Servicing at the Edge of HIPAA Compliant Healthcare

Engagement Details
  • Recurring
  • 1 Product Manager
  • 1 Developer
  • 1 Site Reliability Engineer

LoyaltyGrades is a feedback tool that lets patients review healthcare providers shortly after the time of service. Even though LoyaltyGrades is not itself a healthcare provider, it must adhere to HIPAA regulations because it receives protected health information (PHI) from its customers. That obligation is formalized through a Business Associate Agreement (BAA) signed with every customer. They came to us to maintain their application so that they could focus on solving new problems for the healthcare industry. While we were stabilizing the platform with our best practices, we audited the app for HIPAA compliance and found an outsized risk of leaking protected health and personally identifiable information (PHI and PII) in the event of a security breach.

The Initial Challenge

LoyaltyGrades was about to lose their CTO. They needed to transfer operational expertise, and they looked to Vaporware because we had the experience to continue hosting the app while adhering to HIPAA compliance. As we audited the app, we found several areas where costs would have to rise to properly protect PHI and Personally Identifiable Information (PII). With a robust SaaS application, mobile device management, and email deliverability integrations already in place, simply increasing costs was not a wise business decision. We therefore looked for other ways to modernize the patient experience while still protecting patients.

Vaporware's Process

First and foremost, we started with our SaaS hosting best practices through our Protect service and transferred all hosting to our preferred operations partners, which also improved email deliverability. Through our existing relationships, we can often save clients up to 90% on expenses such as Heroku Shield hosting, email deliverability, text messaging, hardware device purchasing, and the supporting services around them. LoyaltyGrades posed a unique challenge: HIPAA compliance requires a signed BAA with every vendor that can access unencrypted PHI or PII, whether at rest or in transit, so each service in the stack had to be a vendor willing to sign one.

Vaporware’s Protect Best Practices

  • Heroku Platform as a Service
  • Sendgrid Transactional Email
  • Skylight Application Performance Monitoring
  • Bugsnag Exception Monitoring
  • Papertrail Logging
  • Meraki Mobile Device Management
  • Bandwidth Transactional SMS
  • Postgres Relational Database
  • DelayedJob Asynchronous Queue System
  • CircleCI Build Pipeline
  • Vaporware 12-factor Staging/Production App Standards

Using our user experience knowledge and market understanding, we refactored the UI to deliver the same customer experience without capturing PHI from patients. With additional, clear messaging to direct the user, in both English and Spanish, we eliminated self-entered PHI entirely while still giving customers the data they needed to respond to all feedback and concerns.

Finally, we helped normalize the captured data and provided an optimized integration between customer systems and the LoyaltyGrades platform, keying records off randomized identifiers in place of personally identifiable information and providing the proper next steps for positive, neutral, and negative reviews.
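One way to implement the pattern described above, as an added illustration and not LoyaltyGrades' or Vaporware's own code: the customer's system issues an opaque random token per visit and keeps the token-to-patient mapping on its side, so only the token, the provider being reviewed and a visit date cross the boundary to the feedback vendor; feedback comes back keyed on that token, and the customer resolves it locally and routes it by score. The class and field names, the PHI field list, the score thresholds and the sample visit are all assumptions made for this example.

```ruby
require "securerandom"

# Field names that must never leave the customer's environment
# (assumed list for this example, not a definitive HIPAA enumeration).
PHI_FIELDS = %w[patient_name mrn dob email phone diagnosis].freeze

# Customer-side vault: maps an unguessable review token to the real visit.
# The vendor only ever sees the token, so feedback stored there is not
# directly identifiable. Class and method names are hypothetical.
class ReviewTokenVault
  def initialize
    @by_token = {}
  end

  # 16 random bytes (128 bits) -> 22-char URL-safe token that cannot be
  # enumerated or correlated back to an MRN or name.
  def issue(visit)
    token = SecureRandom.urlsafe_base64(16)
    @by_token[token] = visit
    token
  end

  # Raises KeyError for unknown tokens rather than returning nil, so an
  # unexpected or forged token surfaces loudly instead of silently.
  def resolve(token)
    @by_token.fetch(token)
  end
end

# The only data sent to the feedback vendor for a visit.
def outbound_payload(visit, token)
  {
    "review_token" => token,
    "provider_id"  => visit["provider_id"],
    "visit_date"   => visit["visit_date"],
    "locale"       => visit["locale"]
  }
end

# Guard run on every outbound payload before it is transmitted.
def phi_leaked?(payload)
  (payload.keys & PHI_FIELDS).any?
end

# Route feedback by score (thresholds assumed: 0-10 scale).
def next_step(score)
  case score
  when 9..10 then "thank_and_request_public_review"
  when 7..8  then "acknowledge"
  else            "escalate_to_patient_relations"
  end
end

# Customer-side handling of feedback returned by the vendor: resolve the
# token locally, then attach the follow-up action for the care team.
def process_feedback(vault, token, score)
  visit = vault.resolve(token)
  {
    "mrn"         => visit["mrn"],
    "provider_id" => visit["provider_id"],
    "score"       => score,
    "next_step"   => next_step(score)
  }
end

# Constructed sample visit record, as it lives in the customer's system.
SAMPLE_VISIT = {
  "patient_name" => "Jane Example",
  "mrn"          => "MRN-0001",
  "dob"          => "1980-01-01",
  "provider_id"  => "dr-17",
  "visit_date"   => "2024-05-01",
  "locale"       => "es"
}.freeze

if __FILE__ == $PROGRAM_NAME
  vault   = ReviewTokenVault.new
  token   = vault.issue(SAMPLE_VISIT)
  payload = outbound_payload(SAMPLE_VISIT, token)
  abort("refusing to send PHI") if phi_leaked?(payload)
  puts payload.inspect
  puts process_feedback(vault, token, 4).inspect
end
```

The important property is that the raw visit record fails the `phi_leaked?` check while the outbound payload passes it, and that only the customer can turn a token back into a patient.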

Wireframe representation of delivered product

The Results

Equipped with a lower-cost and more reliable system, LoyaltyGrades was successfully sold, at an undisclosed return, to a private investor who continues to operate the business at scale to this day.