HIPAA is the US federal law governing protected health information (PHI), enforced by the HHS Office for Civil Rights through its Privacy, Security, and Breach Notification Rules.
US-facing health tech, digital health, and any vendor that handles PHI as a covered entity or a business associate.
The core of what HIPAA asks you to put in place.
HIPAA has no certification — you attest to compliance. A risk analysis and remediation program commonly runs a few months, with compliance maintained continuously.
We run your HIPAA Security Rule risk analysis, implement administrative, physical, and technical safeguards, get your BAAs in order, and build documentation you can show a customer or regulator — often alongside a SOC 2 report.
See Security and Compliance, or compare estimated HIPAA cost in CAD. Based in Toronto and led by a published CVE researcher, we deliver across Canada and the US with our partner Lorikeet Security.
No. HIPAA compliance is self-attested. There is no official government HIPAA certificate; you demonstrate compliance through documentation, a risk analysis, and safeguards.
The US Department of Health and Human Services Office for Civil Rights (HHS/OCR).
A contract required whenever a vendor handles PHI on behalf of a covered entity, binding the vendor to HIPAA safeguards.
Many health tech vendors do both. HIPAA is the legal baseline for PHI, while SOC 2 is the report enterprise buyers ask for.
Unauthorized acquisition, access, use, or disclosure of unsecured PHI generally triggers notification to individuals, HHS, and sometimes the media, on statutory timelines.
Book a free discovery call. We will tell you whether HIPAA fits, what it would take, and roughly what it would cost.