I doubt you could sign a BAA with offshore workers who don't have to comply with such US standards. Furthermore, this space will get shaken up in 2018 in Europe when the EU General Data Protection Regulation (GDPR) goes into effect.
Re 3rd party audit -- yes, a Pen Test by a 3rd party & BAA should be the standard for healthcare companies dealing with service providers. If Expensify has any healthcare companies using their service they are either too small to employ such due diligence or Expensify is headed towards a disaster aka Equifax #2.
Either way, tech companies should take privacy more seriously.
Saw that you were super active in this thread, so I googled your username. It looks like you're their competitor and you're acting like you're an unbiased/concerned person. Pretty dishonest - I'm sure it's great, but you should disclose that you're shilling for your company.
Not once did I "shill" for my company here. And yes, I am concerned about this and the people affected. Should I not be? Calling me dishonest is just poor form, mate.