Ask HN: Is there an industry preferred HIPAA compliance certification?

2 points by zanezone ↗ HN
Hi HN, I run an Australian digital therapeutics company launching in the US. Basically, being HIPAA compliant is easy enough these days but the trouble is demonstrating this to clients (health payers in particular). Although you don't need certification to be compliant, I wonder if there is a preferred non-official certification that insurers and the like consider highly and would help to make their due diligence of our program more efficient. Any help appreciated!

3 comments

[ 3.0 ms ] story [ 16.0 ms ] thread
When you actually get into contracts with these large cos, they may ask if you are HITRUST audited (very expensive). If only that were sufficient. Then they will still insist on sending you their 50 page checklist (draw, label, and explain how your NIDS works...) and finally they will want to have a review call (and likely followup calls).

More recently they will ALSO require you (not just your hosting provider, eg AWS) are SOC2 compliant even though there is 99.9% overlap across requirements. Why? Cuz someone in legal now requires that for all vendor contracts.

Efficiency is not their goal. Weeding out small players without the stamina and capital to survive a 36 month sales cycle is their goal.

Wow that's really helpful to know. Thanks!