HIPAA Compliance

Where we are on HIPAA today.

Transparency on every item — what's live, what's in progress, and what we're scheduled to deliver. Updated quarterly.

Updated 2026-05-09. BAA: Q3 2026. NDA on request.

Compliance status by item

The 14 controls on our HIPAA Compliance Checklist, with current status. We don’t mark anything “live” until it actually is.

HIPAA Security Risk Assessment (SRA)
Status: In Progress

Formal SRA underway with our compliance counsel. Findings will inform our final policy set and Practice-tier launch checklist.

Written policies and procedures (20 docs)
Status: In Progress

Drafting the full HIPAA policy set: access control, sanctions, workstation use, device/media, contingency, and more. Targeting completion ahead of BAA launch.

BAA template reviewed by HIPAA attorney
Status: Scheduled Q3 2026

Template drafted and queued for outside-counsel review. BAAs will be available to Practice-tier customers at launch.

Subprocessor BAAs signed
Status: In Progress

Hosting provider BAA in active negotiation. Email and backup subprocessor BAAs follow on the same Q3 2026 timeline.

Workforce HIPAA training completed
Status: Scheduled Q3 2026

Annual HIPAA training program selected. All workforce members will complete training before any PHI is handled under a customer BAA.

Cyber liability insurance ($1-2M coverage)
Status: Scheduled Q3 2026

Quotes secured. Policy will be bound and in force before the first customer BAA is signed.

Encryption at rest (AES-256) verified
Status: Live

Postgres storage-layer encryption is enabled today. Document blobs are stored in encrypted object storage with US-region pinning.

Encryption in transit (TLS 1.3) verified
Status: Live

TLS 1.3 only, HSTS preloaded, no clear-text protocols anywhere in the document path. Verified via external scanners.

Audit logging operational
Status: Live

Signing audit trails are live on every envelope; application logs flow to journald with retention. Wazuh-equivalent SIEM hardening is scheduled for Q3 2026.

MFA enforced for all admin/operator access
Status: In Progress

Admin sign-in is currently magic-link based. TOTP-based MFA enforcement for all admin and operator accounts is scheduled for Q2 2026.

Incident response plan documented
Status: In Progress

Detection, triage, containment, and notification workflows are drafted. Final tabletop exercise and sign-off scheduled before BAA launch.

Breach notification procedures documented
Status: In Progress

Drafted to align with the HIPAA Breach Notification Rule (72-hour notice where required) and applicable state data-breach laws.

Business continuity / disaster recovery plan
Status: In Progress

Daily encrypted backups are operational today. Full DR runbook with documented RTO/RPO targets is on track for Q3 2026.

Access controls and role-based permissions enforced
Status: Live

Admin and superadmin roles are enforced in code. Per-account isolation prevents cross-tenant document access by default.

What this means for you

If you’re evaluating us for a HIPAA-covered workflow, here’s the truth: we are not BAA-ready today. The Practice tier — which includes the HIPAA BAA — is on track for Q3 2026 launch. If you sign up for Practice now, you join the BAA waitlist with locked-in early-access pricing.

Want our security questionnaire response?

Email [email protected] — we respond within one business day.

CAIQ, SIG-Lite, custom — all welcome. NDA on request.