HIPAA
Your HIPAA report, 3–5 weeks from now.
HIPAA isn't a certification — it's a legal obligation if you touch protected health information. We implement the Security Rule administrative, physical, and technical safeguards, set up your BAAs with downstream vendors, and document everything your HHS auditor (or enterprise customer security review) will ask for.
What you get
Everything in your HIPAA program
Built specifically for health tech, telehealth, and digital therapeutics.
HIPAA Security Rule implementation across all 18 standards (administrative, physical, technical safeguards)
Privacy Rule policies and Notice of Privacy Practices template
BAA template ready to send to customers; BAAs in place with all your downstream subprocessors (AWS, GCP, Azure, etc.)
PHI inventory and data-flow mapping — auditors love this and most companies skip it
Encryption-at-rest and encryption-in-transit verified across every system that touches PHI
Workforce HIPAA awareness training + acceptance tracking
Breach Notification runbook with 60-day customer + HHS notification timers
Annual HIPAA risk assessment (required by 45 CFR §164.308(a)(1)(ii)(A))
Pricing
Fixed price. No annual contract.
Setup gets you to the report. The retainer keeps you compliant. Cancel any time.
Setup: one-time, fixed fee
- Full HIPAA program build
- Auditor introductions and prep
- 3–5 weeks to BAA-ready
Retainer: cancel any time
- Continuous control monitoring
- Quarterly access reviews + risk refresh
- Drift remediation by our team
- Annual re-audit support included
Audit fees paid directly to your auditor (not marked up). We negotiate fixed-fee quotes from our auditor network.
Stack frameworks, save money
Reuse your HIPAA work across other frameworks
Most controls overlap. Your second framework costs a fraction of the first.
HITRUST CSF: 40%
HIPAA evidence accelerates HITRUST certification. Talk to us for the upgrade.
HIPAA questions, answered
Is HIPAA a certification?
No. HHS does not issue HIPAA certifications. What we deliver is a complete, documented HIPAA compliance program plus an annual third-party assessment letter you can show enterprise customers and use to defend yourself if HHS ever audits you.
Will you sign a BAA with us?
Yes. We sign a BAA with you for any service we operate that could touch PHI (managed hosting, support tooling, etc.). It is included with the retainer at no additional cost.
Do AWS, GCP, and Azure support HIPAA?
All three offer HIPAA-eligible services and will sign a BAA with you. We help you scope your environment to only HIPAA-eligible services, set up the BAA, and configure encryption + access controls so the cloud provider holds up its end.
How long does it take?
3–5 weeks for a typical SaaS that needs to start signing BAAs with healthcare customers. Faster if you already have SOC 2 in place — most controls overlap.
What about state health-data laws?
HIPAA is the federal floor. State health-data laws sit on top. We flag where state laws require more (e.g., shorter breach notification windows in CA, broader definitions of "covered entity" in TX) and add the controls. Talk to us if you're operating in multiple regulated states.
Ready to ship your HIPAA?
Tell us your timeline. We'll scope the work, give you a fixed price, and start this week.