HIPAA and The Cloud from a Startup’s Perspective

As someone who wants to build a great healthcare app I am dumbfounded by the effect of HIPAA.  Of course this app will be built on the latest and greatest technology, such as “The Cloud” and mobile.  But as I navigate the waters of the implications of HIPAA I question if targeting healthcare is really worth it.

Over the years we have seen startups create great apps in a variety of categories from social media to games to navigation.  Much of this was possible due to low startup costs.  Cloud services allowed these innovative companies to buy what they need at very reasonable costs.  The days of paying ten thousand dollars for a couple of servers were gone.  A server could be had for $25/mo.

Recent changes in the HIPAA law pose a real challenge to the startup.  Whereas the prior law was somewhat vague as to whether a cloud provider needed to be involved as a business associate (one held responsible for the privacy of the data), the new law strongly implies that cloud providers are business associates.  So, if a startup wants to build a healthcare app on Amazon Web Services, the startup must have Amazon sign a business associate agreement (BAA).

That’s all well and good, but I see inconsistencies.  The HIPAA laws are complicated (and I don’t pretend to understand them).  I’m not sure the cloud providers do either.  As I explored some providers I found a wide range of inconsistencies.  For example, consider encryption of protected health information (PHI) as stored in a database.  Some providers require it and some don’t.

So far I have looked into three cloud providers and here are the difficulties of each from a startup’s perspective:

Amazon Web Services (AWS) – Amazon will only sign a BAA if dedicated instances are used.  A dedicated instance is roughly 30 times more expensive than a non-dedicated instance.  This will, by itself, eliminate AWS from consideration by startups as a $50/month server becomes $1500/month.

Our Prior ISP (Navisite) – Navisite was very reliable for us over the years as we used them for managed services.  However, to build a HIPAA compliant system would minimally add thousands of dollars a month in costs.

Google Cloud – Earlier this month (Feb 2014) Google announced a willingness to sign BAAs.  According to a Google rep, Google Compute Engine and Google storage are HIPAA compliant.  However, what I find strange is the process one must go through to have a BAA signed.  The app must first be installed in the Google Cloud and then Google evaluates the app.  This seems a little backwards to me.  Before an app is architected, Google should be able to determine if it meets its requirements.  And since Google has a history of changing its mind (in terms of apps it supports), I would be hesitant to build anything on Google technology without an understanding in advance.

Microsoft Azure  – I still have to check on Azure.  I will update this post when I learn more.

The good news is that we are early in the process and can take the new HIPAA laws into account.  I can see how retrofitting an older application could be very difficult.

We will also have to divert some of our crucial capital to lawyers and consultants to help us navigate the waters of HIPAA.

For those startups that are seeking HIPAA compliance on a cloud platform I have one piece of advice.  Speak to the provider in advance and determine their specific requirements for signing a BAA.  Then you can make the correct decision as to how to proceed.


February 28, 2014 at 2:36 pm

How to get a new iPhone every year

I don’t understand why there is so much confusion in terms of phones and subsidies.  Basic math reveals how to get a new iPhone every year for minimal cost and without being locked into a contract.

The key is to buy the iPhone and not rely on a subsidy.  Let’s take a look at the cost comparison.

First there is the cost of the phone.  Let’s use the iPhone 5S (16GB) as an example.

  • iPhone 5S from Apple: $650
  • Subsidized iPhone from AT&T: $200

Second, there is the cost of service.  For purposes of comparison, let’s select common features: unlimited talk, unlimited text, and 2.0 to 2.5GB of data per month.

  • No-contract plan (T-Mobile with 2.5GB data): $60/mo or $720/yr or $1440/2yrs
  • 2 year contract (AT&T mobile/share plan with 2.0 GB data): $95/mo or $1140/yr or $2280/2yrs

Let’s examine the total costs over one year with each option:

  • No contract plan: $650 (phone) + $720 (service) = $1370
  • 2 year contract: $200 (phone) + $1140 (service) = $1340

And the total costs over 2 years are:

  • No contract plan: $650 (phone) + $1440 (service) = $2090
  • 2 year contract: $200 (phone) + $2280 (service) = $2480

These numbers reveal that the break-even point for buying a phone is roughly a year.  During the second year one pays the phone company about $400/yr (roughly $35/mo) for the convenience of having the phone subsidized.

There are numerous non-financial advantages with purchasing the phone and going no-contract.

  • One can switch carriers on a whim.  If service is poor in your area you can easily switch.
  • If you leave the country for a while, you can terminate service while you are gone.
  • One can upgrade their phone every year. If you are a gadget hound, you may find this appealing.
  • Some smartphones retain value. This can be a significant financial advantage when selling your old phone.  You can apply your proceeds from your old phone to a new phone.

Note that there are other factors to consider.  Some of the data sharing plans can offer pricing advantages if you have multiple devices.  Shop around to compare these plans.  Also, the numbers will differ based on the number of phones and plans one purchases – with family plans, for example.

The T-Mobile plans typically include tethering, which is a nice feature.  If tethering is important to you then take that into account when comparing plans.

I recently switched from AT&T to T-Mobile after purchasing an iPhone.  I found the process of not having to read over a lengthy contract to be refreshing.
Here are the current (12/11/2013) rates for AT&T prepaid plans.

Here are the current (12/11/2013) rates for Verizon prepaid plans.

Here are the current (12/11/2013) rates for Sprint prepaid plans.

December 11, 2013 at 2:21 pm

Response to Senator Paul Ryan about Accountability

Dear Senator Ryan,

I’ve received an email from you this morning that had the subject “Hold Them Accountable”.  I’ve included the text of the email below.  I find the message to be both amusing and hypocritical.

First, as a disclaimer, I am neither Republican nor Democrat.  I’d like to keep my voting record private, but I will admit I’ve always voted for Republican presidents, except in the last election.

Your email places a focus on holding Democrats accountable.  However, I find Republicans to be lacking in accountability and to be acting irresponsibly.  Face it, Republicans lost the battle on Obamacare nearly three years ago.  Now you want to have the federal government default on paying its bills in an attempt to repeal Obamacare.  In sports, there is a name for this type of behavior: sore loser.

I suggest the following tactic to Republicans for effecting change in the future: Win elections.  If your party can get its act together and actually take control of Congress or the executive branch then pass a repeal of all the laws you want…including Obamacare.  But I don’t see how a minority party can hold the rest of the country hostage.

I was not a proponent of Obamacare.  But I’ve accepted the principles of democracy.  It is a law; accept it and move on.  Yes, I’d like an alternative, but the Republicans appear to be in a downward spiral.  The way the party “leads” is distasteful and it has few appealing leaders.

Letter from Senator Paul Ryan
Subject: Hold Them Accountable

Last week, the Republican-led U.S. House of Representatives passed a government funding bill that delays and defunds ObamaCare. Period.

The fight has now moved to the Senate, where Harry Reid and vulnerable Democrat senators have a choice: Stand with their constituents or stand with President Obama.

Republicans have remained true to our principles throughout this fight. ObamaCare is a gross overreach by the federal government that the American people didn’t want then, don’t want now, and do not want to see continue.

ObamaCare will raise premiums, restrict access, and hurt jobs.

Because the House took action, there is nowhere for vulnerable Democrat senators to hide.

The foundation of our democracy is built upon accountability. And the Republican National Committee has made it their mission to hold accountable each and every Democrat who chooses to embrace the President’s health care train wreck at the expense of their constituents.

Last week, House Republicans stood with the American people.

If Harry Reid and Senate Democrats refuse to do the same, we must help the RNC elect a Republican majority in the Senate that will.

Please contribute $14 today to keep up the fight and elect a Republican Senate in 2014!

Paul Ryan

September 27, 2013 at 10:51 am

Is Bone Density Testing Over-utilized or Underutilized?

There is some controversy about the utilization of bone density testing.  In general, I find too many instances of misleading or factually incorrect reporting.  In this case, it is too bad because it adds an extra burden to patients and primary care physicians who simply want to know whether a test is needed.

DISCLAIMER: I am not a physician, but work in the medical imaging field.

Take this article, in MedPageToday, for instance.  The headline states that bone density testing is over-utilized.  I consider the headline to be misleading and believe the author did a vast disservice to patients and physicians.

First, one could write an article with the title, Bone Density Testing Is Underutilized, and produce facts to back it up.  According to the National Osteoporosis Foundation, “Studies also suggest that approximately one in two women and up to one in four men age 50 and older will break a bone due to osteoporosis“.  In addition, the Bone Mineral Measurement Act of 1998 suggested all women older than 65 are eligible for a bone density scan.  Yet, approximately 1 in 6 actually ever have the test.

Second, the study referenced by the author focuses on bone density testing for patients already on treatment for osteoporosis.  It questions the value of follow-up bone density testing in order to observe changes in such patients.  The headline for the MedPageToday article, however, omits this significant qualification.

It is too bad the author, and the publication, did not take greater care in creating an accurate headline.  As it is, the headline is somewhat alarmist and I find it misleading.

September 24, 2013 at 12:08 pm

CustomCell with GWT to show multiple items in one DataGrid or CellTable cell

While working in GWT, I recently had a need to show multiple items in one cell of a DataGrid.  The documentation was a little sketchy and I didn’t quite follow some of the postings out there on the topic.  However, they were helpful in nudging me along.  I ended up with the following sample.  Hopefully others will find it helpful.

I tried to stick closely to the documentation and my understanding of how cell widgets work.  Specifically, a row in a table (CellTable and DataGrid) is of one constant type, typically an object (DTO), and a column represents one “field” or “attribute” of the DTO.  In this case, with a cell containing multiple items, the implication is that the field is a list of some sort.

This example shows a list of Drivers and the cars they own.  A driver may own multiple cars.  One driver is displayed per row, with the cars shown in one cell.  When run, the application looks like this.


The data structures are as expected.  There is a one-to-many relationship from Driver to Car (each driver owns zero or more cars).  Here they are, summarized.

public class Driver {
  private int id;
  private String firstname;
  private String lastname;
  private String manufacturerPreference;
  private ArrayList<Car> owns = new ArrayList<Car>();
  // getters and setters omitted
}

public class Car {
  private int id;
  private String manufacturer;
  private String model;
  // getters and setters omitted
}

In terms of implementation, the main thing I found confusing is the definition of the Column and Cell.  I’ve defined the Cars column as a list; many examples simply use a String to represent that cell.  Here is what I ended up with.

private class DriverColumn extends TextColumn<Driver> {
  @Override
  public String getValue( Driver driver ) {
    return driver.getFirstname() + " " + driver.getLastname();
  }
}

private class CarsCell extends AbstractCell<ArrayList<Car>> {
  public CarsCell() {
    super( "click" );  // consume click events so onBrowserEvent() is invoked
  }
  // render() and onBrowserEvent() omitted here
}

Once these definitions are established, the rest of the code makes sense – at least it seems more consistent with the documentation.

The full code can be downloaded from here. This is a full working example.
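The following is an added, self-contained version of the same idea (it is not the post’s downloadable code).  It keeps the post’s Driver and Car model; the DTO constructors and getters, the sample rows, and the GWT.log() action on click are assumptions.  The detail worth noticing is in render(): manufacturer and model are data, possibly entered by a user, so they go through SafeHtmlBuilder.appendEscaped(), while only fixed markup and the integer id go through appendHtmlConstant().  Concatenating the strings into appendHtmlConstant() instead would let a car named “<img src=x onerror=...>” execute script in every viewer’s browser.

```java
import java.util.ArrayList;
import java.util.List;

import com.google.gwt.cell.client.AbstractCell;
import com.google.gwt.cell.client.ValueUpdater;
import com.google.gwt.core.client.GWT;
import com.google.gwt.dom.client.Element;
import com.google.gwt.dom.client.NativeEvent;
import com.google.gwt.safehtml.shared.SafeHtmlBuilder;
import com.google.gwt.user.cellview.client.Column;
import com.google.gwt.user.cellview.client.DataGrid;
import com.google.gwt.user.cellview.client.TextColumn;

/** Added example: one list-valued cell per DataGrid row (not the post's own code). */
public class DriverGridExample {

    /** DTO as summarized in the post; constructor and getters are assumed. */
    public static class Car {
        private final int id;
        private final String manufacturer;
        private final String model;
        public Car(int id, String manufacturer, String model) {
            this.id = id; this.manufacturer = manufacturer; this.model = model;
        }
        public int getId() { return id; }
        public String getManufacturer() { return manufacturer; }
        public String getModel() { return model; }
    }

    public static class Driver {
        private final String firstname;
        private final String lastname;
        private final ArrayList<Car> owns = new ArrayList<Car>();
        public Driver(String firstname, String lastname) {
            this.firstname = firstname; this.lastname = lastname;
        }
        public String getFirstname() { return firstname; }
        public String getLastname() { return lastname; }
        public ArrayList<Car> getOwns() { return owns; }
    }

    /** Cell whose value is the whole list of cars for the row. */
    public static class CarsCell extends AbstractCell<ArrayList<Car>> {
        public CarsCell() {
            super("click"); // consume clicks so onBrowserEvent() is invoked
        }

        @Override
        public void render(Context context, ArrayList<Car> cars, SafeHtmlBuilder sb) {
            if (cars == null || cars.isEmpty()) {
                sb.appendHtmlConstant("<i>no cars</i>");
                return;
            }
            sb.appendHtmlConstant("<ul class=\"cars\">");
            for (Car car : cars) {
                // The id is an int, so interpolating it into markup cannot inject anything.
                sb.appendHtmlConstant("<li data-car=\"" + car.getId() + "\">");
                // Manufacturer/model are data: appendEscaped() renders them as text.
                // Passing them to appendHtmlConstant() would be an XSS hole.
                sb.appendEscaped(car.getManufacturer() + " " + car.getModel());
                sb.appendHtmlConstant("</li>");
            }
            sb.appendHtmlConstant("</ul>");
        }

        @Override
        public void onBrowserEvent(Context context, Element parent, ArrayList<Car> cars,
                                   NativeEvent event, ValueUpdater<ArrayList<Car>> updater) {
            super.onBrowserEvent(context, parent, cars, event, updater);
            if (!"click".equals(event.getType())) {
                return;
            }
            // Walk up from the click target to the <li> inside this cell, if any.
            Element target = Element.as(event.getEventTarget());
            while (target != null && target != parent) {
                if ("li".equalsIgnoreCase(target.getTagName())) {
                    GWT.log("clicked car id " + target.getAttribute("data-car"));
                    return;
                }
                target = target.getParentElement();
            }
        }
    }

    /** Column typed on the list, so the cell receives all of a driver's cars at once. */
    public static class CarsColumn extends Column<Driver, ArrayList<Car>> {
        public CarsColumn() { super(new CarsCell()); }
        @Override
        public ArrayList<Car> getValue(Driver driver) { return driver.getOwns(); }
    }

    public static class DriverColumn extends TextColumn<Driver> {
        @Override
        public String getValue(Driver driver) {
            return driver.getFirstname() + " " + driver.getLastname();
        }
    }

    /** Builds the grid from constructed sample rows, two of which carry hostile strings. */
    public static DataGrid<Driver> buildGrid() {
        DataGrid<Driver> grid = new DataGrid<Driver>();
        grid.addColumn(new DriverColumn(), "Driver");
        grid.addColumn(new CarsColumn(), "Cars");

        Driver alice = new Driver("Alice", "Smith");
        alice.getOwns().add(new Car(10, "Honda", "Civic"));
        alice.getOwns().add(new Car(11, "Ford", "F-150"));
        // TextColumn escapes through TextCell and CarsCell escapes through appendEscaped(),
        // so both of these strings render literally instead of as markup.
        Driver mallory = new Driver("Mallory", "<b>Jones</b>");
        mallory.getOwns().add(new Car(12, "Tesla", "Model S <img src=x onerror=alert(1)>"));

        List<Driver> rows = new ArrayList<Driver>();
        rows.add(alice);
        rows.add(mallory);
        grid.setRowData(rows);
        return grid;
    }
}
```

To use it, add the returned DataGrid to a layout panel in the module’s onModuleLoad().  The data-car attribute is only carried on the element so the click handler can tell which car was hit; because it is built from an int it is safe to place in appendHtmlConstant(), which in dev mode also asserts that each fragment is complete HTML.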

December 7, 2012 at 1:49 pm

Web App Design With Google Web Toolkit (GWT)

I’ve been exploring Google Web Toolkit (GWT) for a little more than six months now.  I’m in the process of rewriting an older web application, which was developed based on more of a traditional architecture – with forms and form handlers.  It was written in ColdFusion and Java.  The CF layer is used as more of a scripting language, with most of the work done by several Java class libraries built for the app.

While using GWT I’ve started to experience a change in how I think about the design of web apps specifically built in GWT.  In particular, the management of application state is quite a bit different.  That leads to a different way of executing various actions, which would typically be persistence related (ie. reading and writing to a database).  I would be curious to hear feedback about this, particularly from other GWT developers.

First, let me review how I think of “traditional” web app development.  We all know that HTTP is stateless.  In other words, one page knows nothing about prior or successive pages served by the web server.  Fortunately, there are cookies and sessions to circumvent this limitation.

For purposes of discussion, let’s use a bookstore web app as an example.  Assume the online bookstore allows books to be browsed and purchased.  A shopping cart stores purchased items.  The bookstore also includes informational material – say on authors and publishers, etc.

With the bookstore, information typically needs to be remembered while a user visits.  For example, the collection of books in the shopping cart must be remembered until the user checks out.  Typically, this is done in session variables.  The session variables are actually stored on the web server (and managed by the application server).  Each user has their own set of session variables.

It would be possible to build a web app without session variables.  One way is to simply store all state on the URL.  For simple apps this isn’t too difficult.  For more substantial apps it can lead to some ugliness in design.  For example, consider the bookstore shopping cart.  The following could appear in the URL to represent books in the cart:


Note the part after the question mark.  The “booksincart” argument is a list of book ids.  This would have to appear as part of every URL in the online bookstore.  It proves to be rather ugly to implement.  Fortunately, session variables provide an easier way to store information in a stateful way.

With GWT, I am beginning to see an alternate way to store state.  A GWT app appears, from the programmer’s point of view, like a Java app that runs in the browser.  It is really JavaScript (and that is part of the magic of GWT), but conceptually think of it as a Java app.  Java apps can store all sorts of variables – global variables, class variables, static variables.  I am learning that this is a great way to store application state and it replaces the need to store state in the session.

Compare a “traditional” web app with a GWT web app.  A traditional web app stores state in the session.  The actual session data resides on the server.  With GWT, state is stored in the app, which is on the client (in the browser).  This is a bit of a revelation for me.

The location of app state (on the client) then leads to a change in how I think about performing actions (on the server).  The server side operations (e.g. save cart or place order) are stateless.  The client has to pass all state to the server (via RPC).  This can even include the user, which is typically stored in a session with a traditional web app.  The operations then become very web-service-like in form.  One consequence: since that state now arrives from the client, where anyone can modify it, the server has to authenticate the user and re-validate the data on every call rather than trusting what the app sends.

Another way to think of this is going back to the comparison with a traditionally designed web app.  To get rid of most session variables, one could store all state on the URL (as discussed above) in arguments.  GWT could be thought of as a much more convenient way to store application state.  A well-designed GWT app provides for better conceptual design and state management.
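As an added example (not the post’s own code), here is what the stateless “place order” operation described above can look like on the server side, in plain Java so it runs without GWT.  The service name, the HMAC token format, the catalog contents and the sample cart are all assumptions.  The client keeps the token and the list of book ids in its app state and sends both with the call; the server derives the user from the token’s MAC rather than from a user id the client could edit, and recomputes the price from its own catalog rather than accepting a total from the client.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Added example: a stateless order operation that trusts none of the client-held state. */
public class StatelessOrderService {

    // Hypothetical server-side secret; a real deployment loads random bytes from config.
    private static final byte[] SERVER_KEY =
        "replace-me-with-32-random-bytes".getBytes(StandardCharsets.UTF_8);

    /** Constructed catalog: book id -> price in cents. The client never sends prices. */
    private final Map<Integer, Integer> catalogCents = new HashMap<Integer, Integer>();

    public StatelessOrderService() {
        catalogCents.put(101, 2499);
        catalogCents.put(102, 1850);
        catalogCents.put(103, 4200);
    }

    /** Result of a successful order. */
    public static final class Order {
        public final String userId;
        public final List<Integer> bookIds;
        public final int totalCents;
        Order(String userId, List<Integer> bookIds, int totalCents) {
            this.userId = userId; this.bookIds = bookIds; this.totalCents = totalCents;
        }
    }

    private static String hmacHex(String payload) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(SERVER_KEY, "HmacSHA256"));
            byte[] tag = mac.doFinal(payload.getBytes(StandardCharsets.UTF_8));
            StringBuilder hex = new StringBuilder();
            for (byte b : tag) hex.append(String.format("%02x", b));
            return hex.toString();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Issued once at login. The client keeps it in app state and sends it with every RPC. */
    public static String issueToken(String userId, long expiresAtMillis) {
        if (userId.indexOf('|') >= 0) throw new IllegalArgumentException("bad user id");
        String payload = userId + "|" + expiresAtMillis;
        return payload + "|" + hmacHex(payload);
    }

    /** Returns the user id if the token is authentic and unexpired, otherwise null. */
    public static String verifyToken(String token, long nowMillis) {
        if (token == null) return null;
        String[] parts = token.split("\\|", -1);
        if (parts.length != 3) return null;
        byte[] expected = hmacHex(parts[0] + "|" + parts[1]).getBytes(StandardCharsets.UTF_8);
        byte[] given = parts[2].getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(expected, given)) return null; // constant-time compare
        try {
            if (nowMillis > Long.parseLong(parts[1])) return null;
        } catch (NumberFormatException e) {
            return null;
        }
        return parts[0];
    }

    /** Stateless: everything needed arrives in the call, and everything is re-checked here. */
    public Order placeOrder(String token, List<Integer> bookIds, long nowMillis) {
        String userId = verifyToken(token, nowMillis);
        if (userId == null) throw new SecurityException("invalid or expired token");
        if (bookIds == null || bookIds.isEmpty()) throw new IllegalArgumentException("empty cart");
        int total = 0;
        for (Integer id : bookIds) {
            Integer price = catalogCents.get(id);
            if (price == null) throw new IllegalArgumentException("unknown book " + id);
            total += price;
        }
        return new Order(userId, new ArrayList<Integer>(bookIds), total);
    }

    public static void main(String[] args) {
        StatelessOrderService svc = new StatelessOrderService();
        long now = 1000000L;
        String token = issueToken("alice", now + 3600000L);

        List<Integer> cart = new ArrayList<Integer>();
        cart.add(101);
        cart.add(103);
        Order ok = svc.placeOrder(token, cart, now);
        System.out.println(ok.userId + " owes " + ok.totalCents + " cents");

        // A client that edits the user id in its copy of the token gets rejected.
        String forged = "bob|" + (now + 3600000L) + "|" + token.split("\\|")[2];
        try {
            svc.placeOrder(forged, cart, now);
        } catch (SecurityException e) {
            System.out.println("forged token rejected: " + e.getMessage());
        }
    }
}
```

In a GWT project the placeOrder() body would sit in the RemoteServiceServlet implementation of the RPC interface, with the token and the id list as the method’s parameters; nothing about the design requires an HttpSession.  The same rule applies to any other client-held state that affects money or authorization: pass identifiers, not the values the server is supposed to compute from them.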

March 29, 2012 at 2:49 am

A Case of Coaching Scared: Bill Belichick

Bill Belichick will go down in history as a great football coach, as he should.  We all have our demons within, however.  They hold us back and keep us from becoming even better.  Belichick’s demon is coaching scared on the defensive side of the ball.

The coach disagrees with my assessment. In this clip from the A Football Life series he states, “one thing I’m not is scared”.  The statement is in reference to Belichick being willing to go for it on fourth down.

His fourth down decision making does not in and by itself determine coaching fortitude, however.  There is more to not coaching scared than one’s approach to fourth downs.  It would be like saying I have a healthy diet because I eat broccoli once a week.

The proof is in the pudding.  The Pats defense is soft and has been for many years.  The statistics reflect poor and passive defensive play.  It is soft because Belichick is scared of the downside of an aggressive defense.

Aggressive defenses give up big plays occasionally.  It is the nature of the beast.  A blitz at the wrong time can give up a big pass play.  Man-to-man defense can give up a big play if a defensive back simply slips.  That’s the risk.

Ah, but when one obsesses over the risks, as Belichick does, the rewards go unfulfilled.  An aggressive defense makes significant plays that can drastically affect a game’s outcome.  There are the obvious benefits, like sacks and turnovers.  But the subtle side of an aggressive defense is more important.  Consistently giving a quarterback a half second less to make a decision and bumping a wide receiver at the line leads to incompletions.  An aggressive defense leads to what appears to be an incoherent offense.

Instead, Belichick defenses typically make mediocre quarterbacks look like All-Pros.  Some notable performances against Belichick defenses include such heralded offensive juggernauts such as Seneca Wallace, Chad Henne, Colt McCoy, Ryan Fitzpatrick, Rex Grossman, etc.

Belichick’s fear of giving up the big play is his demon within.  It determines every decision he makes – from strategy to execution.  His patented “bend but don’t break” defense is simply a revamped prevent defense.  He often plays this type of defense for entire games!  The results are gobs of yardage given up, a defense that becomes fatigued from being on the field for long drives, and worst of all, it keeps the ball out of the hands of his best player, Tom Brady.

In short, Belichick’s defensive style becomes one where he plays not to lose.  A soft and passive defense is the product of his obsession with giving up the big play.  It is his demon within.

January 3, 2012 at 3:46 am
