Does using TrueVault automatically make my web app HIPAA compliant?

Question

I am working on a health startup that deals with personal records of patients and it is essential for us to be HIPAA Complaint. I heard of TrueVault, a company that provides RESTful API for transfer of data.

Does using TrueVault for this automatically makes my web app HIPAA compliant? The company is not too open about it and as far as I have read the company seems to suggest this notion. Does anyone have any idea about if this is true or are there any other things I need to take care of?

My app is based on CodeIgniter Framework (PHP).

Answer 1

No, it does not. The HIPAA Security Rule covers all systems that deal with EPHI (electronic private health information), even if they do not store it themselves. Using TrueVault to store EPHI does not exempt you from HIPAA requirements; it just means you don't need to deal with some of the parts about data storage.

If you are unsure of how to handle HIPAA requirements, talk to a lawyer. (In fact, you should probably talk to a lawyer about this anyway.)

Answer 2

Disclaimer: I'm the founder and CEO of TrueVault.

The short answer is any data you store in TrueVault will meet all the HIPAA Technical and Physical Safeguard implementation details. However, there are other non-technical requirements you will need to put into practice. For example, you will need to make sure your organization meets all the Administrative Safeguards requirements as well (which services like Accountable is well suited).

Ultimately, it is each organization's responsibility to ensure it is fully HIPAA compliant even if certain covered activities are delegated to other Business Associates. So you should always talk to your Business Associates and inquire how they are meeting each implementation detail for you. And make sure your Business Associates will sign a Business Associate Agreement with you.

Don't hesitate to give us a call or email us if you have any TrueVault questions.

Answer 3

This question has been covered in detail on Quora as well - http://www.quora.com/Health-Insurance-Portability-and-Accountability-Act-HIPAA/Becoming-HIPAA-Compliant-Should-you-use-a-Backend-As-A-Service-or-a-HIPAA-Server-Why. Might want to look there for additional responses.