undefined | Better HN

0 pointstfjaeckel8y ago0 comments

Thanks for that input. Totally agree that HIPAA certification is a good approach to prove full coverage of what you've mentioned.

0 comments

didgeoridoo8y ago

Is "HIPAA certification" an actual thing? As far as I know, the various HIPAA "certificates" offered by private companies are not universally recognized, nor do they have clear legal relevance. See TrueVault's FAQ: https://www.truevault.com/hipaa-compliance.html

mbesto8y ago

It's not. You typically sign whats a called a BAA[0] with an entity that is covered by HIPAA compliance. In other words, if a hospital wants to use the software they would make the SaaS provider sign a BAA. This then subjects both the hospital to HIPAA as well as the BAA. The best you can do is basically get audited by an external firm, not dissimilar to how PCI compliance works (which also doesn't have a certification, but has QSA certifications).

[0] - https://www.hhs.gov/hipaa/for-professionals/covered-entities...

j / k navigate · click thread line to collapse

0 comments

didgeoridoo8y ago

mbesto8y ago

[0] - https://www.hhs.gov/hipaa/for-professionals/covered-entities...

j / k navigate · click thread line to collapse