FYI:

HIPAA & PCI

TrueVault is in the process of being audited by a third-party auditor. We will soon be verified to be HIPAA compliant for the HIPAA technical safeguards. TrueVault will go through PCI Service Provider Level 1 certification soon thereafter. Feel free to contact us for details.

https://www.truevault.com/documentation.html




There is no such thing as "HIPAA compliance".

Also, do they sign BAAs?


Hi - Yes, TrueVault does sign a BAA. We also carry comprehensive cyber liability insurance that covers any post-breach costs and regulator fines (hopefully it'll never come to that).


Do you add clients as named insureds on that coverage?

If not, it's not really worth the paper it's printed on for your clients.


We will on a case-by-case basis. But there are other contractual indemnification options as well. Ping us and we can tell you all about it.


Yes, they do sign BAAs -- it's the last point on the page.


Sure there is. You find out whether you're compliant when OCR moves to the resolution phase of your enforcement action.


Thanks, that's certainly worth noting. I think self-audits are a non-starter for HIPAA and PCI service vendors. If I were to recommend this to clients or implement it as a storage option in one of our solutions, it would also be nice to have access to their SSAE16 docs.


They should know and expect that. It's a pretty standard request from enterprises' IT and/or Compliance depts when signing deals that involve storing data outside the firewall.
