
Ask HN: How to develop a HIPAA compliant app? - boltzmannbrain
Building a mobile application that will communicate personal health data between the user and a cloud service, what regulatory measures need to be taken?

The data is "protected health information" (PHI), so the app + cloud service definitely need to be HIPAA compliant. What all needs to be done to make sure the system I build passes the grade, and how would I get the system officially certified? What about FDA approval (if the PHI includes medication info)?

I've seen a few helpful sources of info like [1, 2], but is there a comprehensive checklist of requirements and best practices that I haven't come across? Given what's at stake and the repercussions I don't want to leave any stone unturned!

[1] https://aws.amazon.com/quickstart/architecture/compliance-hipaa/
[2] https://www.peerbits.com/blog/hipaa-compliance-mobile-app-development.html
======
jrowley
One baseline to think about is SOC-II compliance. You'll also need training
for your organization and certain designated people that are responsible for
security. You'll want a third party to audit your architecture / pentest your
systems. Finally, a lot of pressure will be from whoever you may be working
with (hospitals, clinics, data brokers, etc) with respect to proving your
security. They'll put you through their own IT and security audits. In terms
of FDA clearance, you'll want to look into the 510(k) fast track, and look for
similar systems to yours. I've worked at an algorithm oriented HIPAA compliant
startup and don't know a ton, but would be happy to discuss my experience with
you. email hn at funk.dog

------
jameslk
[https://github.com/truevault/hipaa-compliance-developers-guide](https://github.com/truevault/hipaa-compliance-developers-guide)

------
dyeje
I recently went through setting up a HIPAA compliant web app. The team is
small and has no dedicated DevOps so I went looking for a PaaS solution. After
extensive researching and trialing, I went with Healthcare Blocks. They
provide a great experience and were the only company that offered a sane price
point for an early stage startup. Honorable mention to Aptible, especially
their Gridiron product that we will eventually use.

I think another viable route is hiring a contractor to build out your
environment for you. We got a quote from an AWS contractor and it was
reasonable for our setup, but ultimately we really wanted a PaaS. Unless
you’re an expert in HIPAA and the cloud platform you’re looking at, it’s not
something I would recommend tackling on your own.

Remember that there are a lot of non-tech parts of compliance to consider as
well such as training, physical security, security assessments, etc.

~~~
boltzmannbrain
Thanks, I'll definitely look into these! In your research and trialing, did you
compare TrueVault (mentioned in other comments)? Digging around today I'm
rather impressed, but haven't tried anything yet.

And if you don't mind, what do you consider a "sane price point"? I'm assuming
that price is relatively small compared to the actual AWS hosting fees you pay
on top of the PaaS, no?

~~~
dyeje
I didn't try TrueVault because I didn't want to integrate it into an existing
application. Certainly seems like an option worth exploring if you're into it.

For HIPAA compliant hosting, I would say a sane price point is below $1000 a
month for a single server and database. Only Healthcare Blocks, Aptible, and
EngineYard came in below that. Other providers like Heroku and Datica started
around $3000 a month. With Healthcare Blocks the monthly cost is all in, there
are no additional hosting fees. That said, for a small app hosting fees are
small. The AWS consultants forecasted the actual server costs around $200 for
the year I believe.

------
Digory
FWIW, Amazon's quickstart doesn't reference its WorkDocs product, which is now
"HIPAA eligible."[0] I'm not sure about any over-and-above pricing, but the
core service pricing is reasonable, if it fits into your workflow.

[0] [https://aws.amazon.com/about-aws/whats-new/2017/07/amazon-workdocs-achieves-hipaa-eligibility-and-pci-dss-compliance/](https://aws.amazon.com/about-aws/whats-new/2017/07/amazon-workdocs-achieves-hipaa-eligibility-and-pci-dss-compliance/)

------
saluki
I was looking at developing a HIPAA compliant app a few years ago; I was going
to use [https://www.truevault.com/](https://www.truevault.com/).

Ultimately I decided against doing anything that requires HIPAA compliance.

~~~
boltzmannbrain
Thanks for the TrueVault pointer, that's a great resource for info! I was
going to follow up asking your thoughts on using their service vs doing it
yourself, but reading the dev guide posted by @jameslk I came across this:

    We think this comment from Hacker News sums up the technical debt required to roll your own HIPAA compliant infrastructure quite accurately. This was completely unsolicited and is not from a TrueVault customer.

        "[Building our own HIPAA compliant infrastructure] took upwards of 1,000 person-hours to figure out HIPAA-compliance issues. This will continue to be an ongoing cost for us, because HIPAA is an ongoing law and it changes sometimes. It takes substantial auditing time and money." — jph

~~~
saluki
y, I don't think it's practical to DIY.

Although Patio11 did it with AppointmentReminder, it sounds like basically
their HIPAA plans were run the same as their regular plans as far as
servers/security. From what I read he just offered the agreement, etc. to the
higher paying customers.

There are lots of interesting apps that could benefit patients and doctors.
HIPAA is just scary to tackle as a small company, it's way easier just to
choose another niche.

People always say selling to the medical field is difficult too.

