Clients ask us a lot: What is the difference between TrueVault and HIPAA compliant hosts, such as Amazon Web Services (AWS)? The answer really comes down to risk. If you’re looking for a ready made solution to HIPAA compliance, use TrueVault. If you’re confident in your ability to build from scratch a secure and lawful platform that can store protected health information (PHI) — essentially, build your own version of TrueVault — then you’ll start with a HIPAA compliant host, such as AWS.
Background
In order to use health data, a business must comply with the HIPAA Security Rule, which has three core pillars: Administrative*, Physical, and Technical Safeguards.
- Physical Safeguards focus on the physical security of PHI. In today’s digital world, this translates to data center security, visitor access control, server security, storage media maintenance procedures, etc.
- Technical Safeguards refer to the behavior of the application that is storing the PHI data. User authentication, user authorization, audit logging, data encryption (in-flight and at-rest) are among them.
The Physical and Technical safeguards effectively ensure that PHI is stored in accordance with the law. But implementing these safeguards is no small feat. The Business Associate Agreement (BAA) under HIPAA allows businesses to sign agreements that specifies how PHI will be shared between them. But signing a BAA does not guarantee that a partner will provide comprehensive compliance to all three components of the Security Rule.
Comparing AWS and TrueVault
AWS is a HIPAA compliant host, meaning the data centers housing the servers that store PHI have implemented the physical safeguards required by law. TrueVault, built on AWS, has signed a BAA with AWS that guarantees compliance with these standards. But we’ve advanced beyond the physical safeguards offered by AWS to include more steps to increase data durability on behalf of our clients.
HIPAA compliant hosting is necessary for HIPAA compliance, but it is not sufficient. The behavior of the application must also adhere to the complex HIPAA technical safeguards.
Do you prefer DIY or turnkey?
A HIPAA compliant host, such as AWS, does not offer technical safeguards to companies that use their services. They won’t be able to help with developing an immutable audit log or a sophisticated user authentication and authorization process. This leaves a company with two options: build the application themselves according to the HIPAA requirements or use TrueVault.
Building an application on top of a HIPAA compliant host is similar to buying a bookshelf from Ikea, but without the instruction manual. You’ll receive the parts you need, but it’s up to you to construct the shelves properly. Further complicating matters is the need to meet certain legal standards — imagine if your bookshelf must also comply with federal codes!
TrueVault has already built the application for you. Our product is more like a bookshelf that has already been built, but by bookshelf-building experts, and in compliance with federal codes. TrueVault offers a turnkey data security solution that has been developed specifically with protecting PHI in mind.
Beyond compliance And toward advanced data security
It is true that a developer can competently develop a HIPAA compliant solution for their business in-house, but this is a burdensome process that carries immense liability if mistakes are made that could expose PHI.
Under the HIPAA technical requirements, an application must have:
- User authentication and authorization
- Emergency access procedure
- Automatic log off
- In-flight and at-rest integrity control
- In-flight and at-rest data encryption
- Audit controls
If one of these factors fails for any reason, or an auditor determines it is not up to standard, your company will be exposed to steep fines and legal liability for any mistakes or data beaches.
TrueVault built a data security solution that guarantees full compliance with the physical and technical safeguards under HIPAA. We’ve also instituted advanced security measures to make sure the PHI is not just compliant, but also extremely secure. Some of these features include: secure authentication with advanced security features; fine-grained and audit-friendly access control; comprehensive, tamper-proof audit logs; and industry-leading application security practices to prevent breaches. TrueVault secures our vault, and also secures our data with per-record encryption, so each and every file you upload is protected.
It is notable that TrueVault inherits potential risk by importing and storing PHI on behalf of our client’s businesses. Working with TrueVault means sensitive data will never touch your data centers, further limiting the scope of your company’s liability under HIPAA. We agree in the BAA signed with our clients to take on full responsibility for the data stored in TrueVault, guaranteeing compliance with the physical and technical requirements under HIPAA and staying fully covered under our Cyber Liability and Breach Insurance.
To learn more about TrueVault's secure and HIPAA compliant product, schedule a call with us below:
* For best practice and support achieving Administrative compliance, we recommend Accountable HQ as a quick solution to fulfill these obligations.