Most lead routing platforms couldn't pass a HIPAA audit if their life depended on it.
We're building one that can.
Thread on what I've learned building HIPAA + SOC 2 compliance from scratch 🧵
HIPAA doesn't require certification. But you need BAA-approved vendors for your database, hosting, storage. Miss one and you're exposed.
SOC 2 requires pen testing and a formal audit. Encrypted data at rest is table stakes. The real move is splitting PII and PHI into separate stores with an encrypted key linking them.
We're multi-tenant. Users build businesses on top of us. So we built compliance floors at the super admin level. Tenants can tighten settings but can never go below the floor. The system won't let them.
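The "floor" rule described above, as an added example that is not the platform's own code: a super-admin floor is declared per setting with the direction that counts as stricter, and a tenant's requested settings are accepted only if every one of them is at least as strict as the floor. Setting names and floor values are constructed for illustration.

```python
"""Compliance floor for a multi-tenant platform (added example, not the product's code)."""
from enum import Enum


class Direction(Enum):
    """Which way a setting gets stricter."""
    HIGHER_IS_STRICTER = "higher"  # e.g. longer retention, True > False
    LOWER_IS_STRICTER = "lower"    # e.g. shorter session timeout


# Super-admin floor: (minimum acceptable value, direction). Values are constructed.
FLOOR = {
    "encrypt_at_rest": (True, Direction.HIGHER_IS_STRICTER),
    "mfa_required": (True, Direction.HIGHER_IS_STRICTER),
    "session_timeout_minutes": (15, Direction.LOWER_IS_STRICTER),
    "audit_log_retention_days": (2190, Direction.HIGHER_IS_STRICTER),
    "password_min_length": (12, Direction.HIGHER_IS_STRICTER),
}


class FloorViolation(ValueError):
    """Raised when a tenant asks for something weaker than the floor."""


def validate_tenant_settings(requested: dict) -> dict:
    """Merge tenant overrides onto the floor.

    Returns the effective settings. Raises FloorViolation listing *every*
    offending key so the tenant can fix them all at once. Unknown keys are
    rejected (fail closed) so a misspelled key cannot silently bypass a control.
    """
    violations = []
    effective = {}
    for key, (floor_value, direction) in FLOOR.items():
        value = requested.get(key, floor_value)  # absent -> floor applies
        if direction is Direction.HIGHER_IS_STRICTER:
            meets_floor = value >= floor_value
        else:
            meets_floor = value <= floor_value
        if not meets_floor:
            violations.append(f"{key}={value!r} is weaker than floor {floor_value!r}")
        effective[key] = value
    unknown = sorted(set(requested) - set(FLOOR))
    if unknown:
        violations.append(f"unknown settings rejected: {unknown}")
    if violations:
        raise FloorViolation("; ".join(violations))
    return effective
```

Tenants may tighten (shorter timeout, longer password) and the result is accepted; any attempt to loosen below the floor is refused with the full list of offending keys.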
This is what it looks like. 20/22 HIPAA requirements met. 10/11 SOC 2. BAA tracker built in. All at the architecture level.
From what I can tell nothing like this exists for legal intake lead routing. Still in closed beta. Infrastructure is built to pass. Audit is next.
If you're handling health data or enterprise leads and not thinking about this stuff, you should be.
P.S. We're fully compliant and going through the audit process. But all our data on the platform for now isn't HIPAA-related, because I'm sure some of you will say "hey, it's not 100%."
