Compliance Framework

HIPAA Compliance

HIPAA is the US federal law governing protected health information (PHI), enforced by the HHS Office for Civil Rights through its Privacy, Security, and Breach Notification Rules.

Talk to us about HIPAA Security and Compliance

HIPAA for Canadian startups · HIPAA cost in CAD

Who needs HIPAA

US-facing health tech, digital health, and any vendor that handles PHI as a covered entity or a business associate.

Key HIPAA requirements

The core of what HIPAA asks you to put in place.

  • Administrative safeguards: risk analysis, workforce training, and access management
  • Physical safeguards: facility and device controls
  • Technical safeguards: access control, audit logging, encryption, and integrity
  • Business Associate Agreements (BAAs) with vendors handling PHI
  • Breach notification procedures under the Breach Notification Rule
  • Policies, documentation, and ongoing risk management

Typical timeline

HIPAA has no certification — you attest to compliance. A risk analysis and remediation program commonly runs a few months, with compliance maintained continuously.

How we help with HIPAA

We run your HIPAA Security Rule risk analysis, implement administrative, physical, and technical safeguards, get your BAAs in order, and build documentation you can show a customer or regulator — often alongside a SOC 2 report.

See Security and Compliance, or compare estimated HIPAA cost in CAD. Based in Toronto and led by a published CVE researcher, we deliver across Canada and the US with our partner Lorikeet Security.

Start the HIPAA readiness →

HIPAA questions

Is there a HIPAA certification?

No. HIPAA compliance is self-attested. There is no official government HIPAA certificate; you demonstrate compliance through documentation, a risk analysis, and safeguards.

Who enforces HIPAA?

The US Department of Health and Human Services Office for Civil Rights (HHS/OCR).

What is a Business Associate Agreement?

A contract required whenever a vendor handles PHI on behalf of a covered entity, binding the vendor to HIPAA safeguards.

Do we need HIPAA and SOC 2?

Many health tech vendors do both. HIPAA is the legal baseline for PHI, while SOC 2 is the report enterprise buyers ask for.

What triggers HIPAA breach notification?

Unauthorized acquisition, access, use, or disclosure of unsecured PHI generally triggers notification to individuals, HHS, and sometimes the media, on statutory timelines.

Move on HIPAA with a team that has done it

Book a free discovery call. We will tell you whether HIPAA fits, what it would take, and roughly what it would cost.

Book a call Contact us