HIPAA
Rick (00:00.104)
Countdown. Is it countdowning? what's up this week, Tyler?
Tyler (00:02.225)
yeah, it's going.
Not much. What's going on with you?
Rick (00:07.492)
not much. I I have a update that I forgot I was gonna tell you about. I think I already told you, but I launched my new website.
Tyler (00:09.315)
Yeah.
Tyler (00:14.455)
Okay.
Yeah, yeah, I looked at it. It looks great.
Rick (00:18.76)
I did a pretty good job. I mean Claude did a pretty good job.
Tyler (00:20.846)
Rick Lindquist dot com for anyone out there.
Rick (00:23.728)
Rick Lindquist dot com and it's got even got our podcast on there. So if you click on the top menu item podcast, it's got a picture of you and me.
Tyler (00:29.175)
podcast, yeah.
Ooh, you got that from Riverside, huh? Do you have access to our Riverside account?
Rick (00:34.45)
Yep, sure did.
Rick (00:38.876)
Every time I log in?
Tyler (00:41.01)
right, you're just a guest, but okay. I I guess I've never seen the guest experience. interesting, okay.
Rick (00:43.186)
Yeah, so but it it gives me assets every every episode after after we it they're pretty smart. Like that's a small little like brand word of mouth thing that they're doing right there. I don't know. That I I that's that to me is like a sneaky, impressive growth hack.
Tyler (00:51.202)
Yeah.
Tyler (00:58.476)
Yeah, agreed. so yeah, the the site looks great. I'm curious, like you you said Claude did it. How much were you telling it, no, not that, I want it this way, that way, ver like how vibe coded was this?
Rick (01:10.14)
Well, I I would caveat this. Like, if you're trying to build your own website from scratch, I think this is a different endeavor. I already had a website on Squarespace that was publicly available. So I pointed Claude at that and said, Hey, I want to update this to be more modern and have more flexibility and lots of like context. and it was pretty like I would say off base the first couple of iterations, but I really liked the UI. So my approach was get
I focused very much on the user experience and navigation and like site map or like kind of site tree. And then once I got good with that, I I had to spend a good amount of time going through each section of the site saying the messaging doesn't make sense, the layout on this page doesn't make sense. let's redo it. And then the hardest part to get Claude to stop improving was like rewriting and adding stuff to my existing articles and notes. I'm like, this is original content, please stop.
Please stop trying to change it. It's like, I want you to take it verbatim. And then it was like, it took it verbatim, but then it left out all the the links. it's like, no, I the links are important. Please put the links back. And then it would be like then we I had all these tags, you know, on the old blog post. And so it would change the tags. I'm like, no, let's talk about that before you before you make these you these decisions. And so I think there was kind of this calibration process of of me understanding the latitude it was taking and then
ra you know, reining it in. and then but but for the most part, the latitude that it did take gave me ideas that I wouldn't have had otherwise. So I think there's a trade off there. so I don't know. It would it was pretty it was pretty solid, honestly.
Tyler (02:43.981)
Yeah. And
Yeah. I do think that's stuff that like when we talk about AI coding is a skill, it's kind of an amorphous, like what does that mean? But I do think some examples of this, and I'm saying this based more on theory than practice. I've done maybe more than you, but not like enough that I feel like I'm really good at it. But like it might forget stuff because you're you're not doing context management and the context is getting compressed eventually. Maybe you need to update the
Claude.md or agents.md file to give it these instructions. Like there are things you can do to set up those guardrails. Not to say you should given the scope of the project, but like those are solvable, I think.
Rick (03:25.255)
Totally. And I my I've I'm trying to decide when and how to invest in skills and and context files. And my my general approach right now is do the thing without over engineering the the the back end context, provide the context in the prompt. And then as things start to work, like turn that into a skill versus trying to over engineer the skill up front. Unless I I just haven't had a huge project where that type of investment is is worthwhile worthwhile.
Tyler (03:54.616)
Yeah, I mean I I I think a lot of people just don't even use skills anymore. I I don't know. such a hard thing here is it's moving so fast that investing sorry, when you're talking about skill, you're talking about like a markdown file referred to as a skill, right? As opposed to you Rick building a human skill. But like all I don't know. The other day on Bluesky I was posting some complaints about an AI thing and someone replied with
A very thoughtful, interesting, like here's what I do. And it's like I have all these different models and I have it A B test stuff and then I review what the quality is, and then if the cheaper model's good enough, then I use that. Like this really sophisticated workflow. And it's like that is cool, that is interesting. And I think for 95% of us or 99% of us, like those problems will just eventually get solved automatically, and it's not worth getting good at any of that. Like there's no reason Claude Code can't do all of that for us.
Rick (04:47.517)
Totally.
Agreed. Agreed. what's the leverage in doing it in the short term? I don't know. I'm trying to avoid as much of it as possible. And if I do it, I want Claude to do it for me versus me s cons like trying to write context documentation manually. the I guess like the other thing that was a couple of observations from this project. this is a free site now hosted on Vercel. Now the Claude subscription is not free, so like whatever like
Tyler (04:58.231)
Yeah.
Tyler (05:05.494)
Yeah, absolutely.
Rick (05:19.301)
a Claude subscription is is what it took to build this thing. And I probably will keep that Claude subscription whether I build this website or not. So like I guess I I I'm gonna say that I saved a full Squarespace subscription so far, which was I think forty dollars a month or something like that. That's not chump change, man. Like that's that adds up. what's that like six hundred dollars a year?
Tyler (05:43.381)
No, four eighty, right? But yeah, that's
Rick (05:48.862)
I'm not that bad at math. No, it's $800 a year. No, you're right. Four four eighty. You're right. Four eighty. Yeah. Sorry, I don't know what I was doing in my head.
Tyler (05:51.021)
Forty times twelve?
Tyler (05:55.102)
but that's still, yeah, that's for for a hobby project that's meaningful, I will say for a even a very, very small business that's meaningless. Like I I don't think the Yeah, for a personal hobby it's great. I don't think like thinking of it from a business standpoint, the cost savings of the hosting is probably not like the main benefit, but you got to build the exact website you wanted. You probably have better newsletter behavior than you wanted. Like I think control over the experience and empowering a I
Rick (06:05.671)
But for a personal hobby.
Tyler (06:24.929)
I know you're like you have a technical background, but you don't work techno in a technical role right now. So I'm gonna call you non technical. Like for a non technical person to be able to execute this and have complete control, that's the real unlock to me.
Rick (06:38.437)
Yeah, so this is an interesting part. So I have I my website just became a collection of everything I wanted to post about. Like it was consulting. It was, you know, we didn't I didn't have a page about the podcast. So I I was glad to add that. when I was trying to teach myself to code during the pandemic, I did a project where I created a dad joke generator. Do you remember this? Did I ever tell you about this? I built like a front end j I built a front end JavaScript like based
Tyler (06:57.099)
No, I don't. I maybe it's vaguely ringing a bell, but
Rick (07:04.753)
website page where you click a button and it genera calls an API and it generates a dad joke generator.
Tyler (07:09.163)
Okay, so th some other API has a list of all these dad jokes and you're just like pulling one r like from the API? Okay.
Rick (07:14.417)
Yeah, I just created a little interface for me to like anytime I wanted to tell a dad joke, I could go to my website and like generate a dad joke, you know. so this is where Claude Code just like frickin' shined. When I so I was it I was in Winfall, I was over at Winfall in San Francisco and was riding to the airport with one of our one of my par coworkers and he was like, All right, I was talking about the site migration, he's our VP of engineering and and he was like, really? You're doing Claude Code? I'm like, Yeah, I'm doing Claude Code, but it's like all front end, just wanna be very clear.
And he said, he's like, dude, like please tell me you're not leaving behind your dad joke generator. And I had totally forgotten about it because it's not linked anywhere on the site. I was like, You are right. I need to, I need to figure out how to transfer that. That was the easiest page to transition. Not only did it transition fully, the Claude like made it so much better from a user interface standpoint. it added like like enter and space clicking to generate a new dad joke. You could it added a copy functionality button.
Tyler (07:53.185)
Mm-hmm.
Rick (08:12.42)
I was very impressed with like how much better my dad joke generator got.
Tyler (08:17.005)
That's what really matters here.
Rick (08:17.989)
Yes. So if you wanna see my dad joke generator, go to the footer on my website. It's in the playground. and then you can click on the dad joke generator and it will tell you all sorts of really painful painful jokes.
Can February March? No, but April, May.
Tyler (08:33.335)
Yeah, looks good. What did one plate sorry. okay, sorry. I just got what did one plate say to the other plate? Dinner is on me. All right, very nice. Yeah, I we can move on, but like I it is incredibly useful, it is mind blowing, and I love the fact that it still sucks if you don't do stuff.
Rick (08:45.661)
Yeah.
Rick (08:55.987)
So can I ask you a question? Like, okay, so I did you told the reason I did this was I wanted to do this for a long time, but I was thinking I was gonna have to do Webflow. The the thing that you challenged me on a few weeks ago, maybe it was a month ago, I don't remember, but it was like you were basically saying, Hey, you need to install the desktop app on Claude and actually try to use cowork and code. Like do something. Like you're it will blow your mind. And so I did that, and that's what like this is a result. When I was building out the project plan with Claude at the beginning.
Tyler (09:18.701)
Mm-hmm.
Rick (09:26.315)
the two things it wants to do next, and I just want to stress test whether I should do this for the experience. I pay ConvertKit like six fifty dollars a month for 3,000 subscribers, which is a ripoff to my to me. because I don't really use any of their core functionality other than email. and I'm so it's like, hey, let's replace ConvertKit with your custom newsletter like sending service. and then I publish, I write all my content and all my like ideas are in Notion in like a personal Notion space.
And right now all of the pages on the website are marked are basically Markdown files that get converted HT to HTML. and so he was it was it was it's saying like let's connect Notion to this site and have Notion actually push these pages to the site. Are do you have any thoughts on those two projects as good projects for me to work on for like expi experiencing the code the Claude Code factor?
Tyler (10:21.165)
Yeah, I guess it depends on what your goals are.
Like you've seen it. You know what it can do. What why do you even want more skills than you've got right now? Why do you want to keep going deeper?
Rick (10:42.707)
It's a good question. I haven't thought about that. I mean I'm curious. and I just wanna like like the there's like a yeah.
Tyler (10:44.621)
Yeah, okay. If you're just having fun and you want a project, then great. but if you're like this is I'm not where I need to be yet, or something like that. Like one day I'm gonna take this and apply it to Leg Up Health, but I'm I'm not there yet, or something like that. I might say, Yeah.
Rick (11:00.133)
Okay, so let's talk about that. I would I would like to be in a position where I c you trusted me to make improvements to the Leg Up Health code base at some point in the future. Is that gonna happen this year? Probably not. But like it seems like there's a a pathway for me to be able to do that.
Tyler (11:16.511)
Yeah, now I might push back on that only to say not that that couldn't happen, that certainly could, but like I have a hard time imagining that's ever what you what what the b if the business is like we can get an extra ten hours of Rick's time, let's have him code when I'm already here not doing anything because we don't even have any ideas.
Rick (11:22.589)
Set a good use of time.
Rick (11:29.809)
Yeah. I know. Yeah, ex okay. Touche.
Tyler (11:38.449)
but again, I think curiosity is a perfectly fine reason to do this. It's just different from like I have a skill that I need to build for some like practical purpose.
Rick (11:48.94)
well I do think that like this is a required skill a year from now, probably. I think I probably have enough right now and even just like my day to day use of Claude at my day job and also for Leg Up, like I'm deepening that every day.
Tyler (11:58.829)
Yeah.
Tyler (12:06.389)
Yeah, I think like doing more ambitious stuff with Claude Cowork and not like not building software or something might be a higher leverage thing here. Having said that, if you were gonna do one of those two things, I would do the email one, not the Notion one. My reason being it's gonna be harder. to get the email stuff set up, you're gonna have to like set up an AWS account, which I don't think you have right now. It's like
Claude can't really do that all for you, at least not with you setting up a bunch of Rails, which would be a different type of challenge. You're gonna have to go in and find SES and turn it on, and then you're gonna have to set up all these DNS records for your domain. There's stuff that's not just purely like give it a prompt and it magically does it. I think that would give you more of a sense of the whole stack and what's like Vercel is doing a lot of the work here that you don't have to think about. so that would be my advice. It's harder. I don't think it's worth it. I don't think like it's worth saving 50 bucks a month, but
You'd learn more it
Rick (13:04.669)
So here's here's kind of like where I feel like I never completed my journey. you can go back if you're listening, you can go back to some some era of the podcast where I was learning how to code, trying to teach myself how to code. And I got kept getting stuck on auth and like security, like getting ri like I could write back end code and I can write front end code, but like getting it to talk to each other and make make utility out of that, like that's where i where I was getting stuck. So like I
I feel like there's this like last frontier that I still need to figure out. And I feel like Claude Code is a shortcut for me understanding that. Cause what I'm doing when I'm coding all this is like, Claude, stop. Explain to me what you're doing. What are you pushing to get? Like, what are you Yeah, what are you doing? And so like there's this like depth of understanding that I have now, even on front end that I didn't have before.
Tyler (13:43.851)
Yeah, yeah. yeah, it's great for that.
Tyler (13:54.328)
But so let's go back to that the learning you tried to do pre AI. My memory is you didn't even have a back end. You had you were using Airtable as your back end. And so you
Rick (14:03.035)
No, I was doing real coding projects. Like yeah, I probably didn't tell you this. Like I was I was like doing I had a whole dev setup and I w I had I was trying to build like fake apps based on coding courses. and it was I was doing yeah.
Tyler (14:07.339)
Okay.
Tyler (14:15.015)
okay. Yeah, I I guess either I don't remember that or okay. Okay. Okay.
Rick (14:25.241)
No, that was Leg Up Health. That was specifically Leg Up Health. this was like side project teaching myself to code. I still haven't like crossed that like full like I like I understand how it actually works. I conceptually I'm like, yeah, I get it. Like, you know, there's a front end, there's a back end, they need to talk to each other. There's security considerations so that people don't like get access to your back end. and there's hosting and then there's, you know, DNS and
Tyler (14:51.863)
So here's one of the really dangerous things about AI, I think, is you you can like do the 80 20 version of learning something so quickly and so effectively. No doubt you would be better at learning that stuff with AI than without. Like it would help. But this like superpower feeling you have right now that makes you feel like, maybe I'm a week away from knowing all of that stuff, I don't think you are. Like there's so much I I think about this for myself, especially in terms of like a less annoying hiring new employees.
Cause our traditional way of hiring is we hire people who don't know who basically don't know how to code and we teach them everything. And even with pre AI, people who have been here for years, it's really, really hard to get them to understand the full stack. Like something will come up with user sessions. And I'm just like, Yeah, like that it's a cookie, and then the cookie maps to a row in this database, and then that database pulls out a JSON blob, that gets decoded, and then that's in the session variable in PHP. Like, of course, we all know that, right? And everyone else is like, no.
We just had this session variable that we could use and it just worked. there's like a thousand different little things like that. I don't I I just feel like it it again, if you're curious, if you're interested, great, but there's a lot there that might be invisible to you.
Rick (16:07.451)
Yeah, but isn't that true? Like, isn't a computer isn't there a lot there that isn't visible to us and we use a computer? Like so I I think
I think I I my goal is to be able to wield the tool if I want to. I think that's my that's my outcome. I don't feel like I have that yet. And maybe maybe maybe that's what I'm curious about is like, can I wield the tool if I want to? And maybe that is a completely useless thing to answer right now because I could go figure that out when I actually need to wield the tool. But Yeah, exact exactly.
Tyler (16:20.139)
Yeah.
Tyler (16:33.015)
Yeah.
And cause the tool might be much better when that time comes. Here's I I've actually seen people discuss this though, and the answer that I found compelling was it's like, isn't this just another level of abstraction? Right. So so I'm gonna restate what you just said. Back in the day, people had to write machine code, ones and zeros. And then they came out with assembly. And you it's basically machine code, but with words. And then they come out with low level like C, or there's probably other things in between those, but and then they come out with object oriented programming, and then they come out with stuff.
That does memory management for you and on and on and on. And we're just like layers of abstraction on top of each other. And people like me, well technically I did take a class in assembly, I don't know it. Yeah. But do we remember it? No, not really.
Rick (17:12.785)
I took a class at assembly. I mean a lot of w zeros and ones.
Tyler (17:18.443)
Yeah, like go to. but my point being like, so there th this is a common argument that like do AI is making it so we don't understand certain things. Isn't that okay? We've always done this. We've always put a new layer of abstraction in. But the difference is AI is non-deterministic. It's not perfect. It doesn't like I can just trust that Java's memory management will work. And so I can use Java instead of C. There's still reasons to use C sometimes, but
Rick (17:35.419)
Mm.
Tyler (17:47.81)
Java is a safe choice. With this AI stuff, you can vibe code stuff and it might work. But like exactly what you were saying 10 minutes ago, then you ask it to make a change and something else breaks. it's not the same type of abstraction. And therefore, right now, there's an argument that you still need to know all the same stuff you always need to needed to know.
Rick (18:08.455)
This you could take this a whole like you could take this up to like a phil philosophical thing where it's like, how predictable are humans? Like I I think we're pretty predictable. right, like and and therefore AI is predictable. and therefore if you if you do the right things with the AI, you will have a predictable result. I know that's not like like there's a big difference between gravity, physical like gravity, and you know
Rick (18:37.883)
a a human emotion, but like I anyway, that I Okay. Okay.
Tyler (18:38.315)
Yeah. Okay, but let's let's take that example though. No, I let let's have this conversation. I know I know this is like bogus woo-woo, but so okay, the the more concrete response to what you just said is the difference like imagine the difference between being a non-technical person managing programmers and being a technical person managing programmers. Maybe that's the way to think about what this AI thing is. It's not another layer of abstraction like automatic memory management is. It's like
If I'm managing a team of developers versus if you're managing a team of developers, I'm doing a lot more architectural planning and choosing the direction that things are going in. Whereas when you were at Zane Benefits, you called me in to fly out to Park City once to talk to your dev team because they were giving you advice that you knew was bad, but you couldn't argue with them. And then you called me in to argue with them. You remember that?
Rick (19:26.291)
Mm.
Yep. I should've called you in before we did the whole refactor and rewrite. Yeah.
Tyler (19:33.398)
Yeah, rewrite the whole thing. I believe an Angular is what they wanted to rewrite it in, which is funny because that's more or less a dead framework now. anyway, like yes, you can you can be a non-technical manager managing an engineering team, but it's different and it's harder and it's i it doesn't give you the same like level of control as if you know this stuff, right? But I think that's what the abstraction layer is providing is like I'm a better manager, not
I never have to think about this stuff, it happens automatically.
Rick (20:04.551)
You you understand how it works, therefore you can manage manage it better. Okay. Thanks for going down that rabbit hole with me. We could talk I would love to get some beer sometime and talk more about this. Yes. Yes.
Tyler (20:14.711)
Can I do one more micro rant before we move on? There are so many takes online of like AI isn't this. It isn't, it doesn't actually think. It doesn't actually reason. It doesn't actually have opinions. and they're all, all of these arguments are based on the assumption that the person writing this take knows how the human brain works and that it works differently. And we don't. My wife is a psychology slash neuroscience professor at a
Very good school. Her and her colleagues I've talked to are all like, we know, even though we've dedicated our lives to studying the brain, we know nothing about how human reasoning works.
Rick (20:51.493)
It's like what wha wha what what percentage of the brain do we understand?
Tyler (20:54.849)
Yeah, like if you can put it that way, I bet I bet Shelly would say single digit percent. I mean, that's a simplification. So it's it it it it reminds it seems very similar to like a more kind of spiritual spiritual argument about a soul. Like humans have souls and computers don't. And it's like, I agree computers don't have souls, but you're gonna have to convince me that humans do first.
Rick (20:59.731)
Yeah, that's probably what it said too. Yeah.
Rick (21:15.027)
Yeah, this gets into like I mean probably not a podcast conversation, but like I wanna have some beers and talk about this with you 'cause I think we would go down some rabbit holes. 'cause cause fundamentally it's it's a worldview and like how do you what what's the purpose of all this? Are we in a simulation? so I No, I I I I I love it and I would
Tyler (21:22.315)
Yeah.
Tyler (21:30.859)
Yeah, yeah. Right. Yeah. Okay. I I'll we can pull out, but I that that bugs me every time I see that, it bugs me.
Rick (21:44.081)
When are we gonna get together in person?
Tyler (21:47.379)
I am not in a good position to travel it. You can, I got the impression you're pretty busy right now.
Rick (21:47.485)
Can I come see you?
Rick (21:52.529)
Yeah, but like I mean, I sh still like live life.
Tyler (21:56.746)
Yeah, great. I'd I'd love to host you for a weekend or what whatever makes sense for you. I'll t I'll take a few days off. No, no, that sounds great. I just I'm in a tough like I've got a handful of little travel things that I kind of committed to long ago and they're all kind of hitting at once. so I'm I'm out of commission for a while. All right.
Rick (22:00.327)
I would love to do that. I know I put you on the spot on the podcast. Sorry I shouldn't have done that. but
Rick (22:13.521)
Yeah. Yeah, just I'll I'll I'll follow up with you offline. I'm I'm sorry, I'm sorry, I should have I should have I publicly pressured Tyler to hang out with me. I feel guilty. All right, Tyler, over to you. I just like dominated half this episode on my coding journey. If you can call it that.
Tyler (22:22.997)
No, no, that's the whole pure peer pressure is a powerful force.
Yeah. That's great. yeah. So last episode I talked about how we're going after health insurance agents. slight stumbling block there. The main a big part of the kind of approach we were gonna take is to go to, you know, a couple big conferences per year. Not necessarily big conferences, but like big to us. Spend a lot of money, try and get a lot of, you know, brand recognition.
The main one we targeted as like the perfect conference for us. They're just not replying to any of my emails about trying to be a sponsor. they have like a website that's like it's twelve thousand five hundred dollars. Click this button to to become a sponsor. I filled out that form, I emailed a separate email address, they're just not replying. So that's a bit of a bummer. They don't have I looked for a phone number. They don't or I I can look harder. I I could try calling them.
Rick (23:15.515)
You need someone who's willing to get on the phone to get this stuff done. That's
Tyler (23:25.567)
Anyway, it it might happen, but i i we might have to find another one. Minor stumbling block. The bigger thing with that is since the beginning of the company, I mean customers always ask us for HIPAA compliance. And and we always say no. We're like, of course not. increasingly, as we were talking about the health insurance push, it's like
Rick (23:39.877)
No
Rick (23:48.582)
yeah.
Tyler (23:49.665)
How can we in good conscience go after health insurance agents and not be HIPAA compliant? Like that that's a weird mismatch.
Rick (23:55.751)
Yeah, they need to be able to sign a BAA with you.
Tyler (23:58.23)
Yeah. so that doesn't mean we have to do it. Options are don't do it, but still go after health insurance agents. We have a thousand fifteen hundred health insurance agents using us right now, without a BAA. option B is don't do it and don't go after health insurance agents, like consider this a deal breaker for the strategy. Or option C is do it, go all in, do the hard thing. still deciding between those.
Rick (24:28.007)
Yeah, one one's sort of like what's your values question, like how do you operate question. And then one is like more of an order ordering, like do it if you if you do it if and when you need to. I feel like first you have to decide like where you sit on like whether this is a ne a necessity to feel good about yourself.
Tyler (24:40.108)
Yeah.
Tyler (24:46.933)
Yeah, and we we do have some sense of that. It's not like we're brand new in the health insurance space. Like we've we've been working with insurance agents this whole time. They are our biggest industry. It's still only 10 to 15% of our total customer base, but we know for sure a lot of them do not give a shit about HIPAA and will use us anyway. And we also know a lot of them do care about HIPAA and don't use us. We get we get asked all the time and we say no, they leave.
Rick (25:14.203)
I think the re I mean, ca have you scoped like how much effort this actually is? I feel like this is actually not that much effort. Yeah.
Tyler (25:19.883)
Yeah, so I've been doing that, thinking the same thing. So yeah. Let me run through. So do you know the company Delve?
Rick (25:29.267)
I feel like I do. That sounds very familiar. It's a g it's a great it's a great company name.
Tyler (25:30.466)
You've probably heard them in the news, and it's normally not good. It's a good name. they so them and then Vanta is the the other not as controversial big player. Both of these companies are like, we will help you get HIPAA compliance very, very easily. we actually were going to use the the difference between Delve and Vanta is Delve like way cheaper. We're going to use Delve six, twelve months ago because they're they're like, just put a
You know, give us a week of time and you'll have HIPAA compliance at the end of that week. And we're like, okay, sure, we'll try it. Anyway, they have very credible accusations of basically committing fraud and not actually getting HIPAA compliance for anyone. Are you looking at the headlines right now?
Rick (26:12.337)
Geez.
Y no, no, I was just saying that sucks. Like it's it's I this is where pr I just wanna say like this is where professional services can get really out of whack. Like if you have a software enabled service and you're making promises that are dependent on humans to do certain things, you can really mispromise stuff. Ugh.
Tyler (26:18.465)
Okay.
I think as far yeah, sorry, good.
Tyler (26:34.187)
And the the ripple effects of this are pretty serious. So Vanta still exists and they have not been accused of this type of fraud, but I'm still like having d like gone deeper into this, I'm looking at what it takes and I'm like, there's no way their marketing promises are real. Like and and also another th as part of this, I've been looking at like, what if we accidentally I will not deliberately get anything wrong, but what if we get something wrong? What are the consequences of it? my impression is basically all these companies saying they're HIPAA compliant are just not doing anything.
They're just wildly out of compliance. The enforcement mechanism is broken. and so it's I I am not going to do this out of a sense of personal like respect for myself. But I think the rational thing to do is to say you're HIPAA compliant, do absolutely nothing. If you have a data breach that you get caught on, the government comes and tells you to fix it and fines you like fifty thousand dollars and you just pay it.
That's probably what most of these companies are doing. And I think that's kind of what Vanta is selling, is they're like, we will give you a checkbox saying you tried to become HIPAA compliant and you don't actually have to do anything.
Then there's so, but looking at all this, I was like, well, okay, what did we do at Zane Benefits when we wanted HIPAA compliance? We hired some very expensive, was it an accounting firm or a consulting firm, something like that? and they came in and audited us, and it was, I believe, a mid six figure price range, if I'm not mistaken. Were you involved in that?
Rick (28:04.315)
Yeah, I I don't remember. I think it was before I think this was b more when I was more of like a sales rep. Yeah.
Tyler (28:10.689)
Yeah, you were just on sales. Okay. I was involved in the sense that like the consultants came and talked to me and were like, show me the database. What is like I had to I wasn't leading it by any means, but I was kind of doing some of the work. Yeah. So anyway, I'm I'm I'm now asking the question well, okay, Delve is completely fraudulent. Vanta, I I'm not gonna call them a fraud, but I think they're not actually giving you HIPAA compliance for real. The other options, it's really expensive consulting firm. Can AI just do this for us? Can it
Rick (28:20.411)
You were answering a lot of the questions, yeah.
Tyler (28:38.259)
Ask all the questions that the consulting firm would ask?
Rick (28:40.859)
Yeah, a hundred percent. And I would say what is HIPAA compliance is I think a made-up term. So there is an obligation on the insurance agent in this case to protect their clients' data. And fundamentally, they need to be able to sign an agreement with you to protect the data that they put in, any PHI that they put into the system. Like
I'd I and and you are basically saying you want to be able to represent to them that you're doing what they whatever they need to be com safe, and compliant on their end. I I don't think this is that complicated. I think like it's scary and stuff, but like I think I think you could probably do this with a lot of a lot it's I think I I just don't think this is that big of a deal.
Tyler (29:33.25)
Yeah. So I've started doing it to test, not not to like I've decided we're going to do it, but one of the amazing we've talked about this before with coding. One of the amazing things with AI is instead of spending months planning something out, just go build it the wrong way and then go say, like, well, what did we get wrong? Let's go do it the right way. So I just started working on it. I agree from what I've learned, assuming it's you always have this question of is AI lying to me. And I'm trying to like cross-reference, I'm I'm always like,
Rick (29:35.079)
Yeah.
Tyler (30:00.641)
Give me an actual checklist on a real website that I can compare your advice to. I'm doing stuff like that. I think a a lot of what you said is correct that it's like HIPAA is very vague. It doesn't specify specific stuff. I think we already have good security. But there are a few specific things that HIPAA that there's no wiggle room about. So, for example, one of them is if we're sending PHI to a third-party vendor like AWS is where our data is stored, we have to have a BAA with them, right? A lot of these companies either will not sign a BAA or
Rick (30:25.009)
You need a BAA with them. Yeah.
Tyler (30:30.881)
They Yeah. Or or you have to be on the enterprise plan. So like I reach out to Slack, like what would it cost to get a BAA? And they're like, basically $10,000 a year beyond what you're currently paying. I emailed Front, what would it cost? And I think that was $15,000 a year. Well, th they don't necessarily, but so like Front
Rick (30:31.06)
so you have sub processors that don't support HIPAA. That is a problem.
Mm.
Rick (30:46.247)
Why why does Slack need to process PHI?
Okay. But then you have to build b you have to build governance. Okay. So you're so let me summarize. There's like one on one end spectrum you could just go get BAA with everyone and basically create a world in which you don't have to worry about this really. On the other end, you get BAA with some, but you have to create guardrails and actually operational infrastructure and friction and guardrails to protect yourself. Yeah.
Tyler (30:55.551)
Yeah, we have to have policies and
Tyler (31:15.745)
Yeah, so let me give you concrete example with Slack. We we don't really share any customer data in Slack with one exception, which is if a customer has a bug and a developer is working on fixing it, sometimes a bug can't be reproduced or it can't be fixed with generic data. They need access to the customer's data. For obvious reasons, we do not give all the developers access to the production database. So they will write a query, DM one of the admins, like me, Robert O'Bracken, in Slack.
And then we will run the query and send the results back to them in Slack. This almost never has actual customer data or what would be PHI. It's almost always like, give me a list of IDs that I can look up or something like that. But in theory, one of these queries could be like, I need the body of this one email that didn't log correctly. And if that email happened to have PHI in it, then boom, that that's a HIPAA violation. now, again, I think what every other company's doing is they're just like, whatever.
Fuck it, that's not gonna be a problem. but what you're supposed to do is say, Okay, we have like we have to have a whole new way for these queries to get run where the data's getting back to the developer not through Slack anymore.
Rick (32:27.439)
Yeah, there and that's the so so I I'm just gonna say this out loud. I'm not I'm not saying this is what you should do or what I think you will do, nor what is it something that that I would do. But a lot of these companies, the reason that Vanta and whatever was it Durable? No, not Delve. the reason that they take the approach they do is generally like most of this is like do you have policies and procedures that exist and like
Tyler (32:44.695)
Delve, delf.
Tyler (32:54.411)
Yeah. If someone breaks the policy then whatever.
Rick (32:57.285)
Yeah, what's your pro what's your process for handling the the the breaking of the process? So and then if the breaking of the process never gets reported, like you know, does it you know, did a di if a bear shits in the woods, you know, and you weren't there, did it happen? You know? like that's that's how this works.
Tyler (33:10.647)
Right.
Agreed it is how it works. I I can't do that. I'm not gonna do that. Yeah.
Rick (33:17.359)
No, I I I d I would not be able to do that either. I'm just saying like that's why Vanta and Delve exist and what they were doing is basically creating the yeah, CYA. Yeah, for a hundred percent.
Tyler (33:22.796)
Yeah.
It's like a cover your ass checklist. So for us, th the what I just said, not that hard. We can just build a little web a like vibe code a little web app that's like instead of pasting the result in Slack, we're gonna paste it in this homemade system and then send a link to the developer and they can get the data from there. Okay. Easy fix, one day of work probably for a developer. The problem is there's like twenty of these, some gnarlier than others. So it's where I'm landing is it's very it's definitely doable.
I actually feel really good confidence that we would do it well. I'm not worried at all that like the fact that we would be using AI would make us less compliant. Like I'm looking at the templates online and I'm like, we're gonna blow this out of the water, but there's no real v business value to blowing it out of the water. Like customers just want a yes no answer. Are you HIPAA compliant? Give me a BAA and move on. So anyway, I'm st I'm leaning towards doing it, but i
It's a it's a pretty big lift and a pretty big distraction from what our stated strategy was at the beginning of the year, which I'm nervous about.
Rick (34:33.063)
This is the type of thing that aligns the entire company around a beachhead. And it's like everyone is going to contribute to us taking this beachhead. And if we fail, we will go find another beachhead. Like, let's not leave anything to chance or what ifs. We have to take this beachhead. Let's go. to me, like this is the right CEO call. I feel so much conviction that like you have to like.
Tyler (34:45.879)
Yeah.
Tyler (34:52.384)
Okay.
Rick (34:57.639)
You have to take the beach head, man. Like, and if th if you're saying that some percentage of insurance agents say no to you because of this and you don't f feel good about it, do it.
Tyler (35:06.155)
Yeah. So let's I I think I agree, but let lem let's s given that there's a podcast and there's listeners, let's talk about this a little more. All right, let's go do it. no, I was listening
Rick (35:13.255)
There's nothing to talk about, Tyler.
No, seriously, like like it's a like you have to like I feel like your strategy here. This is me talking to you about it, by the way. Your strategy here is like we have to take the beach. Like we you said, like we are gonna go focus on some some key verticals. And like if you if you don't give your full and best effort to the beach head, you don't you you will lie awake 10 years from now knowing, wondering like, did we did we fail because we didn't do the HIPAA thing?
Tyler (35:44.814)
So let me give the argument against this, which is our big strategy is our organic channel is already growing nicely. We believe it's you know, we know who our ICP is, we've got good product market fit, and we have high confidence in features we can build to make us even better for that ICP, and HIPAA's not one of them. yeah. Mm-hmm.
Rick (36:03.325)
Can I ask a question about HIPAA quick? Sorry, I I I'm derailing this, but like, have you noticed that anytime you go to a software subscription, there's like starter, medium package, and then pro, and then there's like, you want HIPAA compliance? It's unlimited. It's like, you have to have a sales rep call. Okay. But like, do you can I ask you just a question before you get there? Is there actually like any change to how you're gonna serve that customer? Or is it just like you trying to recoup some of the over
Tyler (36:14.816)
Yeah.
Tyler (36:20.139)
All right, I'm I'm gonna get there. I'm gonna get there.
Tyler (36:31.477)
Almost none. I think it's p so I I had a long conversation with Claude about this. Like let's interrogate this question. Cause so okay, I'll just jump ahead. Sorry, sorry. I'm gonna real quickly summarize the steps before I get there.
Rick (36:32.723)
Okay, that's what I
Rick (36:39.793)
Okay. Yeah, go go sorry, I know I know, I just wanted to get it out before I lost it. And it sounds like you're gonna go there anyway.
Tyler (36:44.661)
Yeah. So what I was gonna say is like we have this other strategy. The going after insurance agents was meant purely as a marketing thing, not a company wide that wasn't our main strategy. Insurance agents is just like, well, what do the marketers how do they s who do they specifically market to? And we picked that. And then that kinda we kinda like tailwagged the dog into doing HIPAA here. But separate from that, I was listening to Mostly Technical, the podcast. They had Jesse Hanley on, yeah.
Rick (37:07.771)
I for for the record, I believe marketing should wag the dog. by the way, like it okay.
Tyler (37:12.653)
Sure, sure. Yeah, I I think we're gonna do this, but but that's the argument against it. Is like this isn't actually our top priority. Insurance agents are only 10 to 15% of our total customer base. I was listening to Mostly Technical, the one where they had Jesse Hanley on, the founder of Bento. And Aaron, the like the host who's interviewing him, is saying, You are a single person email service provider. This is a really hard business to run. What like you're crazy? Why'd you do that? And I'm kind of gonna embellish what he said, but he was basically like,
You're a fucking idiot if you think you get to run an easy business and have it succeed. You've got to do the hard thing. Yeah, it's great. Yeah. And I know that. I've known we've said that on the podcast before, but the way he said it just like sometimes you need to hear the the thing at the right moment. This was like the first day of me considering HIPAA, I listened to that episode and I was just like, well, Jesse just directly called me out. So I mean he didn't know he was doing it, but that's what I heard.
Rick (37:46.245)
I love that answer. I love that answer. It every business is hard.
Rick (37:59.912)
Yeah, yeah.
Tyler (38:12.129)
But then I, you I talked about this with Bracken. Should we do this? And his he's not against it necessarily, but he's always like the voice of reason here. He's like, just because you have to do hard things doesn't mean you have to do every hard thing. Like, you're gonna grind yourself to dust just doing things because they're hard. Is there actual opportunity here? Right. So then we look we look at the market, and this is getting to the point you were just making about the pricing. Who else is offering HIPAA and at what price? And
The answer is at least as there may be like little tiny nobody CRMs, but like of the major the ones I actually have heard of before, the cheapest HIPAA compliant CRM you can get is Zoho for $40 a month, and you have to talk to sales to get it. That's more than twice our price. After that, it's like over a hundred bucks a month. and in many cases, like HubSpot, it's thousands. to your point, like everybody puts it in the most expensive tier for Salesforce, it's the $350 per user per month tier.
Rick (39:09.373)
So f effectively what you're saying is like I'm I'm just gonna just totally simplify this. You're you have the option to basically say, You want HIPAA compliance, it's an add on, and you that is basically what you're paying for us to sign a BAA with you and take on the risk.
Tyler (39:24.439)
We have that option, or we can make it not an add-on. Like that's a the the interesting question to me is why is nobody offering an affordable HIPAA compliance CRM? Is it because it's too much risk, it's too much work? Like, is there an actual reason why it can't be done or is it pure price discrimination?
Rick (39:43.079)
Probably a combination of both.
Tyler (39:45.314)
Probably yeah, there are definitely some real costs here in the sense that again, we've got to pay for if we want BAA, a BAA with Slack, we have to pay them an extra 10K or whatever. There are costs. They're not that high. And once the once everything's going, I really your question earlier was, do we like service these customers in a different way? The answer is almost entirely no. They're very minor product changes, like email notifications can't have
notes and event descriptions in them because those might contain PHI and email is not a secure channel. Very, very minor things. You know, when you get the email from your bank that's like, you have a message waiting for you. Yeah. So for for the customers that have HIPAA enabled, we have to change some of the notifications. But pretty minor, pretty minor.
Rick (40:20.603)
Yeah, you have to log in to view the message.
Rick (40:26.173)
There are gonna be feature they're gonna be feature considerations. that's that's good. Yeah. I okay, I I mean, to me, like the most important thing to solve with this HIPAA thing is being able to offer a HIPAA solution. Whether someone takes you up on it is a completely separate thing. So to me, like, if you're gonna it you should do this and you should charge more for it.
Tyler (40:47.425)
That I I've I've definitely been th having that discussion as well. Should we charge more for it? I could give an argument both ways, but give your argument.
Rick (40:51.41)
Yes.
Rick (40:56.936)
it's so like it it it is it is valuable to the end user first and foremost and it's valuable to a clearly valuable to a subset of your end users. it requires a significant operational investment that you need to figure out how to fund. And then third, it requires consideration and extra attention and risk that you need to take on for each one of these customers you turn it on for.
If you turn it on for everyone, your risk, like it just it doesn't make sense. Like unless you think that the benefits of turning it on for everyone outweigh, like somehow give you like this massive brand boost on your like what you stand for and the word of mouth piece. I don't think it does.
Tyler (41:46.338)
Yeah. Well, that's the question. I agree. When Bracken and I were talking about this, and he was saying you don't have to do every hard thing, we we said, okay, let's pause for a second and figure out what we we have a business. It's working. That means we've done some hard things. But if you look at it like it's not obvious what they are. Like nothing about our product is it's it's maybe well designed or whatever, but it's not we don't have any kind of crazy features that we super engineered or whatever. What our answer to what is the hard thing we do is is it's
Just offering a really, really high quality, even though it's very few features, it's very simple and basic, but it's high quality at a very low price. That's the hard thing. It's a hard thing to do. And like, so that that logic could be like offering a 30 let's say it's a d double the price for HIPAA. I don't know if that's the right price, but for the sake of discussion. Offering a $30 a month HIPAA option is a hard thing. Offering a $15 a month HIPAA thing is a harder thing.
Rick (42:23.857)
Yeah, that's what that's a very hard thing to do. It's very har yeah.
Tyler (42:43.905)
There's a s a voice in my head is saying like stop being a wuss and and fucking do it. Like
Rick (42:49.575)
Give it away.
Tyler (42:51.398)
Yeah, like you said we have to fund it. We fund it with the fifteen dollars we already make. we have to fund every feature we build, right? this this would be well it w
Rick (43:01.031)
This wouldn't be turned on for everyone. It would be turned on in a in a setting somewhere. If you want HIPAA compliance, you gotta turn this on. Yeah. So I to me like that's a perfect upsell path, like to say, like, this is valuable, we're gonna charge more for it, and we're gonna have to explain this to you.
Tyler (43:04.703)
Yeah. You gotta go turn it on.
Tyler (43:13.687)
But we're not differentiated in that world. Then it's like we're basically the same price as Zoho. You know, it's us or Zoho versus Well, a bit. But it it gets quickly in there versus the like, all these other people are trying to rob you blind. There's no reason they need to be charging extra for this. This is crazy. We're we're the one you trust. Like you're we're not selling to big insurance agents. We're selling to independent people that honestly most of them are gonna say, I'll just use Excel. Like I'm not even thirty dollars a month is out of the budget of a lot of these people.
Rick (43:18.993)
No, you have to you can still undercut Zoho. Yeah.
Tyler (43:43.393)
I've gone back and forth on this. I'm I'm taking this side because
Rick (43:44.808)
I th I think there's a I think there's a middle path here. You you want to provide you you want to provide like I think the answer is yes, you want to provide the option for someone to turn on HIPAA compliance. You don't want it on by default for everyone. But then it's like if you you know, if if what what health insurance if you someone's a health insurance agent and you're not turning on HIPAA compliance, like are you doing the right thing? Like to me, like if you're if you're not charging for it, you have no reason to like gate it. Like so turn it on for every you HIPAA compliance on for everyone you suspect needs it.
Tyler (43:57.227)
No, of course.
Tyler (44:13.505)
Well, well, turn it on means they can go sign a BAA. And when they sign the BAA or for customers, BAA is just a contract. They click a button saying I agree. when they do that, it converts their account into HIPAA mode, which means like these emails are a little worse. We have to turn off a few of our features because they just can't be done in a HIPAA compliant way, stuff like that.
Tyler (44:36.791)
So yes, when when we say turn it on for everyone, it's not everyone's account is HIPAA enabled. It's anyone could go do it.
Rick (44:39.717)
It's signing a yeah, so there's some yeah, there's some process in which someone who wants HIPAA compliance needs to turn it on and sign the BAA. And then you do something with based on that. T to me, that is like one, like if if there like what you're gonna run into is like, Hey, I think you should have h this HIPAA thing turned on because you're a health insurance agent.
Tyler (45:07.073)
None of them are gonna none of our current customers are gonna pay more. Right? They've already dis they've already decided they're they're okay with yeah.
Rick (45:09.787)
Yeah.
Yeah. And the and the liability is on them for how to use the software in a way that doesn't violate their their obligations. I don't know. I would I I think there's a middle path here where that preserves your pricing hard hard, you know, sort of strategic to choice and also like r is rational.
Tyler (45:36.631)
Sounds you're not talking about the middle path, you're talking about there's there's a left path and a right path and the right path is charged more.
Rick (45:41.148)
I think there's a luck piece. I I don't think your path is right. I don't think my original path is right. I think there's some version of this which is like maybe it's like a to turn it on, it's $500. Yeah. I I don't know. Like there's some version of like, hey, like this is gonna cost money for us to to do for you. Like, and we're we're like, like, let's not pretend this is like standard for all customers. It's not like this is not something every customer needs. This is something that only a subset of our customers need. It requires work.
It requires like education most likely, because you're gonna call me and ask me what a BAA is. You should know what a BAA is, but I'm gonna educate you on what a BAA is. I'm gonna explain to you these features. Like to me, this is so naturally like going to cost some amount of money to explain. I could see like trying to be a Zoho $40 per month thing being like not not aligned with your strategy. But like the other end of the spectrum of like just including this $15 doesn't make rational sense to me. So I'm like, I'm trying to get to like, maybe it's not a subscription, maybe it's like a
hundred dollars to turn on. I I don't know.
Tyler (46:39.917)
See, that just adds friction in the wrong direction though, right? Like if it's a hundred dollars to turn on, no one uses it, 'cause
Rick (46:46.301)
That's not true. If someone cares about this, and wants to be do like meet their compliance obligation.
Tyler (46:51.159)
But the they have to care about it and choose us. The point that they're like, I have a budget to spend, they're we are dealing with people who are part time agents, they they don't know what HIPAA is, they don't care. they they might know I have to have HIPAA, but they're like they're not choosing between us and HubSpot, you know.
Rick (46:54.502)
Yeah.
Rick (47:11.613)
Man, I this is a hard one. I I see your I see your argument very well. I would I I think I would start trying to charge for this. and and back off of that versus the other way around. That's my bias. I think it's a lot easier to go to free from this if if you're fighting this is creating friction, versus like going from free to charged.
Tyler (47:33.581)
I just hate having like the overhead in communicating. well, it's like going for if we already had pricing tiers, no question. This would go in the upper tier. Absolutely no question. But going from Yeah. And then when someone's.
Rick (47:40.901)
Yeah. Yeah, you're losing your one price for everyone. But you're no you're gonna you but d like correct me if I'm wrong, but like that is part of your plan, right? You're going to have okay. Okay. Okay. Well that maybe changes it for me.
Tyler (47:51.382)
Not anymore. It it has been, I've talked about that before. when we raised prices from ten to fifteen, the hope was that this would cover everything we need. There's certain stuff that's usage based, like if we ever do VoIP or SMS marketing or something, you have to charge usage based for that, but not like another tier.
Rick (47:59.516)
Yeah. Okay, that might change it for me.
Rick (48:10.117)
Okay, that ch that that that changes things for me.
Tyler (48:10.134)
Rick (48:15.323)
I still maintain that like this is such a unique feature for a subset of customers that it it's going to require extra effort for those customers that is like uniquely tied to this feature, which makes it ripe for a simple explanation of why you're charging more for it. Like in a much more transparent, better way. Yeah.
Tyler (48:30.871)
No question.
Tyler (48:38.827)
We we can justify it. I I 100% agree agree we can justify. But when you're doing this hard thing, do a hard thing, it's like how hard, right? Like, should the price be zero or should it be ten thousand dollars a month? And it's like, well, you have to find this balance. And there's no question you can justify charging more for HIPAA. It is harder and therefore more defensible to charge less, whatever less means. Yeah.
Rick (49:03.589)
Listen, like like only you can make this call. this is this like like the to me, this is the essence of the CEO's job is like decisions like this. I would I would be very careful. Like what I would want to do here is like balance, like max like so to the two objectives I would optimize for when making this decision, because ultimately you're the one making this call. Like, like this is a Tyler decision, everyone. This is a CEO decision. Like everyone has to get on board with whatever Tyler chooses here. So it's like, okay, what are my considerations?
Tyler (49:10.166)
Yeah. Yeah.
Rick (49:32.711)
First and foremost, like the most important thing for me to consider with all this is my beachhead experiment compromised in any way by making a certain decision? And it it's like I take all those off the table. So like to me, that is the most important thing. Obviously, like I guess, am I compromising our values and our sh our strategic sort of advantages? Like that's first and foremost, but like the like to me, like the next level down is is this insurance agent
experiment compromised by certain decisions. And if so, they are off the table. And then it
Tyler (50:06.605)
Right. I don't think it compromises that. I think it compromises the values, if anything.
Rick (50:10.287)
Okay. Well then then that's that's a that's a higher level thing that is probably but then I would say like i is your higher level values compromising at conflict with this beachhead experiment, in which case you need to revisit the beachhead experiment and the core values and make them more aligned. so anyway, that's where I would probably f yeah. Yeah. No, I g I gotta go. but does that make sense?
Tyler (50:26.849)
Yeah. I realize we're out of time here, but I mean I can go long, but if I assume you gotta go gotta run. Okay. Thank you for your thoughts here. Yeah, no, I I appreciate being pushed on this. I'll just conclude like, well, yeah. I'll I'll I'll we'll talk about this again in some other episode.
Rick (50:41.085)
When you do your HIPAA stuff, can you please spell it right? H-I-P-A-A, not H I P P A.
Tyler (50:48.203)
Yes, but also we're gonna do SEO for both.
Rick (50:50.683)
Okay Hippah spelled incorrectly? Like you have to like like my god, that's terrible. That's brilliant.
Tyler (50:56.609)
We ha we own less annoying Cr C R dot com as well, 'cause peop sometimes people mistype it.
Rick (50:59.855)
Okay. good. That's smart. That's smart. sorry, sorry I I feel like the we got rabbit holed today, but it was really fun.
Tyler (51:08.716)
Yeah, that was great. cool. I'll talk to you later. See ya.
Rick (51:11.7)
All right, see later.
