Guaranteeing Privacy Standards Adherence with Active Compliance
The challenges faced by the healthcare industry due to the events of the past few months have brought the promise of digital health technologies to the forefront and proven their ability to assist in delivering better, faster and smarter care.

And yet, the adoption of digital health solutions within healthcare enterprises is still an uphill battle, due in large part to the very stringent data security and privacy compliance requirements governing sensitive patient data.

At MedStack, we’re tackling this problem head-on by building audit support into the core of our offering to make evidence generation simple.

We call our approach to this Active Compliance.

Our Active Compliance system is an entirely automated process of disclosing, maintaining and proving compliance for our customers and their downstream stakeholders, such as health systems, payers, government agencies, investors, channel partners and certification auditors.

How do audits normally work?

According to industry sources, a staggering 95% of digital health startups find themselves unprepared for onboarding and ongoing cloud data security audits with enterprise customers, hindering sales readiness and their ability to successfully scale.

Put another way, only 5% of early-stage digital health vendors meet today’s healthcare data security and privacy requirements.

For an organization with limited dedicated resources, building compliance into its offering can seem like a daunting task. The SOC 2 certification process, for example, can easily cost upwards of $100K a year with effort required in:

  • Cloud architecture design and documentation
  • Security protocols development
  • Security monitoring
  • Software and operational security maintenance
  • Privacy policy construction with escalation procedures
  • Privacy and security assessments
  • Documentation and implementation of legal liability frameworks
  • Employee privacy training

Auditing procedures revolve around the submission of large amounts of evidence in a very manual fashion.

Typically, this process involves taking a large number of screenshots to prove that the systems in question are appropriately configured.

Aside from being incredibly labour intensive, screenshots are, quite literally, a snapshot of a moment in time, so providing ongoing assurance to third-party auditors that protections remain in place can be difficult.

This is time, money and resources that most startups don’t have.

The winners in the race to commercialization are the companies that find a way to focus on developing their technology’s core unique value proposition in interface experience, integrations, data analytics, etc: the drivers of better patient value.

How does Active Compliance work?

MedStack makes it easy for healthcare app innovators to tie technical and administrative practices directly to auditable policies during healthcare enterprise onboarding evaluations.

When hospitals and insurance companies are looking to buy, they require vendors to complete long questionnaires.

Our Active Compliance system is a proprietary software system that automatically and uniquely does the heavy lifting, delivering better assurances for digital health companies and their stakeholders.

All of our policies are code-generated and machine-readable, and the majority are real-time auditable. This means we can generate evidence at the click of a button and save our customers months of work.

We write and maintain all of our policies in a private Git repository.

The advantages of this approach are:

  • It’s easy to follow. All of our policies are clearly mapped in relation to one another, with clickable references and links to ISO 27001, HIPAA, GDPR, PIPEDA and SOC 2.
  • We can easily generate readable versions for ourselves, our customers and our customers’ auditors.
  • We have mechanisms in place to ensure that our policies are always up-to-date.

Using intelligent text matching, we’ve also developed the ability to run custom queries and easily answer audit questions on our customers’ behalf.
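To make the policies-as-code idea concrete, here is an added illustration (not MedStack’s code or format) of a small machine-readable policy corpus: each policy cites framework controls and other policies by id, a validator catches dangling cross-references so the set stays consistent, a renderer produces the human-readable version, the mapping can be inverted per framework, and a keyword matcher answers a questionnaire item. Every policy id, control id and field name below is constructed for the example.

```python
import re

# Constructed sample corpus (not MedStack's real format): each policy is
# machine-readable, cites framework controls, and cross-references other policies.
POLICIES = {
    "POL-ACCESS": {"title": "Access Control",
        "text": "Production access requires MFA and is reviewed quarterly.",
        "controls": {"HIPAA": ["164.312(a)(1)"], "SOC2": ["CC6.1"], "ISO27001": ["A.9.2"]},
        "refs": ["POL-LOGGING"]},
    "POL-LOGGING": {"title": "Audit Logging",
        "text": "Audit logs are retained for six years and protected from modification.",
        "controls": {"HIPAA": ["164.312(b)"], "SOC2": ["CC7.2"]},
        "refs": []},
    "POL-ENCRYPT": {"title": "Encryption",
        "text": "PHI is encrypted at rest and in transit using managed keys.",
        "controls": {"HIPAA": ["164.312(a)(2)(iv)"], "SOC2": ["CC6.7"]},
        "refs": ["POL-KEYS"]},  # dangling on purpose: POL-KEYS does not exist
}
FRAMEWORKS = {"HIPAA", "SOC2", "ISO27001", "GDPR", "PIPEDA"}

def validate(policies):
    """Keep the corpus consistent: flag dangling policy refs and unknown frameworks."""
    problems = []
    for pid, p in policies.items():
        problems += [f"{pid}: dangling reference {r}" for r in p["refs"] if r not in policies]
        problems += [f"{pid}: unknown framework {f}" for f in p["controls"] if f not in FRAMEWORKS]
    return problems

def render(policies, pid):
    """Generate the human-readable Markdown version of one policy with its mappings."""
    p = policies[pid]
    lines = [f"# {pid}: {p['title']}", "", p["text"], "", "Mapped controls:"]
    lines += [f"- {fw}: {', '.join(ids)}" for fw, ids in sorted(p["controls"].items())]
    return "\n".join(lines)

def controls_for(policies, framework):
    """Invert the mapping: which policies evidence each control of a framework."""
    out = {}
    for pid, p in policies.items():
        for cid in p["controls"].get(framework, []):
            out.setdefault(cid, []).append(pid)
    return out

STOP = {"how", "are", "is", "the", "a", "an", "and", "of", "for", "your", "do", "you"}
def query(policies, question):
    """Answer a questionnaire item by keyword overlap, ranked by number of matching
    terms (a simple stand-in for the text matching described above)."""
    terms = set(re.findall(r"[a-z0-9]+", question.lower())) - STOP
    scored = []
    for pid, p in policies.items():
        words = set(re.findall(r"[a-z0-9]+", f"{p['title']} {p['text']}".lower()))
        if terms & words:
            scored.append((len(terms & words), pid))
    return [pid for _, pid in sorted(scored, reverse=True)]
```

Running `validate(POLICIES)` before generating an evidence set is the check that keeps a stale or broken cross-reference from reaching an auditor.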
It sounds simple, right? In reality, we’ve been developing and refining our Active Compliance system for several years, and will continue to do so as our customers’ needs mature.

Soon, our customers will even be able to generate an entire evidence set using MedStack Control’s self-serve capabilities, all at the click of a button.

Curious to see our Active Compliance system in action? Click here to schedule a demo.

Image by Mohamed Hassan from Pixabay