
I am working on a health startup that deals with personal records of patients and it is essential for us to be HIPAA Compliant. I heard of TrueVault, a company that provides a RESTful API for transfer of data.

Does using TrueVault for this automatically make my web app HIPAA compliant? The company is not too open about it and, as far as I have read, the company seems to suggest this notion. Does anyone have any idea whether this is true, or are there any other things I need to take care of?

My app is based on CodeIgniter Framework (PHP).

halfer
user3720088
  • Check this: http://stackoverflow.com/questions/5980423/hipaa-compliancy-what-do-i-need-to-know – Giacomo1968 Jun 08 '14 at 17:07
  • This question appears to be off-topic because it is requesting legal/compliance advice. – halfer Jun 08 '14 at 23:15
  • (I've removed the supplementary question as we prefer one question per topic - and it was probably a bit broad anyway. I suspect this is off-topic too, but if it closes it will at least still have the existing answers below). – halfer Jun 08 '14 at 23:19

3 Answers


No, it does not. The HIPAA Security Rule covers all systems that deal with EPHI (electronic private health information), even if they do not store it themselves. Using TrueVault to store EPHI does not exempt you from HIPAA requirements; it just means you don't need to deal with some of the parts about data storage.

If you are unsure of how to handle HIPAA requirements, talk to a lawyer. (In fact, you should probably talk to a lawyer about this anyway.)


Disclaimer: I'm the founder and CEO of TrueVault.

The short answer is that any data you store in TrueVault will meet all the HIPAA Technical and Physical Safeguard implementation details. However, there are other non-technical requirements you will need to put into practice. For example, you will need to make sure your organization meets all the Administrative Safeguards requirements as well (for which services like Accountable are well suited).

Ultimately, it is each organization's responsibility to ensure it is fully HIPAA compliant even if certain covered activities are delegated to other Business Associates. So you should always talk to your Business Associates and inquire how they are meeting each implementation detail for you. And make sure your Business Associates will sign a Business Associate Agreement with you.

Don't hesitate to give us a call or email us if you have any TrueVault questions.

Jason

This question has been covered in detail on Quora as well - http://www.quora.com/Health-Insurance-Portability-and-Accountability-Act-HIPAA/Becoming-HIPAA-Compliant-Should-you-use-a-Backend-As-A-Service-or-a-HIPAA-Server-Why. Might want to look there for additional responses.

Travis Good