Hacker News

Another use case: apps/sites/devices that offer tools to help people track various health-related statistics.

Consumer-originated data, even though it is health data, is not protected health information (PHI) as covered by HIPAA. But, when that health data is shared with a Covered Entity (a doctor, hospital, insurance plan, or other HIPAA-defined CE) then it becomes PHI. And, the app handling the PHI needs to be HIPAA compliant.

People want information, not data. When an app takes health data and feeds it up to a doctor for diagnosis, analysis, advice, or treatment, then that data becomes PHI and your app needs to be HIPAA compliant.



You said that TrueVault will "handle HIPAA" and that "using TrueVault makes you HIPAA compliant."

I don't see how those claims are true. If the developer is a business associate, they're still required to have a risk analysis, policies, and training. If they're not a business associate, they don't need to be compliant.

So I guess I'm not seeing how TrueVault helps a developer avoid becoming a business associate. jph's case is marginal - if the covered entities all sign BAAs with TrueVault, maybe the developer can argue that they do not "create, receive, maintain, or transmit" PHI. Good luck arguing that with the covered entity, btw.


The steps you will need to take to comply with HIPAA when using TrueVault will vary based on your implementation.

If you use our JavaScript widgets so that you never actually touch PHI, then you may be able to avoid the Administrative Safeguards. But, if you handle PHI and then send it to TrueVault you will need to comply with the Administrative components of HIPAA.

The HIPAA Security Rule requires appropriate Administrative, Physical, and Technical Safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.

HIPAA compliant hosting handles the Physical Safeguards, a set of rules and guidelines that focus on the physical access to protected health information (PHI).

TrueVault handles both the Physical and Technical Safeguards (Encryption and Decryption, Key Management, Key Rotation, Access Control, Unique User Identification, Emergency Access, Automatic Logoff, Audit Controls, Mechanism to Authenticate Electronic PHI, Person or Entity Authentication, Transmission Security, and Integrity Controls). This is all stuff that you would have to build yourself if you use AWS, FireHost, or Rackspace.

You’re right; Administrative Safeguards should not be ignored. The administrative components are really important when implementing a HIPAA compliance program; you are required to assign a Privacy Officer, complete a risk assessment, implement employee training, review policies and procedures, and execute Business Associate Agreements (BAAs) with partners you share protected health information (PHI) with. I think that Accountable does a great job with the Administrative Safeguards. Accountable offers HIPAA compliance management tools that keep your business legal. Check out -- http://www.accountablehq.com/


So a developer who uses your JavaScript is no longer a business associate?


Again, the steps you will need to take to comply with HIPAA when using TrueVault will vary based on your implementation. I’m happy to jump on the phone and answer any questions that you may have. We can go over the use case that you have in mind and the HIPAA implications. Feel free to email me directly at trey@truevault.com.

To clarify, a Business Associate is any entity that uses or discloses PHI on behalf of a Covered Entity. Furthermore, a Business Associate is any person who, on behalf of a Covered Entity, performs (or assists in the performance of) a function or activity involving the use or disclosure of PHI.


I'm not confused about what a business associate is. I'm confused as to how you can say:

"[TrueVault] gives developers the freedom to create applications that require regulatory compliance without worrying about regulatory compliance."

I'm just asking for one example where that is true, and where a sophisticated covered entity agrees.

