TrueVault (YC W14) Brings Easy HIPAA Compliance to Startups and Health Apps

60 points, by trey_swann, over 11 years ago

8 comments

chimeracoder, over 11 years ago
I'm the technical co-founder of a startup[0] that stores patient data, and I know a couple of people who are working on what they call "Heroku for HIPAA-compliant applications" (slightly different from what TrueVault is, though it serves a similar consumer base)[1].

When I first heard about this and started building our application, I was surprised nobody had tackled this space before. Building HIPAA-compliant applications on AWS is a lot easier[2] than most people think, but it's a *huge* pain.

More importantly, it's the *same* huge pain for almost everyone who goes through the process, and in a way that's rather easy to "factor out".

In that regard, it's not that different from HR or payroll services, which startups almost never do in-house (once they are larger than a few employees, and until they get to be fairly large).

It looks like we're a bit beyond the stage where TrueVault would make sense for us, but I'm glad that this space is starting to attract attention. Technical founders should spend their limited time on building amazing technology and amazing products, not duplicating the same compliance work that everyone else has had to go through.

[0] https://www.boardrounds.com/

[1] The company is Aptible: https://www.aptible.com/ (We aren't customers of these folks, though we like their product)

[2] None of it would be too technically difficult for most of the people reading HN - it's more the diligence of checking boxes, writing up policy docs, etc. It's *important* to do it right, but it's generally a matter of time (and money) more than anything else.
Comment #7242066 not loaded
naveenspark, over 11 years ago
We are using TrueVault for Immunity Project. We have some bias since TrueVault is in our YC batch, but Jason and Trey worked 24/7 to help us with our HIPAA compliance needs. They used their API to build a custom portal for us to securely communicate patient data over a weekend. We highly recommend them.
gwintrob, over 11 years ago
The TrueVault team is awesome and they have a killer API. If you're building anything that touches patient health info, you should talk to them about HIPAA security.
rficcaglia, over 11 years ago
having gone through many hipaa audits/reviews both as customer and as vendor, in my experience when contracts are being signed/renewed it is much more about the people and processes involved.

never had any customer ask specifics about encryption algorithms, apis, dev stack, tooling, or key management. ("do you encrypt data at rest?" "ok, check.") i wish they would. we spend a lot of time and effort on those decisions.

had lots of requests about hr policies and procedures, ongoing perimeter scanning and network intrusion detection, data loss prevention, patching process, hids, data destruction logs, physical security, breach notification plans, disaster recovery SOPs, and other stuff you would find in various NIST and FISMA specs.

but maybe that's how it should be... smart, experienced people will more often than not make good decisions and use the right tools for the job (whether easy or hard) and be vigilant and introspective. give inexperienced folks the best/easiest tools in the world that don't require them to understand the details underneath, and they can find clever ways to create huge gaping holes. and if they are looking for the easiest path, they are probably not well equipped to handle all the unknown unknowns that invariably pop up (usually friday late afternoon!)

honestly, i prefer to know my stack(s) intimately from the kernel sources up, and know how to evaluate and react to potential problems at all layers, than simply outsource all responsibility for these issues to someone. (ok, I outsource some pieces, but only when it makes the solution better, not just easier.) ymmv.

also, fwiw, never had a breach from outside... but had numerous incidents of employees who have lost or stolen laptops which just happened to have a sql dump of "test data". human error/laziness gets you every time.

still, good to see options evolving in the market! the more educated buyers become, the better questions they will ask! and the more rigorous vendors will get... we hope :)
mixonic, over 11 years ago
Aptible is another young startup in the HIPAA space: https://www.aptible.com/ They support a PaaS model similar to Heroku.
wrs, over 11 years ago
Searchable encrypted records seems like a contradiction. Normally I'd expect that the fields you can search on are not encrypted (at least not in the search index), and given the obvious conscientiousness of TrueVault I'd expect to see that mentioned in the docs if it were so, but I don't.

Can someone from TV elucidate how that works?
Comment #7243425 not loaded
jusben1369, over 11 years ago
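The question above, of how records can be both encrypted and searchable, has a standard answer that the thread does not spell out: a "blind index", a keyed deterministic tag (HMAC) over a normalized copy of the searchable field, stored beside the ciphertext, so exact-match lookups work without the index holding plaintext. The following is an added illustration of that pattern, not TrueVault's or Aptible's actual mechanism (the page does not describe either); the `Vault` class, keys and sample records are constructed for the example, and the HMAC-counter-mode stream cipher is a stdlib-only stand-in for a real AEAD such as AES-GCM.

```python
import hashlib
import hmac
import os


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in confidentiality layer: HMAC-SHA256 run in counter mode as a
    # keystream, XORed over the data. Assumption: a production system would
    # use an authenticated cipher (e.g. AES-GCM) here instead.
    stream = b"".join(
        hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        for i in range((len(data) + 31) // 32)
    )
    return bytes(a ^ b for a, b in zip(data, stream))


def blind_index(index_key: bytes, value: str) -> str:
    # Deterministic keyed tag over a normalized field. Equal inputs give equal
    # tags (so equality search works); without index_key the tag reveals
    # nothing about the value, but it does leak which rows share a value.
    normalized = " ".join(value.strip().lower().split())
    return hmac.new(index_key, normalized.encode(), hashlib.sha256).hexdigest()[:32]


class Vault:
    """Constructed example store: rows hold (blind index, nonce, ciphertext) only."""

    def __init__(self, enc_key: bytes, index_key: bytes):
        self.enc_key = enc_key        # separate keys: index key never decrypts data
        self.index_key = index_key
        self.rows = []

    def store(self, patient_name: str, record: str) -> None:
        nonce = os.urandom(12)
        ciphertext = _keystream_xor(self.enc_key, nonce, record.encode())
        self.rows.append((blind_index(self.index_key, patient_name), nonce, ciphertext))

    def search(self, patient_name: str) -> list:
        # Equality search touches only the keyed tag, never a plaintext field.
        tag = blind_index(self.index_key, patient_name)
        return [
            _keystream_xor(self.enc_key, nonce, ct).decode()
            for stored_tag, nonce, ct in self.rows
            if hmac.compare_digest(stored_tag, tag)
        ]
```

The trade-off the commenter is pointing at survives in this design: the index still reveals which rows share a search value, and only exact (normalized) matches are possible, which is why such fields need their own key and careful choice of what is indexed at all.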
Good luck guys! At Spreedly we have the same type of approach for FinTech startups by removing all the PCI compliance headaches. Perhaps one day there'll be a fit to work together. I imagine startups will love you if you pull this off!
selimthegrim, over 11 years ago
Since when does AWS sign a BAA? I thought they disclaimed liability and said to treat them like a phone company or infrastructure provider w.r.t. S3?
Comment #7241824 not loaded