a compressed BLOB. For each record lookup, you'll have to
retrieve the entire compressed binary object, decompress it, find the record
you need from some kind of a data structure. And if you are updating a record,
you'll have to do all that, plus send the compressed binary object back.
Performance _might_ be an issue :)

All kidding aside, our system is optimized for fast lookup of secure data. For
a site as popular as WebMD, our JSON Store really is the way to go.

------
sargun
How is TrueVault better than AWS?

~~~
trey_swann
Our customers are typically deciding between using TrueVault or a HIPAA
compliant hosting provider. The customer is facing a build vs. buy decision.

The HIPAA Security Rule requires appropriate Administrative, Physical, and
Technical Safeguards to ensure the confidentiality, integrity, and security of
protected health information (PHI). AWS, FireHost, and Rackspace are great!
But, HIPAA compliant hosting providers like these only provide a HIPAA ready
environment. They will sign a Business Associate Agreement (BAA), but they
only handle the Physical Safeguards mandated by HIPAA. If you use a HIPAA
compliant hosting provider you still have to spend months developing a HIPAA
compliant application stack within that environment.

In contrast, TrueVault provides all client-side and server-side
functionalities required by HIPAA, and works just like any other API service.
The typical TrueVault integration takes days and saves months of development
time.

Plus, if you want AWS to sign a BAA you need to use dedicated instances and
each instance hour is 10% more than the standard fee. So your meter starts at
$1,500/month if you want to become HIPAA compliant with AWS. FireHost starts
at $1,115/month and you are charged a $250 premium for each HIPAA ready
instance.

~~~
rpedela
"In contrast, TrueVault provides all client-side and server-side
functionalities required by HIPAA"

Maybe I am misunderstanding, but you seem to be saying that a customer's
application is automatically HIPAA compliant by using TrueVault. I get that
you take care of the HIPAA storage piece, but how do you make their entire
application HIPAA compliant?

------
me2718000
HIPAA is actually a pretty fuzzy, nonspecific standard. As long as you take
'adequate' technical/physical/administrative safeguards you are basically
fine.

Literally a sealed envelope (when dealing with paper documents) satisfies all
three.

~~~
killnine
Would you be so kind as to expand on 'adequate' safeguards that make
'basically fine'?

------
aptxkid
BTW, Box is HIPPA compliant

~~~
jason_wang
Box is HIPAA compliant, but:

Box is cloud backup for files on your computer.

TrueVault is an application backend that mobile apps and web apps are built on
top of.

We have customers switching from Box to TrueVault because 1) our API is
specifically designed to be called from a mobile/app rather than targeted for
file backup use cases and 2) Box has a user based pricing that doesn't make
sense if you are building an app rather than backing up files.

------
jhgg
A company I work with are looking into using TrueVault's document store to
keep PHI off of our servers, however TrueVault still does not fulfil the
requirements of our application. More specifically multiple document get &
document search.

Other than that, the team over at TrueVault is extremely friendly, reasonable
and nice to work with.

~~~
trey_swann
Thank you for your kind words!

Search functionality will be released by the end of January.

------
matthewmacleod
I don't quite get the USP here. S3 is also HIPPA compliant, and costs < 10% as
much.

~~~
interstitial
Well, according to much of Branding/USP theory, focus is a good starting point
for a USP. The other providers (S3, box, etc) may also be HIPPA, but this
company is driving the point home -- we only do HIPPA. I have no idea if this
is a strong enough differentiation, just pointing out it's not necessarily
anti-USP. And price is never a factor in government-compliance and government
contracts.

------
peterjliu
Seems like they're running out of an apartment unit:

TrueVault 801 Church St. #1328 Mountain View, CA 94041

~~~
trey_swann
Dell "Beginnings" [http://youtu.be/Ja61fxmY77Q](http://youtu.be/Ja61fxmY77Q)

------
tzs
How does HIPAA compare to PCI? Is it easier or harder or about the same
difficulty?

~~~
daigoba66
The difference is that PCI DSS is an industry developed and maintained
standard. HIPAA is a piece of legislation that created rules around privacy
and security (and a lot of other things). There are some standards outlined in
the rule. But there is no agency in place to perform validation or audits, and
as such being "compliant" doesn't mean much outside of how much you trust the
entity. But the penalties are very real, and very severe. Working for a small
healthcare IT software company, we take HIPAA very seriously.

------
jkresner
This looks great!

------
joshgel
much needed service

