Build vs Buy: 5 Factors to Consider for Achieving HIPAA Compliance


Choosing between managing your digital health application’s data security and privacy compliance requirements in-house or working with an external compliance partner is an important decision. 

When evaluating which path to take, remember that the Health Insurance Portability and Accountability Act (HIPAA) covers three distinct types of safeguards:

  • Physical safeguards: data center security, disaster resilience
  • Technical safeguards: encryption, network security, backups, monitoring, audit logging
  • Administrative safeguards: legal paperwork, policies and procedures, training

In this article, we will take a look at the following five factors to help you determine the best fit for your company:

  1. Time
  2. Cost
  3. Resources
  4. Expertise
  5. Ownership

1. Time

Developing any form of asset or service takes a tremendous amount of time compared to purchasing an outsourced alternative. And in the world of startups, the ability to move fast can make or break success.

Innovators who choose to manage compliance internally often overshoot their schedules because of the many complexities of architecting systems, and then maintaining them, so that Personal Health Information (PHI) remains secure.

MedStack codifies the vast majority of security and privacy requirements so you don’t have to, freeing up your time to focus on building your application’s core functionality and delivering a superior clinical and patient experience.

If your company is ready to start partnering with or selling to insurance companies and hospitals, another important element to consider is the time associated with completing Vendor Security Assessments (VSAs). 

VSAs are a necessary part of working with healthcare enterprise systems. They prove your ability to uphold the stringent data security and privacy requirements that the healthcare industry demands. These assessments can be anywhere from 30 to 300 questions in length and can take several weeks to complete.

MedStack offers the ability to submit VSAs directly via our product dashboard. With hundreds of completed assessments to date for some of the largest healthcare enterprises in North America, our AI-powered proprietary answer library can answer up to 90% of compliance-related questions in under 7 days.

2. Cost

Another important factor in any build vs buy decision is cost. When it comes to compliance, cost depends largely on the scale of your operations and the life stage of your company.

On average, traditional methods of managing compliance can cost upwards of $100K per year. Building your own compliance solution also comes with the additional cost of involving a team of lawyers. For early-stage companies with little cash runway and a host of other priorities, this can lead to some very tough choices. 

MedStack makes privacy compliance affordable, with tiered pricing based on the needs of your company’s stage of growth. MedStack combines privacy compliance, security, tooling and infrastructure into a single turnkey platform, at a fraction of the cost of building your own solution.

3. Resources

Approximately 10-15% of a digital health organization’s resources are spent on security and privacy compliance. This includes things like:

  • Configuring a secure cloud 
  • Managing vendor security assessments
  • Building and maintaining a secure deployment pipeline
  • Pursuing audits and certifications like SOC 2
  • Managing compliance across multiple regions

Often, these activities pose a significant distraction and can cause internal strain if resources are limited. 

Most early-stage companies choose to outsource their compliance needs so their teams can focus on what they do best. Developers rarely get excited about gathering screenshots for compliance evidence, and would rather spend their time building product and features.

Working with a third party can alleviate this stress and ensure your company can manage compliance expectations seamlessly. MedStack’s out-of-the-box solution does the heavy lifting for you, with inheritable policies that are always kept up to date, so your application runs and manages data in the cloud with the highest standards of privacy and security in mind.

4. Expertise

Effectively managing healthcare data security and privacy compliance requires a fair amount of expertise. Healthcare regulations around the world are constantly changing and new cyber threats are emerging daily. 

It is possible to build a highly specialized department familiar with your company’s particular interests and requirements. Such expertise, however, requires significant ongoing investment. 

Working with an outside expert gives companies the ability to tap into relevant expertise as necessary without having to dedicate internal resources. 

As companies begin to scale and their compliance needs become more complex, hiring an in-house expert may eventually make sense. Even then, working in tandem with a compliance partner can be beneficial, giving that in-house expert the support they need to be successful.

5. Ownership

One of the biggest advantages of managing compliance in-house is full ownership over the decision-making process, including the freedom to implement systems and processes as you choose. But as the saying goes, with great power comes great responsibility.

Full internal ownership means your company must be willing to assume all of the liability and risk associated with managing compliance. Both healthcare enterprise systems and potential investors will pay close attention to the way risk is managed within your organization when evaluating your solution.

MedStack works with several of North America’s leading digital health companies to help balance their risk profiles, following a concept we refer to as the “chain of responsibility”.

We take compliance guarantees to a much higher level, all the way up to the Docker environment, and also expand those guarantees to critical elements like administrative access, logs, and security updates. 

“Having MedStack as a partner has been absolutely instrumental to our success,” says Luke Vigeant, President at Inkblot, Canada’s fastest growing mental health platform. “With MedStack’s understanding of the hurdles facing today’s healthcare industry and their unique, comprehensive approach to compliance, they’ve played a key role in helping us get quality mental health care to more people when they need it. MedStack is a must-have partner for anyone looking to build a secure and scalable digital health technology solution.”

Still unsure whether to build or buy? Book a free discovery call today to discuss what path is right for you.