The HIPAA Security Rule has 55 safeguards, the Privacy Rule has its own framework, and most of what's written about both was written for hospital systems. If you're a digital health startup, a billing service, a clinic group, or a SaaS company that handles PHI, you need a compliance program that scales to your size — not a hospital-sized one.
The HIPAA penalty structure doesn't care about your headcount. A breach affecting 500 or more individuals has to be reported to HHS within 60 days of discovery, and an OCR investigation follows, whether you have 5 employees or 500. The Business Associate Agreements you sign with your covered entities create downstream obligations, and most founders never read the agreement closely enough to know what they took on. And 'we're HIPAA compliant', written on your homepage, is a statement you can be held to in litigation: there is no official HIPAA certification, so that claim is your own attestation and you own every word of it.
Aegis is for the team that wants to be HIPAA-compliant in fact, not just on paper.
Guided assessment across all 55 Security Rule safeguards (18 Administrative, 10 Physical, 27 Technical). Tammie as your HIPAA-aware advisor. Evidence packet export when an OCR letter arrives or a customer's BAA review demands it. Full portal access for your team.
Everything in Self-Service, plus async Registered Practitioner review of your safeguards, your BAA template language, and your incident response procedures before they're final. The right-sized layer of human review for teams who don't have a HIPAA Privacy Officer on staff yet.
For teams who'd rather hand off the program. We run the engagement: scope assessment, write the policies, build the evidence, train your team, and deliver a complete HIPAA program. Includes annual maintenance and the documentation you'll need when (not if) someone asks for it.
Trained on the Security Rule, the Privacy Rule, NIST SP 800-66 implementation guidance, and OCR enforcement patterns. Ask Tammie to draft a safeguard implementation, write an incident response procedure, or interpret a BAA clause your customer's lawyer pushed back on.
Every Administrative, Physical, and Technical safeguard gets its own assessment surface with evidence expectations, scoring, and notes. You build defensible documentation one safeguard at a time.
When a customer's security review asks for proof of your program, or when an OCR investigator opens a file, you can generate a complete package in minutes — not weeks.
A Registered Practitioner reviews your scoping, your BAA language, your incident response procedures, and your training program, and catches the language drift that would otherwise have made your 'HIPAA-compliant' homepage statement legally indefensible.
HIPAA isn't a one-time achievement; it's an ongoing program. We're built for the founders who understand that and want a partner who's still here next year, not a consultant who hands you a binder and disappears.
Twenty minutes of intake, a focused HIPAA gap analysis, and a real PDF brief you can use to plan, share, or hand to your board. Roll the $624 into Aegis within 14 days.
Get the Brief →