[HN Gopher] Launch HN: Delve (YC W24) - HIPAA compliance as a se...
___________________________________________________________________
Launch HN: Delve (YC W24) - HIPAA compliance as a service
Hey, HN! We're Karun and Selin, co-founders of Delve
(https://getdelve.com). We help companies get HIPAA compliant fast,
with 1-click infrastructure, streamlined legal policies, and real-
time monitoring. Here's a quick demo: https://youtu.be/mQbb5mprsUA.

HIPAA is a US federal law passed back in 1996 that sets standards
for protecting sensitive health information. Here's an article that
breaks it down pretty simply: https://www.getdelve.com/blog/quick-
guide-to-hipaa. Most companies that process health information in
the US need to become HIPAA compliant, a process that can be long
and expensive. At our previous health tech company, we spent 6
weeks (and tens of thousands of dollars) on getting compliant. We
had to complete a lot of manual work, even after purchasing an
industry-standard compliance solution, and felt like we were
hitting checkboxes with little confidence in our security. We
realized that many parts of the compliance process could be
streamlined and simplified, which led us to building Delve.

To get HIPAA compliant, you need (1) secure infrastructure, (2)
legal policies, and (3) logging/monitoring. At Delve, we help
startups with all three. We provide 1-click HIPAA compliant
infrastructure deployed in your cloud and a CI/CD pipeline to
update infrastructure from git push (think Heroku but HIPAA
compliant). Then, we provide legal policies, paperwork, and a
complete task list customized to your infrastructure setup.
Finally, we have a real-time monitoring dashboard to help oversee
compliance, track system activity, and review logs.

One thing we noticed the first time we ever got HIPAA compliant was
that we had to use many tools along the way. We bought an
industry-standard HIPAA compliance solution, hired a HIPAA DevOps
contractor to help configure secure infrastructure, and worked with
lawyers to adapt the boilerplate legal policies that our compliance
solution had provided. When building Delve, we worked hard to give
you everything you need in one place, reducing the hassle and cost.

We currently charge on an annual flat-fee basis. However, we're
still exploring our pricing model (flat-fee vs. usage-based vs.
combination of both), and if you have any thoughts to share on
that, we'd love to hear them.

We're really excited about making it easier to build in healthcare
and removing compliance bottlenecks. Thrilled to share this with
you and hear your comments!
Author : selinkocalar
Score : 59 points
Date : 2024-02-26 16:17 UTC (6 hours ago)
| rposborne wrote:
| How do you beat https://www.aptible.com/?
| selinkocalar wrote:
| Great question! Aptible is great for deploying HIPAA-compliant
| applications, but you still have to purchase another solution
| for completing the legal policies and compliance checklist,
| such as Vanta.
|
| Think of us like Aptible + Vanta. Because you deploy your
| application through us, we can give you deep insights into your
| security and compliance. For example, we give you legal
| policies that have already been customized to your
| infrastructure setup. Similarly, we provide a
| logging/monitoring dashboard that is designed to meet what
| auditors look for in your infrastructure setup. Putting all
| your compliance solutions in one place lets us streamline the
| path to compliance.
| fancyremarker wrote:
| Hi! Aptible founder here. I wanted to make an important
| correction here.
|
| Aptible has a built-in Security & Compliance Dashboard [0]
| that supports compliance automation and reporting (PDF and
| API exports) for HIPAA, HITRUST and other security
| frameworks. You can see a demo of the entire platform,
| including this Dashboard, in our "Aptible in 10 Minutes"
| video. [1]
|
| You can also integrate Aptible with Vanta, Drata or another
| compliance automation tool, if you're running the self-hosted
| version of Aptible that runs in your own AWS account. If you
| do, you can expect fully passing tests for HIPAA and SOC 2 in
| Vanta or Drata with zero additional configuration. Most
| Aptible customers find our built-in dashboard sufficient, and
| don't feel the need to buy Vanta/Drata separately to ensure
| HIPAA compliance.
|
| [0] https://www.aptible.com/docs/intro-compliance-dashboard
| [1] https://www.youtube.com/watch?v=mhNzGO9KbWY
| selinkocalar wrote:
| Thanks for sharing this! The demo is very neat and it's
| great to see other companies also prioritizing security and
| compliance.
| iends wrote:
| I didn't see the mention of BAAs anywhere. Do you handle getting
| that signed with vendors like AWS?
| selinkocalar wrote:
| Yes! We outline BAA requirements in our compliance checklist
| (i.e. we'll provide the exact steps of how to get a BAA with
| AWS and remind you to get BAAs with other 3rd parties).
|
| We're also building out a small network of 3rd party vendors
| that we work closely with to help our customers get BAAs signed
| quick and offer discounts to those 3rd parties' services.
| candiddevmike wrote:
| Do you enter into a BAA with all of your customers?
| selinkocalar wrote:
| Yes, we sign sub-BAAs with our customers.
| debarshri wrote:
| Every org that starts out with a compliance-oriented SaaS in my
| experience ends up migrating out of it eventually because when
| they grow, they have more capital to build their own
| infrastructure and hire more engineers who do not want to deal
| with the kinks of a SaaS abstraction.
|
| If you are using Vanta or Drata at an early stage and opt for the
| HIPAA framework, you do get the list of controls that you have to
| implement, which also includes cloud-specific configuration
| changes that you need to make. And these changes are a one-time
| thing, continuously monitored by the framework.
|
| My argument is that the target market you're trying to sell to,
| the early-stage HIPAA compliance market, is not difficult anymore.
|
| I hope this feedback helps you to foresee possible problems.
| selinkocalar wrote:
| Thanks for the transparency and thoughts on this!
|
| We provide a lot of active elements, such as our infrastructure
| logging/monitoring dashboard, email alerts, and code
| vulnerability scans every time you git push, so that we aren't
| just a one-time purchase. We help you be proactive about
| preventing breaches instead of just integrating with your AWS
| API and passively monitoring. One of the biggest things about
| HIPAA is that it isn't just your initial setup that matters,
| it's how you manage compliance on an ongoing basis that's
| important for maintaining security and privacy.
|
| We're also growing with our customers and moving upstream, and
| keeping in mind exactly what you said about preventing SaaS
| churn. As we do this, we're following the core thesis that
| compliance should bridge legal, DevOps, and cybersecurity, and
| when you combine all these you can get much deeper insights
| into security and can integrate deeper within an organization
| to provide more proactive measures.
| debarshri wrote:
| Solutions like this won't work in large orgs that have led to
| huge ACVs.
|
| Would be more happy if you prove me wrong.
| ramzez wrote:
| Is there pricing information?
| selinkocalar wrote:
| We charge a fixed annual fee -- zero usage-based costs.
|
| We deploy all on your own AWS cloud so you're not paying any
| marked up fees or being faced with surprise bills.
|
| If you have any thoughts on this would love to hear them!
| btoro wrote:
| I'd also like to see pricing info available.
| a_gnostic wrote:
| It does more than just protecting sensitive health information,
| it also governs how billing works, so if you've ever wondered why
| some Dr. you never met is sending you bills in the thousands of
| dollars; HIPAA is where you can find out why!
| selinkocalar wrote:
| Yes! HIPAA was initially rolled out for the portability and
| continuity of health insurance coverage.
|
| But over the years, with the enactment of the Privacy Rule,
| Security Rule, HITECH Act, Omnibus Rule, etc., HIPAA's
| implications have been shaped quite a bit.
| johnxie wrote:
| Very cool! Is there an equivalent for SOC2, GDPR, etc.?
| selinkocalar wrote:
| We're rolling out SOC2 in a month! GDPR, HITRUST, etc. are down
| the line.
| candiddevmike wrote:
| How does this compare to OneTrust and Tugboat?
| fishpen0 wrote:
| We have investor pressure to use specific cloud providers. This
| is the Healthcare version of Walmart not letting their partners
| use AWS. Due to their (Amazon, Google) vertical integration
| slowly moving in on healthcare turf, many healthcare
| partners/payers/investors are adding contractual pressure to exit
| AWS or GCP and move to Azure specifically. Wondering how your
| cloud support in general looks. Your previews are all AWS-centric.
| technics256 wrote:
| Interesting, haven't heard of this. Always figured AWS and GCP
| were ahead of Azure in terms of healthcare.
| fishpen0 wrote:
| They are, so I want to smash my face in once a month or so
| when this boogeyman is dragged up out of hell during
| executive calls
| robertlagrant wrote:
| They're ahead technically, but, for example, Microsoft has
| its claws in a lot of the NHS in the UK.
| selinkocalar wrote:
| We currently support AWS but use Terraform for deployment,
| which is pretty cloud agnostic. So far, we haven't gotten any
| major requests for expanding to other cloud providers and most
| of our incoming customers are already on AWS anyways.
|
| One of the main reasons why healthcare players were moving onto
| Azure was for in-built HIPAA compliant OpenAI access. We've
| been able to help our customers directly sign BAAs with OpenAI
| so this wasn't a concern.
| DaiPlusPlus wrote:
| > for in-built HIPAA compliant OpenAI access
|
| Sorry but _what_?
| selinkocalar wrote:
| A lot of healthcare companies are wanting to use GPT4,
| Whisper, and other LLMs from OpenAI, but these aren't HIPAA
| compliant out of the box. You still have to sign a BAA with
| OpenAI and get on their zero data retention (ZDR) plan.
|
| Because of the close partnership with Microsoft and OpenAI,
| Azure makes it easy to get HIPAA compliant access to
| certain OpenAI models without having to go through OpenAI
| directly. This is why a lot of AI healthcare companies were
| building on Azure at first. Hope this clarifies!
| agilob wrote:
| I'm in banking and we have similar pressure to leave AWS, but
| for different reasons. Simply too many banking services are
| already on AWS, and if a single cloud goes down it mustn't take
| down most of the banking infrastructure of a country.
| burnte wrote:
| Healthcare CIO/VP here. Some thoughts to help you improve your
| communication to potential customers, AKA what I look for when I
| am evaluating a platform for healthcare use:
|
| The website is too thin, it looks like you're really heavily
| relying on meetings to get customers rather than the product
| itself. I think you should dedicate some resources to fleshing
| out the website A LOT with more information because it actually
| looks like a potentially useful product, but I'm not going to
| commit to a presentation just for more info. This is a red flag,
| as in my experience companies with little public info and who
| want to share everything in demos/meetings have a lot of warts
| they try to hide by a highly curated meeting experience.
|
| Cancel the blog portion, it's 2024 and no one cares about company
| blogs. No one ever DID, but they were popular for a hot minute
| anyway, and that minute is gone. Don't blog and take that time to
| flesh out the website dramatically. Right now your sole blog post
| is a 2 minute intro to HIPAA. Anyone who doesn't know what HIPAA
| is will not be a customer, so this post isn't helping you at all.
| I think your #1 priority this week should be flooding the website
| with information about the product. How-To guides, detailed
| descriptions of features, videos, even an interactive demo would
| be great.
|
| I'm not sure if your product is narrow and focused on helping
| code compliant apps, or if you're a general compliance checklist
| suite. The latter is WAY more useful than the former. If you're
| the former, I'd suggest expanding your scope to get more
| business. When I thought this was an enhanced HIPAA compliance
| suite, I was ready to get more info, now that I see it may be
| focused on app development only, I don't care about it, as
| honestly getting computers compliant is a lot easier than getting
| humans and processes compliant. If you're not just focused on
| development, this reinforces the website problem.
|
| Kill your FAQ: "How is Delve different?" Please flesh this out to
| about 1,000-1,500 words on another page and go into more detail.
| "Has Delve been reviewed by HIPAA auditors?" Don't tell me, link
| me to your PDF compliance reports. "How do I know your
| infrastructure is secure?" Combine this with the question above
| and link me to your PDF compliance reports. Then make it its own
| page like with the question above. "How can I show my customers
| that I'm HIPAA compliant?" Again, it's 2024, no one cares about
| badges, they want BAAs and compliance reports. People understand
| today that a little badge on a webpage means nothing. This isn't
| even a question you should be answering, actually. Only your
| customers can answer that through knowledge of their customer
| base.
|
| You look like a promising startup, I hope you accept this
| critique from a decision maker in your target audience in the
| spirit it's offered. It's not meant to say you're bad or dumb,
| you just need to spend some real time on the website and
| information shared with potential clients. Right now you look
| interesting, but not enough for me to reach out yet. A more
| detailed website would change that a lot.
| technics256 wrote:
| If it's only compliance then, why not go with the other vendors
| like Vanta etc?
| afro88 wrote:
| Looks great, and I wish this existed 2 years ago when I started
| building a HIPAA compliant product!
|
| But I immediately had a few questions and am hesitant to book a
| demo (I'm quite time poor):
|
| 1. What clouds do you support?
| 2. What does the infrastructure look like, what services does it
| use?
| 3. Do I get locked into a particular orchestration or deployment
| setup? We prefer k8s for example.
| selinkocalar wrote:
| Thanks for the question!
|
| (1) We've made the conscious decision to start with AWS support,
| as our ICP is primarily on AWS (80%+). We plan to roll out GCP
| and Azure once we have sufficient coverage on AWS services.
|
| (2) When you're onboarded, we deploy a series of base resources
| (IBNLT networking resources, notification services, logging
| services). You can then select from a library of supported
| resources for your application-specific environment.
|
| (3) To directly answer your question -- no you are not locked
| in and can change as you see fit. Also, because we deploy
| infrastructure in your own cloud, you're able to go in anytime
| and make custom modifications to your infrastructure.
| afro88 wrote:
| Many thanks for the answers. In reply to 3, can you clarify
| the details of what deployment and orchestration tools you
| set up for your customers? And if we are able to make
| modifications to the underlying infra, is there some kind of
| process that prevents changes that break HIPAA compliance?
| selinkocalar wrote:
| Sure thing!
|
| Under the hood, we define infrastructure using Terraform to
| explicitly define logical relationships between resources,
| easily enforce deny-by-default behavior, and spin up
| resources with granular access logging by default. We then
| expose a subset of toggles that users can adjust (compute
| resources, service connections, siloed application
| deployment). Some toggles that may have a business need,
| but would prove to carry excess risk (such as blanket
| public exposure of data stores), are explicitly
| disallowed. This is a decision that we've made and feel
| offers the ideal balance between flexibility and compliance
| enforcement.
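The reply above describes a guard that refuses changes which would publicly expose a data store and ships access logging by default. As an added illustration (not Delve's code, and not tied to any real account), here is a pre-apply policy check over `terraform show -json` output that enforces the same two points: an S3 bucket must have a public access block with all four flags set and an access-logging configuration, bucket ACLs must be private, and an RDS instance must not be publicly accessible. The plan JSON is constructed inline, and the check assumes bucket names are known at plan time.

```python
import json
import sys

# Constructed stand-in for `terraform show -json plan.out` output; only the
# resource_changes entries the check reads are included. Not a real plan.
SAMPLE_PLAN = json.loads("""{"resource_changes": [
 {"address": "aws_s3_bucket.phi", "type": "aws_s3_bucket",
  "change": {"actions": ["create"], "after": {"bucket": "phi-store"}}},
 {"address": "aws_s3_bucket_public_access_block.phi",
  "type": "aws_s3_bucket_public_access_block",
  "change": {"actions": ["create"], "after": {"bucket": "phi-store",
   "block_public_acls": true, "block_public_policy": true,
   "ignore_public_acls": true, "restrict_public_buckets": true}}},
 {"address": "aws_s3_bucket_logging.phi", "type": "aws_s3_bucket_logging",
  "change": {"actions": ["create"], "after": {"bucket": "phi-store",
   "target_bucket": "audit-logs"}}},
 {"address": "aws_s3_bucket.exports", "type": "aws_s3_bucket",
  "change": {"actions": ["create"], "after": {"bucket": "phi-exports"}}},
 {"address": "aws_s3_bucket_acl.exports", "type": "aws_s3_bucket_acl",
  "change": {"actions": ["create"], "after": {"bucket": "phi-exports",
   "acl": "public-read"}}},
 {"address": "aws_db_instance.phi", "type": "aws_db_instance",
  "change": {"actions": ["update"], "after": {"identifier": "phi-db",
   "publicly_accessible": true}}},
 {"address": "aws_s3_bucket.old", "type": "aws_s3_bucket",
  "change": {"actions": ["delete"], "after": null}}]}""")

# All four flags must be true for a bucket to count as non-public.
PAB_FLAGS = ("block_public_acls", "block_public_policy",
             "ignore_public_acls", "restrict_public_buckets")


def _live(plan):
    """Yield (type, address, after) for resources that exist after apply."""
    for rc in plan.get("resource_changes", []):
        after = rc.get("change", {}).get("after")
        if after is not None:  # destroyed resources have after == null
            yield rc["type"], rc["address"], after


def check_plan(plan):
    """Return violation strings; an empty list means the plan may be applied."""
    live = list(_live(plan))
    guarded = {a.get("bucket") for t, _, a in live
               if t == "aws_s3_bucket_public_access_block"
               and all(a.get(f) is True for f in PAB_FLAGS)}
    logged = {a.get("bucket") for t, _, a in live
              if t == "aws_s3_bucket_logging" and a.get("target_bucket")}
    violations = []
    for t, addr, a in live:
        if t == "aws_s3_bucket":
            if a.get("bucket") not in guarded:
                violations.append(f"{addr}: no public access block with all flags set")
            if a.get("bucket") not in logged:
                violations.append(f"{addr}: no access logging configured")
        elif t == "aws_s3_bucket_acl" and a.get("acl", "private") != "private":
            violations.append(f"{addr}: acl {a['acl']!r} is not private")
        elif t == "aws_db_instance" and a.get("publicly_accessible"):
            violations.append(f"{addr}: publicly_accessible must be false")
    return violations


if __name__ == "__main__":
    # Pipe a real plan JSON on stdin; with no input, the constructed sample runs.
    plan = SAMPLE_PLAN if sys.stdin.isatty() else json.load(sys.stdin)
    problems = check_plan(plan)
    print("\n".join(problems) or "plan passes policy checks")
    sys.exit(1 if problems else 0)
```

Wired into CI as `terraform show -json plan.out | python check_plan.py`, a non-zero exit blocks the apply step, which is the kind of process the question above asks about.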
| imglorp wrote:
| Sort of related: it seems like compliant providers and services
| are carrying the burden of patient privacy in good faith,
| securing the front door. Meanwhile, there are open tent flaps on
| the sides and back. It's hard to do the right thing while there
| are minimal regs and enforcement on the rest of the ecosystem.
|
| E.g., tracking on medical sites let Meta go to town --
| https://www.theverge.com/2022/8/2/23288612/meta-hosptials-su...
|
| E.g., patient data brokers: "Currently, under HIPAA there is no law
| prohibiting the use of healthcare data shared via marketing
| practices." -- https://www.beckershospitalreview.com/healthcare-
| information...
| selinkocalar wrote:
| Yes, you're correct in your assertion that infrastructure
| policies are just one part of the puzzle. In conjunction with
| our preconfigured deployments, we provide customers a set of
| legal policies we've worked with former US Attorneys to closely
| align with the spirit of HIPAA enforcement. We've all seen the
| countless ByteDance and Meta cookie data leakage headlines on
| insurance and healthcare portals, and provide customers with
| notice to remove trackers, or sign BAAs with user metrics
| companies where possible.
| dekhn wrote:
| I remember early in Google Cloud I was working with a Google PM
| on health-related projects (Google Cloud Genomics). The PM was
| our ostensible expert on HIPAA, and explained many details (such
| as BAA). The one funny thing they said is "there is no such thing
| as HIPAA compliance, that term is meaningless". And I don't
| really understand what they meant, but I think they must have
| been wrong (even though they were supposed to be the subject
| matter expert).
| debarshri wrote:
| Your PM is right. Unlike SOC2, you don't get a certification.
| More details here [1]
|
| [1] https://compliancy-group.com/what-is-a-hipaa-certification/
| dekhn wrote:
| Maybe. But Google Cloud has adopted the compliance
| terminology:
| https://cloud.google.com/security/compliance/hipaa
| selinkocalar wrote:
| Your PM was probably referencing the fact there is no audit
| requirement -- HIPAA is self attestation.
|
| HIPAA compliance can be boiled down to "implement best security
| practices, record every request & transaction, and enforce zero
| trust to the truest extent possible." Once you've done your due
| diligence with this, you can self attest compliance.
| Spooky23 wrote:
| It's a weird topic. I always laugh about how "difficult" HIPAA
| compliance is often portrayed as in online forums. It's a
| reminder to me of how important due diligence is. Of the
| various regulatory regimes, HIPAA is not particularly
| challenging, and if it is, I'd be concerned with doing business
| with the entity in other contexts.
| Aaronstotle wrote:
| Does this relate to HITRUST as well? I know the pain of those
| audits as I worked for healthcare companies that had them and a
| lot of the rules are similar.
| selinkocalar wrote:
| It's slightly similar but HITRUST is still more comprehensive
| and is built on the CSF framework.
|
| HITRUST was initially developed as the answer to HIPAA
| compliance, although the framework has now been rebranded as
| industry-agnostic. Hence, there is a good amount of overlap as
| you mentioned.
| stevenicr wrote:
| So this is for AWS-style hosting, and there is no pricing info.
|
| I am interested in this and could be someone pitching this to
| many others, but I want it with cPanel cloud hosting, not
| aws/git/whatever.
| selinkocalar wrote:
| You're correct, we are putting our engineering focus into
| designing an enjoyable experience with AWS as our launch pad,
| and broadening our supported cloud providers as we continue to
| build out.
|
| I've only seen and personally used cPanel for on-prem
| management (paired with WHMCS for billing), which is not
| something I've come across so far here. Happy to talk about
| this more though if you have time.
| user3939382 wrote:
| My 5 second reaction having managed a large organization in a
| compliance/regulatory driven environment is that these
| regulations need to be part of the orgs DNA or long term you'll
| be buried by an audit. It's not something you bolt on.
| selinkocalar wrote:
| Yes, exactly. This is a similar battle IT folks face with
| implementing best practices when it comes to cyber hygiene, and
| the sooner it's solidified, the better (shift left approach).
| That's been our current approach with helping early stage
| health tech startups, and will be a tough but rewarding battle
| as we move towards organizations with established practices (be
| it good or bad). Curious to talk more with you about this if
| you have time.
| user3939382 wrote:
| Sure. My email is in profile.
| hbcondo714 wrote:
| > Most companies that process health information in the US need
| to become HIPAA compliant
|
| I appreciate what Delve is doing for these kinds of companies but
| what about non-tech small companies & individual therapists that
| process health data? We enlist the services of multiple
| behavioral / mental health providers and most of them use
| personal devices / SMS / GMail for transmitting PHI[1]. I
| understand this may not be the target audience for Delve but
| getting these kinds of companies HIPAA-compliant is a real need.
|
| [1] https://www.hhs.gov/answers/hipaa/what-is-phi/index.html
| selinkocalar wrote:
| It's an interesting point you raise. You're correct in that our
| current target audience primarily covers the companies that
| provide services to healthcare providers instead of actual
| healthcare providers.
|
| For more context, HIPAA breaks companies into two categories:
| (1) Covered Entities, which are healthcare providers, health
| plans, and healthcare clearinghouses, and (2) Business
| Associates, which are companies that process PHI on behalf of
| Covered Entities.
|
| Behavioral/mental health providers fall into the Covered Entity
| category, and their requirements under HIPAA are different than
| those of Business Associates. Our services are currently
| focused on supporting Business Associate needs.
| eddywebs wrote:
| Congratulations on the launch! Would you plan to expand to the
| Salesforce platform? I am a Salesforce partner and would love to
| connect if you are looking for implementation partners.
___________________________________________________________________
(page generated 2024-02-26 23:00 UTC)