Less than a year after COO and chief information security officer Grant Elliott left Voxiva to found his own company, Washington, DC-based Ostendio, it has launched its first product, MyVirtualComplianceManager (myVCM), in open beta. The product is a software-as-a-service offering currently aimed at helping health IT companies better achieve and prove HIPAA compliance. Elliott said it came directly out of his experience at Voxiva.
"[At Voxiva] I learned a huge amount about [HIPAA] itself, working with lawyers, specialists, and peers throughout the industry to develop that knowledge," Elliott told MobiHealthNews. "What became clear to me during that process as I continued to evolve Voxiva's information security system is we were not only developing a compliance managing program above and beyond most of the organizations in the space (and we got that feedback from many many customers of ours) but it seemed to be there weren't very many tools in the marketplace that could help people like ourselves, and there were lots for larger enterprise companies."
MyVCM is aimed at small to medium businesses that might not have as many resources to devote to HIPAA compliance as larger enterprises. It's priced competitively to appeal to those smaller businesses -- it starts at $20 a month.
The recent HIPAA omnibus rule made it clear that business associates of hospitals -- including the IT vendors Ostendio markets to -- will share liability for mismanaged data and be subject to HIPAA audits. Because of the possibility of audits, companies need to not only manage patient health information in a HIPAA-compliant way, but also need to have a "paper trail" that proves they've done so.
As such, MyVCM helps organizations manage training, update policy documents, and complete risk assessments. It also keeps records documenting that all those steps have been taken. Elliott says the software will help companies in the event of a HIPAA audit, but it also allows them to confidently and quickly assert their HIPAA compliance to a potential partner.
"Most offerings have been designed by IT professionals or people in the compliance management space," Elliott said. "What makes our platform really different is I built [what] I would have wanted when I was a chief information security officer and chief operations officer... You can use our tool for policy management but you can also use it for document management. You can use it for compliance training, but you can also use it for general training. We wanted to make the product as flexible as we can."
Ostendio is targeting health IT companies initially. Early customers include mprove Health, Luminate Health, and Infield Health. But the platform is regulation agnostic, Elliott says, and other potential customers have approached him about using it for NGO regulations and government contractor regulations. The company is self-funded, but Elliott thinks they may need to raise money soon if demand is high. Though the cloud-based software is currently accessible via mobile devices, a dedicated app is in Elliott's plans for the future.
"The reason I was so passionate about doing what we're doing is that, though regulation is necessary, regulation seemed to be getting in the way of small companies innovating," Elliott said. "We're taking one of the obstacles small businesses have, and we're helping them solve one of those problems."