HIPAA doesn't regulate code or even infrastructure. It regulates organizational policy and behavior. HIPAA consists of things like: have a security policy. Enforce that security policy. Update it periodically. Update a change tracking document every time you do something to your infrastructure. Read your logs periodically and be able to prove that you do so. Have an appropriately empowered person in your organization designated as the HIPAA compliance officer. Do periodic mandatory security training for your employees. Perform periodic risk assessments. Control access to your facility. (It doesn't actually require that you do so in a particularly secure way, just that you do so.) Have and enforce a policy for disposal of media. Write it down every time a device containing PHI is moved.
These things are organizational behavior. I don't understand how you can claim to sell this as a SaaS solution.
Actually HIPAA is pretty strict on application and infrastructure security. HIPAA's Security Rule has 3 main sections: Administrative Safeguards, Technical Safeguards and Physical Safeguards.
Administrative Safeguards = basically encompasses what you described.
Technical Safeguards = encryption, authentication, authorization, audit control, etc.
Physical Safeguards = media (e.g., HD) disposal/reuse, data backup/restore, access control and validation procedures, etc.
TrueVault handles Technical and Physical Safeguards. Companies like AccountableHQ.com do a great job taking care of Administrative Safeguards for their customers.
I'm not buying the assertion that these things are too difficult to build in-house. While I would want a lawyer's approval for peace of mind, and the administrative safeguards are actually nontrivial, I'm pretty sure Wikipedia meets the technical safeguards.
The Access Control requirements: Everyone should have an individual user account protected by some kind of authentication, limited to the permissions its user actually needs, and should log off (and/or be automatically logged off) when they're not actively using that account.
Duh? Every multiuser system designed by a remotely competent solo developer does this. Your local Starbucks's POS implements this. So does my small-town public library. And Wikipedia.
Transmission integrity: as far as I know, you have to explicitly go out of your way to not get this for free from TCP. If you're using HTTPS, even better.
Audit controls: Wikipedia seems to nail this one, since Mediawiki is built around versioned storage with nice visualizations of diffs and reporting on changes. Even without considering security, the natural paradigm for a clinical EHR system is read-and-append-only since you are documenting interactions and the past doesn't change. (Sure, mistakes happen, but that's probably worth acknowledging with an explicit correction.) Otherwise, what's so hard about throwing in a logger.log() describing what's happening when a user does something interesting?
I've skipped encryption, but encryption is "addressable" so you don't have to encrypt anything if it would be too difficult. (So long as you document that choice.) Use HTTPS where feasible, like you should be doing anyway? Encryption of database servers doesn't make much sense since the key would be in memory all the time anyway, but maybe pick "encrypted LVM" when you install the OS? And that's the technical safeguards.
The guide claims that my line of thinking is a trap people fall into, but you don't make a compelling case as to why the technical safeguards are too hard to do yourself or even a burden.
HIPAA isn't talking about static analysis, formal verification, vulnerability research, strong cryptography, hardened kernels, airgaps, side channels, timing attacks, HSMs, 2-factor authentication, etc. It isn't about secure code, nor any of the interesting/"real" security that HN likes to talk about. A HIPAA security audit is a checklist and a very expensive Nessus scan. This isn't Bruce Schneier-level stuff. I'd be surprised if any HIPAA violation was even interesting enough for DEFCON. HIPAA isn't like the FIPS rules. On the technical/software side, it's more like an idiot-check. At least, that was my conclusion after doing a bunch of research for one of my employers.
If I were running a business involving PHI, the thing I'd want most is a lawyer to tell me what I actually need to change based on what the law actually is. It doesn't really seem like help is necessary to implement the technical safeguards.
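Added example, not code from anyone in this thread or from any product named here: a toy Python record store showing the audit-control model the comment above sketches (append-only storage, corrections as explicit amendments rather than overwrites, and a hash chain so a later edit or deletion of history is detectable). Class and field names are my own assumptions.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash carried by the first entry


class AppendOnlyRecordStore:
    """Constructed EHR-style log: append-only, hash-chained, corrections by amendment."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _hash(entry):
        # Hash everything except the hash field itself; prev_hash links the chain.
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def _append(self, actor, action, patient_id, payload, corrects=None):
        entry = {"seq": len(self.entries), "actor": actor, "action": action,
                 "ts": datetime.now(timezone.utc).isoformat(),
                 "patient_id": patient_id, "payload": payload, "corrects": corrects,
                 "prev_hash": self.entries[-1]["hash"] if self.entries else GENESIS}
        entry["hash"] = self._hash(entry)
        self.entries.append(entry)
        return entry["seq"]

    def add_note(self, actor, patient_id, text):
        return self._append(actor, "add_note", patient_id, {"text": text})

    def correct_note(self, actor, seq, text, reason):
        # Never overwrite: append an amendment that points back at the original note.
        target = self.entries[seq]
        root = seq if target["corrects"] is None else target["corrects"]
        return self._append(actor, "correct_note", target["patient_id"],
                            {"text": text, "reason": reason}, corrects=root)

    def current_notes(self, patient_id):
        # Latest text per original note, with corrections applied in log order.
        latest = {}
        for e in self.entries:
            if e["patient_id"] == patient_id and e["action"] in ("add_note", "correct_note"):
                latest[e["seq"] if e["corrects"] is None else e["corrects"]] = e["payload"]["text"]
        return latest

    def verify_chain(self):
        # Any modified, removed or reordered entry breaks a seq, prev_hash or hash check.
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev_hash"] != prev or self._hash(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True
```

The original entry stays in the log after a correction, so a reviewer reading the audit trail sees both what was first recorded and who amended it, when, and why.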