JasonWangRecent stories on compromised patient data from medical record systems, along with concerns from developers about FDA regulations, underscore the importance of up-to-date security for HIPAA compliance. Yet healthcare providers — many of whom have a vision for creating their own apps but are novices to software engineering and information architecture — may not have the expertise to secure such information. How can they still create apps that guarantee HIPAA compliance and safeguard patient health information?

At the most recent hxrefactored conference, Jason Wang presented TrueVault, an online service that takes care of HIPAA’s technical requirements along with a privacy and data breach insurance policy. While the service is geared towards developers, healthcare providers who create their own apps can take advantage of such services designed to make security easier to implement.

We spoke with Jason Wang, Founder and CEO of TrueVault. Wang studied computer science and business at the University of California, Irvine, and launched his company in Orange County. He and his team have designed TrueVault to help get new healthcare apps launched faster, taking care of the setup required for a HIPAA-compliant data center.

Many of our readers are pharmacists, physicians, dentists, and other healthcare providers who are creating their apps. Why should they care about Truevault?

Wang: Doctors should focus on the user experience, the iOS app, the web app. The last thing [doctors] should worry about is HIPAA infrastructure: disaster recovery, data access, redundancy, encryption. All that is necessary to have a successful application. But that’s not something a doctor can pick up very quickly. Their application just needs to talk to TrueVault. We handle HIPAA compliance for them and the data security and performance.

So we handle — out of HIPAA — physical and technical safeguards. All doctors have to worry about is the administrative safeguard: assigning a privacy officer, defining procedures.


Will our readers developing their own apps need to know how TrueVault is implemented? And all of the back-end details?

Wang: Primarily, we work with developers. So developers are familiar with TrueVault because our interface is very similar to other interfaces like Stripe, which stores credit card numbers. Most developers know how to store a JSON [JavaScript Object Notation, a data-interchange format] document. You retrieve data in JSON. You search data in JSON. It’s so easy that doctors themselves are learning how to write iOS apps.

How much will this cost?

Wang: You can sign up for free, [and] you only have to pay when you go live. We help our customers with architectural questions to help them design apps that are HIPAA-compliant. We explain HIPAA to them, get through the administrative safeguards, data liability stuff, the whole process. We walk them through that.

But other providers, such as Box, sound like they do the same thing. Box provides Dropbox- and Google Drive-style information storage with the added bonus of a HIPAA business agreement.

Wang: Box does HIPAA-compliant file backups. If you want to back up a PDF on your laptop, use Box.

We are a database for applications. So [we are designed for] applications talking to TrueVault, not backing up files. So doctors offices use Box to back up patient PDF’s. But for mobile apps, like a doctor’s patient engagement app, they need a database to store patient records, like structured data. That’s when they use TrueVault.

If anyone is building a mobile app, they need to be using TrueVault. It will save them six months of development time. For example, you’d rather buy a car than build your own.

Can TrueVault be used offline?

Wang: I don’t think this matters because they’re writing a mobile app that can connect directly to TrueVault. So you can connect through a cell phone’s wireless connection.

I’d imagine, though, that places such as rural remote areas wouldn’t have online access.

Wang: The EMR’s [electronic medical records, in rural areas] have a local cache that will download records from TrueVault before losing an Internet connection. Then when they regain connection, they can sync up.