Patient Protect

For practices with existing compliance vendors

Architecture does the work. Even when you don’t.

25 HIPAA requirements are enforced the moment your account exists — encryption, access control, audit logging, BAA-gated messaging, and MFA. No configuration. No clicks. The platform earns its keep before you do anything.

For less than 10 cups of coffee a month, your office gets the security-first compliance layer your current vendor doesn’t run. We work alongside them, not instead of them.

25

HIPAA requirements enforced at signup

Zero configuration

$39

Per month — no contracts

Cancel anytime

0

Clicks required for enforcement layer

Architecture handles it

The floor and the ceiling

Documentation tools handle your binders. We handle your floor.

Many compliance vendors focus on documentation — risk assessments, policies, and training records. That work matters. It is the ceiling of your compliance program. But the floor — the technical enforcement controls that actually prevent a breach — is a different layer entirely.

Documentation platforms generally aren’t built to run encryption, enforce MFA, detect intrusions, or gate messaging by BAA status. Those are engineering problems, not documentation problems. Patient Protect is built to solve them.

The floor — active from minute zero

What runs without your involvement

  • AES-256-GCM encryption on every byte of ePHI
  • TLS 1.3 in transit with forward secrecy
  • Eight-role access hierarchy enforced at every endpoint
  • Immutable audit logging retained 6+ years
  • Multi-factor authentication with no option to disable
  • BAA-gated messaging — architectural enforcement, not a warning
  • AppSensor intrusion detection on every request
  • Session binding with device fingerprint verification
  • Brute-force prevention with progressive lockout
  • BAA signed and active from minute 6

The ceiling — 5 minutes a day

What grows as you engage

330+ item SRA

NIST 800-30 methodology with scored categories

48 CFR-mapped policies

Versioning, deployment, and workforce acknowledgment

80+ training modules

9 HIPAA curriculum categories with completion tracking

Compliance Advice engine

Scans your standing in real time, surfaces prioritized remediation

Vendor risk management

BAA lifecycle tracking for every business associate

Risk Analytics

Exposure score, risk matrix, audit readiness composite

The proof

25 HIPAA requirements. Satisfied at signup.

Every requirement below maps to a specific HIPAA citation and is enforced by platform architecture — not by configuration, not by user action. Whether you log in again or not.

Administrative Safeguards

§164.308(a)(1)(ii)(A)

Risk Analysis

§164.308(a)(1)(ii)(B)

Risk Management

§164.308(a)(1)(ii)(C)

Sanction Policy

§164.308(a)(1)(ii)(D)

System Activity Review

§164.308(a)(2)

Security Responsibility

§164.308(a)(3)(ii)(A)

Workforce Authorization

§164.308(a)(3)(ii)(C)

Workforce Termination

§164.308(a)(4)(ii)(B)

Access Authorization

§164.308(a)(5)(ii)(A)

Security Reminders

§164.308(a)(5)(ii)(C)

Login Monitoring

§164.308(a)(5)(ii)(D)

Password Management

§164.308(a)(6)

Security Incidents

§164.308(a)(8)

Evaluation

§164.308(b)(1)

BAA Management

Technical Safeguards

§164.312(a)(1)

Access Control

§164.312(a)(2)(i)

Unique User ID

§164.312(a)(2)(iii)

Automatic Logoff

§164.312(a)(2)(iv)

Encryption at Rest

§164.312(b)

Audit Controls

§164.312(c)(2)

ePHI Integrity

§164.312(d)

Authentication (MFA)

§164.312(e)(2)(ii)

Encryption in Transit

Privacy & Breach Notification

§164.502(b)

Minimum Necessary

§164.530(c)

Communication Safeguards

§164.408

Breach Awareness

Full requirement details with platform mappings available at /regulation-map

The difference

Documentation platforms vs. enforcement platforms.

This is not a competitive comparison. It is a category distinction. Most practices need both.

Capability | Documentation | Patient Protect
Risk assessment questionnaire
Policy templates and document generation
Staff training modules
BAA document tracking
Encryption at rest (AES-256-GCM) [enforcement]
Encryption in transit (TLS 1.3) [enforcement]
Multi-factor authentication (enforced) [enforcement]
Role-based access on every endpoint [enforcement]
Immutable audit logging (6+ years) [enforcement]
Intrusion detection (AppSensor) [enforcement]
BAA-gated messaging (architectural) [enforcement]
Real-time breach intelligence [enforcement]
Brute-force prevention [enforcement]
Continuous compliance scoring [enforcement]


What engagement actually looks like

5 minutes. Once a day. That’s the ceiling work.

01

Open your dashboard

Your compliance score, threat level, and any open items are visible immediately. No digging.

02

Review today’s advice item

The Compliance Advice engine has already identified your highest-impact gap and surfaced it with context.

03

Remedy or acknowledge

Jump to the relevant module and fix it, or acknowledge it with an attestation. Score updates in real time.

What we won’t pretend

Your score won’t hit 100% on autopilot.

The 25 architecture requirements are real and they run without you. But HIPAA has 75+ requirements. Policies need to be reviewed. Staff need to complete training. Your Security Risk Assessment needs answers that only someone in your practice can provide. Physical safeguards need to be confirmed by someone who has walked your office.

Patient Protect makes this work manageable — the Compliance Advice engine surfaces one item at a time, ranked by impact, 5 minutes a day. But we will not tell you the platform does your work for you. It does 25 requirements on day one. The rest builds through consistent engagement. That is the honest pitch.

FAQ

Common questions from practices with existing vendors.

Do I need to switch from my current compliance vendor?

No. Patient Protect works alongside other compliance platforms. Your vendor likely handles policies, questionnaires, and training documentation. Patient Protect adds the enforcement layer — encryption, access control, monitoring, and architectural controls that many compliance platforms weren’t designed to provide.

What happens if I sign up but never log in again?

You still get the 25 architecture requirements. Encryption, access controls, audit logging, MFA, intrusion detection, BAA-gated messaging, and session security run without your involvement. Your compliance score won’t hit 100% without engagement, but the enforcement layer is active from minute zero.

What does Patient Protect do that my compliance vendor doesn’t?

Your compliance vendor produces documentation: policies, risk assessment reports, training certificates. Patient Protect runs enforcement controls: encryption, role-based access, audit logging, intrusion detection, BAA-gated communication, and continuous monitoring. One describes what should happen. The other makes it happen.

How much does it cost to add Patient Protect?

$39/month for Core (14 modules) or $99/month for Pro (20 modules). No contracts, no setup fees, cancel anytime. The average OCR fine is $50,000. The average Patient Protect subscription is $468/year.

Is this just a pitch to get me to replace my current vendor?

No. If you have good documentation but no enforcement controls, you have half a compliance program. If you have enforcement controls but no documentation, you also have half. The pitch is: complete the other half for $39/month.

Complete the other half

Your binders are handled. Your floor isn’t.

$39/month adds the enforcement layer your current vendor wasn’t built to provide. 25 requirements from minute zero. No contracts. Works alongside what you already have.

14-day free trial · $39/month Core · $99/month Pro · No contracts · Works alongside existing vendors