A Reminder of Our Message
We’ve noticed that our message is really resonating with people these days, so I wanted to share it with the community to remind everyone what MedStack is all about.

Before MedStack, Simon Woodside (our Co-Founder and CTO) ran an application development agency that had become expert at building digital health apps from the ground up to meet the requirements of the industry. Because of the extra complexities of healthcare, however, building these apps and working with privacy lawyers to get the proper privacy policy documentation in place took up to 6 months longer and could cost an additional $100k in the first year of a startup’s life. This turned many developers and entrepreneurs away from healthcare, and it is a large part of why the healthcare industry lags other industries in software innovation and app adoption. Simon began solving this problem by building automation tools to support the app development his agency was already doing. When he met Balaji Gopalan (our Co-Founder and CEO), the two shared a vision: make healthcare app development as easy as in any other industry, so that applications can transform the industry for better patient care. Together they founded MedStack.

In order to make app development in healthcare as easy as in any other industry, we couldn’t just solve some of the legislated requirements; we had to solve all of them. So we tackled all three categories of safeguards required by the HIPAA Security Rule: physical safeguards, technical safeguards, and administrative safeguards.

  1. Physical Safeguards – These are mostly met by the major public cloud providers (e.g. Amazon Web Services (AWS) and Microsoft Azure). They ensure that the proper protocols are in place for security guards, security cameras, data centre disaster recovery and prevention, etc. AWS and Azure contractually agree to meet these requirements for all MedStack-provisioned infrastructure through a Business Associate Agreement (BAA). Note that a cloud provider’s BAA covers only its own data centres; the physical security of a client’s offices, laptops, and other devices that handle PHI remains the client’s responsibility.
  2. Technical Safeguards – Using our DevOps compiler and automation engine, MedStack takes the infrastructure from AWS and Azure and wraps it in our security and compliance layer, which meets HIPAA’s technical requirements. This includes technology we’ve built for encryption of data both at rest and in transit, audit logging, backups, our active monitoring dashboard, network security, access control, port control, identity management, and much more. We then sign a BAA with each client in which we commit to meeting the technical requirements and pass through the commitments AWS and Azure have made to us around physical safeguards.
  3. Administrative Safeguards – These are the policies and procedures that need to be implemented in the operations of a Business Associate’s (BA) organization: employee training, password protection on physical devices, breach notification procedures, and organizational access controls, for example. Working with our privacy partners, we perform a complete gap analysis, ensure that these policies and procedures are in place, and provide HIPAA training to the BA’s employees and to the designated privacy officer within the organization.

Even putting all of these safeguards in place was not enough. As a BA, your organization needs privacy policy documentation in order to prove that all of the safeguards are being met in case of an audit. But even more likely than an audit, presenting this privacy policy documentation is the first step when the BA is being evaluated by a hospital, payer, provider, government body, or healthcare enterprise. In fact, 95% of startups that approach these entities lose their chance at the first meeting because they don’t have this documentation on hand. MedStack provides complete privacy policy documents that cover the physical and technical safeguards right out of the gate. During the gap analysis, the remaining administrative privacy policies are built from templates through coaching with a privacy expert.

We began by building the MedStack platform to meet the requirements of HIPAA in the US, because these are some of the most stringent healthcare regulations globally. With a few tweaks we are able to meet and exceed Canada’s federal privacy legislation (PIPEDA) and the various provincial health data privacy regulations (e.g. PHIPA, PIPA, PHIA), as well as the GDPR in the European Union.

By adopting the MedStack platform, our clients are reducing the extra time and cost it takes to build a healthcare app from 6 months and $100k down to a couple of weeks and a simple monthly cloud hosting fee. Our DevOps compiler ensures that as our clients grow and their infrastructure changes, all of the technical safeguards remain intact and their compliance status stays up to date. With the new Self-Service and Compliance Manager tools that we’ll be launching later this year, this will be simplified further, bringing the technical side of HIPAA compliance close to instantaneous.

The best part is that it’s working! Our customers are building amazing digital health products, getting to market quickly, and positively impacting the lives of patients and clinicians across North America and around the world. We thrive on watching our customers continue to grow and drive innovation in healthcare, and couldn’t be more proud to be part of their success.

If you’d like to learn more or just want to share your thoughts, please send me an email at jacob@medstack.co. I’d love to hear from you!