
Ask HN: Is there an industry preferred HIPAA compliance certification? - zanezone
Hi HN, I run an Australian digital therapeutics company launching in the US. Basically, being HIPAA compliant is easy enough these days but the trouble is demonstrating this to clients (health payers in particular). Although you don't need certification to be compliant, I wonder if there is a preferred non-official certification that insurers and the like consider highly and would help to make their due diligence of our program more efficient. Any help appreciated!
======
rficcaglia
When you actually get into contracts with these large cos, they may ask if you
are HITRUST audited ( _very_ expensive). If only that were sufficient. Then
they will still insist on sending you their 50 page checklist (draw, label,
and explain how your NIDS works...) and finally they will want to have a
review call (and likely followup calls).

More recently they will ALSO require you (not just your hosting provider, eg
AWS) are SOC2 compliant even though there is 99.9% overlap across
requirements. Why? Cuz someone in legal now requires that for all vendor
contracts.

Efficiency is not their goal. Weeding out small players without the stamina
and capital to survive a 36 month sales cycle is their goal.

~~~
zanezone
Wow that's really helpful to know. Thanks!

------
rman666
HITRUST certification