TrueVault: Helping Digital Health Apps Grapple With HIPAA
Look on Apple’s app store, and you’ll find endless columns of exercise counters, baby trackers, cardio monitors, personal medication diaries…and many, many butt workout regimens.
Consumers use these digital health apps to stay fit, but there are pitfalls both for their users and their developers, says Jason Wang, CEO of San Francisco-based TrueVault. For one thing, hackers are interested in all those personal records people are generating about themselves with their wearables and mobile devices, he says.
“Health care data is worth 10 to 20 times more on the black market than credit card data,” Wang says.
For app developers, there’s a danger of running afoul of regulatory requirements designed to protect the privacy of patients’ health information, he says. The privacy law, HIPAA (the Health Insurance Portability and Accountability Act), applies to doctors, hospitals, and pharmacies, as most of us are aware. But it also covers businesses that share information with those health care providers.
“The moment the information is shown to doctors, everything being disclosed has to be HIPAA compliant,” Wang says.
Most startup app developers aren’t experts in data security, let alone the complex terms of the HIPAA law, Wang says. When TrueVault was founded in 2013, the digital health developers’ dilemma looked like an opportunity to enter the growing field of cybersecurity.
“HIPAA is our beachhead,” Wang says. The company aimed to create a HIPAA-compliant security system that would be easy to implement, and inexpensive for small businesses.
Consumer fitness apps collect information that might be useful to criminals, such as a user’s daily jogging schedule and route away from home, Wang says. Pilfered medical records are even more valuable to data thieves, because they contain Social Security numbers, addresses, and other information that could be used to assume the victim’s identity and create fraudulent accounts, he says.
HIPAA compliance has become at least a prominent feature for a number of other companies that seek to connect patients with doctors, such as Cary, NC-based startup SmartLink Mobile. Other startups concentrate on helping digital health entrepreneurs ensure that they’re covering the regulatory bases. Some examples are Brooklyn, NY-based startup Aptible and Fort Worth, TX-based Accountable—both recent participants in the San Francisco incubator program Rock Health, a notable backer of digital health entrepreneurs. Aptible has designed an automated process to build HIPAA compliance into mobile and Web applications.
Wang says TrueVault rarely competes with Aptible, but is more often an option for app developers who might otherwise rely on Web hosting environments provided by Rackspace, Google, or Amazon, augmenting them with privacy safeguards as needed.
TrueVault’s software as a service includes data encryption, a mainstay function of cybersecurity systems. It also provides data storage—the data captured by apps goes straight to TrueVault’s servers. The system also addresses key HIPAA concerns, such as making sure the data can’t be read or intercepted by someone other than the doctors involved in a patient’s diagnosis and treatment.
TrueVault doesn’t feed patient data straight into a doctor’s e-mail inbox, where it might be exposed to people who can get a glimpse of the doctor’s laptop or smartphone screen. TrueVault instead sends a message telling the physician that the information is ready. The doctor must use a sign-in procedure to see it.
Wang says HIPAA compliance is one way an app can distinguish itself in the burgeoning marketplace of digital health offerings for consumers. But TrueVault’s potential market goes beyond those consumer apps, he says, because health care providers themselves are increasingly investing money into apps and devices that help them monitor their patients’ health and keep them on track with their treatments.
One of TrueVault’s users is Ardeshir Rahman, research coordinator for the UCLA Gambling Studies Program, which is developing an app to support established therapies for people with gambling addictions. Through their smartphones, patients report when they’re feeling a strong urge to gamble, and the researchers use the data to figure out what triggers the urge for each individual. The app also suggests coping mechanisms, such as calling a therapist or replaying videos of themselves talking about the reasons why they desperately wanted to change their behavior.
Rahman says data security for this sensitive personal information has always been a top priority for the researchers, and it’s a requirement of several UCLA research oversight boards. The study team had started to create its own software to guard the data when they read an article about TrueVault. The project signed on as a customer in early 2014.
“It made our development team very happy because they were able to work on other things,” Rahman says.
TrueVault charges start at $100 per month and increase with the rise in the number of patient records the company handles. Wang says the company doesn’t disclose the names of most of its customers, or the number of customers it has attracted so far. Demand has been strong enough that TrueVault gains most of its business by word of mouth, he says.
TrueVault has raised a total of $3.2 million from outside investors including Y Combinator and angel investors including Zynga founder Mark Pincus.
Wang says the company’s next venture will be to expand beyond health care to other sectors such as banking and the Internet of Things. Cybersecurity seems like a key element for consumers whose thermostats, heaters, and cars are sending data about the family’s personal movements to the Web, he says.
“They know when you get home, and when you leave,” Wang says.