Day 24 — Building toward HIPAA Compliance (Pt. 1)

One of the looming questions that’s been on my mind since building out the Invincible App has been data security. Specifically, HIPAA Compliance.

I started this work several months ago and picked it back up today. Over the next few weeks I intend to start chipping away at the work required to get us to HIPAA compliance.


HIPAA lays out a series of administrative, technical and physical controls for ensuring protected health information (PHI) is secure. These guides do a much better job of explaining them than I can:

High-Level Approach

For this work, I’ve separated the administrative from the technical/physical controls.

  • Administrative controls are the policies and procedures we need to follow internally, including things like training, risk management, documentation, vendor audits, etc. I can work on these now.
  • Technical controls cover the things we'll accomplish through our technical infrastructure (e.g., encryption of PHI at rest and in transit, access control, audit logging). We'll most likely use a vendor for these.
  • Physical controls ensure that the computers, servers, etc. where the information is stored are physically secure. Since we run on AWS, we'll mainly inherit these from AWS's data-center controls.

High-Level Work to be Done

1 — Administrative Controls

There are a few tools that offer out-of-the-box controls, policies, and procedures, but I found Aptible to be by far the best. The tool is super useful — and best of all, it’s free.

Out-of-the-box documentation on Aptible

Aptible also provides a ticketing tool to drive the work, but I found it pretty clunky and confusing, so I ended up pulling out key work activities and creating tickets in JIRA.

The Mountain to Climb

2 & 3— Technical & Physical Controls

When I first started considering how we might become HIPAA-compliant, I had assumed we could just set some configurations in AWS and we’d be good to go.

Boy was I wrong…

Without a huge dev team and a boatload of money, my thinking quickly switched to third-party providers. I met with some vendors over the past few months to better understand the work effort required.

  • The good news is that they should save us a ton of time and money.
  • The bad news is that they aren't cheap (starting costs are roughly $1K/month).

Here were my favorites:

HIPAA Vendors for Implementing Technical Controls

What’s Next?

I plan to make some small but meaningful progress in the morning and then call it quits for Christmas.

Happy Holidays!




Startup founder surviving in his parent’s basement.

Bob Weishar