HIPAA Compliance

I’m a doctor, fairly fed up with some of the software we have to use in my practice. To that end, I built a small SaaS solution to improve our workflows in quality improvement and billing. It may never have much appeal, but it solves a problem for me. The biggest hurdle to launch is now HIPAA compliance. Ideally, I’ll get there without spending too much money; the budget’s seriously limited. Unfortunately there’s not much available about what exactly is needed.

Does anyone have experience in this area, or a recommendation for good resources?

I may be mistaken, but I want to say I remember reading somewhere that @patio11 may have dealt with this. Pinging him just in case. Others on here may have had experience with this as well.


From my experience, HIPAA will consume a lot of time and money. It’s not the ideal type of bootstrapped business because everything is 3-6 times more expensive. And you’ll also spend a lot of time writing all your policies, documenting your periodic risk assessments, training, etc.

You will also have to sign a Business Associate Agreement with all your clients, and your service providers (hosting companies, cloud providers, etc.) will have to provide you with a BAA as well.

I’m not saying it’s impossible, but you will be competing against funded companies that usually have a compliance department.

HHS is probably the best resource to learn about HIPAA: https://www.hhs.gov/hipaa/for-professionals/covered-entities/index.html


I remembered vaguely that some hosting provider offered “HIPAA-compliant hosting”.

Just googled… errr … ddg it, and there are a number of them.


I have experience in this area. If you have specific questions, feel free to DM me. There’s really too much to try and give a concise summary in this thread.

Not that you were implying it, but I want to make sure all readers are aware…

Using HIPAA-compliant hosting doesn’t give you a rubber stamp to then declare yourself or your SaaS HIPAA compliant.

100% agree with this.

I was kind of implying it, having been duped by the misleading marketing copy of those hosting providers. :smiley:

How much does true HIPAA compliance differ from just hosting there?

Aptible came up when looking for a medical server. It seemed to be a fairly turnkey solution for the server level. Their entry option is 1k a month and doesn’t get you past understanding your required behaviors either. We didn’t end up needing one for the project after all though, so that was just the final candidate round in a search we did.

AWS itself does have a BAA, but you do need to learn on your own each of the different things you have to do about logging, encryption at rest, and auditing. Here is the AWS guide, which does have a list of steps they recommend: https://d0.awsstatic.com/whitepapers/compliance/AWS_HIPAA_Compliance_Whitepaper.pdf

You will want to look into insurance. DM me if you want some referrals in that direction.

I’ve looked into this briefly. The HIPAA servers are very expensive, several hundred to above $1K per month.

If possible you could consider taking a zero-knowledge approach and minimize breach impact by encrypting everything that is stored as well as separating resources.

Encrypted resources can introduce extra overhead, as everything has to be decrypted when searching against it, for example.

Just my opinion

edit: granted, these servers are also beasts, not a little single-core VPS deal
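The "encrypt everything stored, then pay for it at search time" trade-off raised in the post above, as an added example that is not part of the original thread or any poster's code: one PHI column is stored only as AES-256-GCM ciphertext, and a keyed blind index (HMAC-SHA256 over the normalized value) sits beside it so equality lookups never decrypt a row. The `Store` and `Record` types, the two keys (derived from fixed labels here) and the sample rows are all constructed for the demo; a real deployment would hold both keys in a KMS, separate from the database. Standard library only.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
)

type Record struct {
	ID         int
	Ciphertext []byte // nonce || AES-256-GCM ciphertext || tag
	BlindIndex string // hex(HMAC-SHA256(indexKey, normalized plaintext))
}

// Store stands in for the table plus its two keys (constructed here; use a KMS in production).
type Store struct {
	aead     cipher.AEAD
	indexKey []byte
	rows     []Record
	Decrypts int // counts AEAD opens so the cost of each lookup is visible
}

func NewDemoStore() (*Store, error) {
	dataKey := sha256.Sum256([]byte("demo data key"))   // constructed, 32 bytes
	indexKey := sha256.Sum256([]byte("demo index key")) // constructed, separate key
	block, err := aes.NewCipher(dataKey[:])
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &Store{aead: aead, indexKey: indexKey[:]}, err
}

func normalize(v string) string { return strings.ToLower(strings.TrimSpace(v)) }

// blindIndex is a keyed hash of the normalized value; without the index key it leaks only which rows share a value.
func (s *Store) blindIndex(v string) string {
	mac := hmac.New(sha256.New, s.indexKey)
	mac.Write([]byte(normalize(v)))
	return hex.EncodeToString(mac.Sum(nil))
}

// Insert encrypts with a fresh nonce and binds the blob to its row ID via GCM associated data.
func (s *Store) Insert(id int, phi string) error {
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	ct := s.aead.Seal(nonce, nonce, []byte(phi), []byte(strconv.Itoa(id)))
	s.rows = append(s.rows, Record{ID: id, Ciphertext: ct, BlindIndex: s.blindIndex(phi)})
	return nil
}

// FindIDs is the indexed equality search: it reads only the index column.
func (s *Store) FindIDs(phi string) []int {
	want := s.blindIndex(phi)
	var ids []int
	for _, r := range s.rows {
		if r.BlindIndex == want {
			ids = append(ids, r.ID)
		}
	}
	return ids
}

// Reveal decrypts one row, the only step that needs the data key.
// A ciphertext copied from another row fails here because the AAD (row ID) no longer matches.
func (s *Store) Reveal(id int) (string, error) {
	for _, r := range s.rows {
		if r.ID != id {
			continue
		}
		s.Decrypts++
		n := s.aead.NonceSize()
		if len(r.Ciphertext) < n {
			return "", fmt.Errorf("row %d: ciphertext too short", id)
		}
		pt, err := s.aead.Open(nil, r.Ciphertext[:n], r.Ciphertext[n:], []byte(strconv.Itoa(id)))
		return string(pt), err
	}
	return "", fmt.Errorf("row %d: not found", id)
}

func main() {
	s, err := NewDemoStore()
	if err != nil {
		panic(err)
	}
	for i, name := range []string{"Jane Doe", "John Roe", " jane doe "} { // constructed rows
		if err := s.Insert(i+1, name); err != nil {
			panic(err)
		}
	}
	fmt.Println("hits:", s.FindIDs("Jane Doe"), "decrypts:", s.Decrypts) // hits: [1 3] decrypts: 0
	name, err := s.Reveal(1)
	fmt.Println("row 1:", name, err, "decrypts:", s.Decrypts) // row 1: Jane Doe <nil> decrypts: 1
}
```

Run it with `go run`. The point to take from it: the index answers an exact-match query with zero decryptions, and only the hit rows are opened. The caveats are the ones to weigh before adopting this: a blind index supports exact matches only (no prefix, range or free-text search), it reveals which rows share a value, the normalization rule decides what counts as "equal", and the index key must be a different key from the data key and managed with the same care.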

Thanks for the replies. I’d love to be solving another problem and not drudging through HIPAA legalese, but this one’s close to home. I didn’t even know where to get started, but it looks like HHS is the best source.

@patio11 offered some advice in 2013, http://discuss.bootstrapped.fm/t/how-big-of-a-pita-is-hipaa-compliance-for-a-web-based-app/742/5.

I met Hoala Greevy at a Founder Institute event in San Francisco back in 201. He impressed me then, and I’ve since seen steady progress with his Paubox startup, which they say is the easiest way to send and receive HIPAA compliant email.

From the articles I’ve seen him publish, he’d be an excellent person to talk to. You can tell him Andy Dent from Perth says hi, but he probably won’t remember me.

If the costs are prohibitive to obtain the HIPAA servers, we can help you crowdfund the capital. An added benefit is that you would develop a local following for your SaaS solution that could ultimately help get other practices to use it. If you are interested we would be happy to help. Umergence.com