CASE STUDY
Healthie achieves HITRUST r2 certification seamlessly with Vanta
HITRUST r2, SOC 2, HIPAA, GDPR, USDP, Access Reviews, Trust Center, Vendor Risk Management, Risk Advanced Customization
Healthie provides business-critical healthcare infrastructure for leading healthcare delivery organizations, so HITRUST r2 certification is an important way for Healthie to demonstrate their commitment to industry-leading protections for customer information.
Vanta’s Trust Center provides a centralized and organized way for Healthie to show their strong security and compliance posture. This can be easily shared with customers, who need this for health system and payer partnerships.
The Healthie team estimates that they saved 15% of an employee’s time by working with Vanta, equating to over 300 hours per year.
“We have a huge responsibility when it comes to security and compliance because we serve as back-end infrastructure for thousands of healthcare providers. Everyone at Healthie takes that responsibility extremely seriously.”
The company
All-in-one practice management platform and EHR
In 2016, Healthie’s two founders met in a business entrepreneurship class at The Wharton School of the University of Pennsylvania and began working on a collaborative, ongoing care experience for dieticians, nutritionists, and their patients. That platform, now called Healthie, has grown into an all-in-one electronic health record (EHR) solution that provides everything health and wellness providers need to manage their practices.
Today, Healthie is home to 115 employees who serve more than 30,000 clinicians, covering more than 11 million patient lives since inception. Because it is so crucial for healthcare practitioners to properly manage sensitive protected health information (PHI), the Healthie team is relentlessly focused on data security, privacy, and achieving compliance with key frameworks.
The challenge
Prioritizing compliance to fuel each stage of growth
It’s no secret that security and compliance are important for healthcare technology companies. After all, it’s essential to protect patient PHI from risks and vulnerabilities. It’s also required: HIPAA compliance is table stakes, and without it you couldn’t run a healthcare technology company.
From day one, Healthie has focused on building a strong security program and protecting customer data. Using Vanta, they’ve been able to demonstrate their commitment to industry-leading standards, including HIPAA, SOC 2, and GDPR. As Healthie and their customers continued to grow rapidly, they decided in 2024 to pursue HITRUST certification.
Their security and compliance team set out to run the HITRUST r2 certification process and welcomed John Norman to the team as VP of Security & Compliance. John previously led HITRUST certification initiatives at three other companies without a GRC solution.
“Taking yourself seriously in the healthcare industry is being compliant and doing as much as humanly possible to not just demonstrate that compliance, but live it in all of the day-to-day decisions that you make,” says John.
The solution
Streamlining HITRUST r2 and scalability with Vanta
John decided that Healthie’s best bet for becoming HITRUST certified quickly was to use Vanta and their integration with HITRUST. With Vanta’s automatic evidence collection and cross-mapping capabilities, the team was able to reuse existing controls from the other frameworks they had already implemented. Additionally, Vanta’s integration with MyCSF meant that Healthie would not need to manually migrate evidence from Vanta into HITRUST’s audit platform. Jenna agreed: her experience using Vanta for other compliance audits made her realize that their entire GRC program could be tracked in one place.
“Vanta allows us to house everything in one place. We use it to keep track internally, but also to share our security and compliance approach with customers,” says Jenna.
Healthie already had a strong security and compliance foundation—the team was now looking for a way to make the audit process organized and straightforward. Vanta’s platform provided an organized system that allowed for a comprehensive and accurate audit process. The industry-first partnership with HITRUST helped Healthie gain HITRUST r2 certification in a seamless and organized fashion.
John also saw the value of Vanta’s automation, which would improve efficiency for the security team. As he began to plan the future of Healthie’s Security team, he decided to add Questionnaire Automation, which he estimates helps a full-time employee save 15% of their time by not having to manually answer security questionnaires.
The impact
HITRUST r2 certification backed by strict adherence to PHI security and compliance
By working with Vanta, Healthie was able to attain HITRUST r2 certification and demonstrate strict adherence to a prescriptive approach to PHI security and compliance. This certification gives Healthie evidence of their commitment, which fosters customer trust now and into the future.
“Compliance by spreadsheets is risky and constantly needs to be supplemented with manual processes and meetings,” said John. “With Vanta surfacing what gaps we have in our security program, it’s been a huge advantage.”
The Healthie team estimates that they save over 300 hours per year on achieving and maintaining compliance with these frameworks by automating security workflows like answering questionnaires, conducting access reviews, and completing vendor security reviews.
This partnership streamlined Healthie’s ability to become HITRUST r2 certified and improved workflows for the team, which opens the doors to better security, more customers, and improved efficiency as Healthie continues to grow.