Platform features
Most compliance platforms give you tools. Patient Protect gives you a system that runs itself. There is a difference — and it shows up the day you need to prove you were compliant, not just that you bought software.
The operating system
System, Defense, Operations, Network, Intelligence — each layer works independently. Together, they close every gap in your compliance standing automatically.
Auto-generates tasks from your SRA — closes itself when conditions are met
Your compliance queue builds itself from your SRA results. Tasks close automatically when conditions are met — no manual check-offs, no missed deadlines.
On-premises AI — your data never touches a cloud model
Ask compliance questions in plain English. The AI runs locally on the platform — your PHI never leaves the system, never touches a cloud model. Powered by the PIPAA architecture documented in our whitepaper. Learn more on our AI page.
Updates the moment a risk closes, not when you run a report
Your risk profile recalculates instantly as you close gaps. No waiting for quarterly reviews — you always know exactly where you stand.
Composite score across every module, always current
One score across all 20 modules, updated in real time. Present it to auditors, board members, or your own team — it’s always current.
Tied to specific compliance gaps, not generic notifications
Each alert maps to a specific gap in your compliance standing. You know what changed, what’s at risk, and what to do about it — immediately.
Immutable per-session, per-tab logs — export-ready for OCR
Every access event is logged with who, when, where, and what was viewed. Logs are immutable and export to the format OCR auditors expect.
Evaluates BAA partners against your current standing
Know which vendors are covered by active BAAs and which represent open exposure. Vendor risk feeds directly into your compliance score.
Models attack scenarios against your actual controls and gaps
Run what-if scenarios against your real configuration. See where a phishing attack, ransomware event, or insider threat would find your weakest point.
Nine defined roles — every endpoint enforces permissions
From administrator to patient, every role has defined boundaries enforced at every endpoint. No shared logins, no exceptions, no manual overrides.
Validated file handling with per-office storage tracking
Upload, version, and track compliance documents with validated handling. Storage is tracked per office so nothing gets lost in a shared drive.
Completion timestamped and stored as OCR-ready evidence
Deliver HIPAA training inside the platform. Every completion is timestamped and stored as audit-ready evidence — no spreadsheets, no guessing who finished.
Compliant patient and office document workflows
Patient intake, consent, and office documents handled in a compliant workflow. Every form submission is logged with timestamps and signatures.
BAA status gates content automatically — no manual settings
Send messages between providers and patients with automatic BAA gating. If a vendor’s BAA lapses, content is masked automatically — no manual intervention.
Send, track, and audit referrals across offices
Refer patients across offices with a full audit trail. Every referral is tracked from send to acceptance, with compliance documentation at every step.
Centralized records with role-based access controls
Manage patient records in one place with role-based access. Every view, edit, and export is logged — your audit trail builds itself.
Public compliance standing page your patients can verify
Give patients a public page showing your compliance status. It builds trust before they walk in the door and differentiates your practice.
Visualizes where PHI moves across your practice and vendors
See exactly where protected health information flows — between systems, vendors, and staff. Identify concentration risks before they become breaches.
Models penalty exposure based on current gaps and enforcement trends
Know your dollar exposure at any moment. The model uses your actual gaps and current OCR enforcement patterns to estimate potential penalties.
Reconstructs any compliance event from timestamped evidence
Replay any compliance event from start to finish using timestamped evidence. When an auditor asks “what happened?” — you can show them.
Nightly HHS OCR breach data and enforcement intelligence
Every night, HHS OCR breach reports are ingested, categorized, and contextualized for your practice type. Stay ahead of enforcement trends.
Your risk intelligence feeds your compliance engine. Your engine gates your network. Your network generates your audit trail. Everything connects.
Security architecture
Every architectural decision was made for practices that can't afford to get it wrong.
Invalid input is treated as evidence of malicious intent — detected, rejected, logged, and escalated. AppSensor detection feeds directly into Fail2Ban enforcement. Attack once, get watched. Attack twice, get banned.
The only HIPAA compliance platform with a locally-running AI assistant. Your data never touches a cloud model — no API calls, no training exposure, no third-party processing.
The same standard used for classified government data. Not just ‘we encrypt your data’ — authenticated encryption that proves data hasn’t been tampered with in session. TLS 1.3 in transit. No legacy fallbacks.
Every request validates that the person using the session is the person who started it. Browser fingerprint, IP, device — any mismatch means immediate termination. Critical for shared-device clinical environments.
Every database query uses PostgreSQL prepared statements. SQL injection isn’t prevented by filtering — it’s architecturally impossible. No ORM shortcuts, no string concatenation.
HHS OCR breach data ingested every night. Your dashboard reflects the live threat landscape — not last quarter’s.
Browser fingerprinting, per-tab tracking, lockout cascades, and IP banning — enforced before requests reach the application layer.
Built against OWASP Top 10 and NIST Cybersecurity Framework — applied as architecture by a former government CTO, enforced at every endpoint.
Zero Trust isn't a marketing term here. It's how every endpoint is built.
Platform flow
Compliance Operations
Risk visibility
Live breach intelligence from HHS OCR — mapped by state, trended over time, and contextualized for your practice type.
Three-category compliance scoring with trend indicators
Know if you’re improving or slipping at a glance
Compliance scores update the moment a risk closes
Compliance queue
A self-replenishing compliance queue that checks its own conditions. Some items close themselves when requirements are met.
Auto-generated from your risk profile
Prioritized by severity and deadline
Completion creates audit evidence automatically
Real-time standing
Real-time compliance visibility across every module. Current to this moment, updated as you work.
Score updates as you complete tasks
Every module contributes to the composite score
Evidence generated automatically
Access & Workforce
Nine defined roles
Nine defined roles, from administrator to patient. Every endpoint enforces permissions — no exceptions.
Role hierarchy: Ninja through Patient (0–999)
Every endpoint checks role before serving content
Unexpected input rejected silently — AppSensor on every endpoint
Workforce compliance
HIPAA training delivered and tracked inside the platform. Every completion becomes documented, audit-ready evidence.
Policy acknowledgment tracked per staff member
Training completion timestamped
OCR-ready workforce records at all times
Data & Records
BAA-gated communication
Six-state BAA lifecycle — from staging through digital signature to active status — with automatic gating of secure messaging until BAA is active. Non-BAA offices have message content masked. Patient sends hard-blocked without active agreement.
Six-state lifecycle: staging → pending → signed → active → expiring → terminated
BAA status controls messaging access automatically — no manual intervention
Full audit trail on every exchange and every state transition
Audit readiness
Audit-ready by default. Every access logged, every action timestamped, every anomaly flagged.
Immutable access logs
Per-session, per-tab tracking
Export-ready for OCR requests
Intelligence & Alerts
Nightly HHS OCR data
HHS OCR breach data ingested every night. Your dashboard reflects the live threat landscape, not last quarter’s.
National breach map by state
Sector and vector trending
CSV export for board reporting
Live status signals
Security alerts anchor urgency in specific workflow risk. Compliance scores update the moment a risk closes. Your standing is always current.
Security alerts tied to specific compliance gaps
Real-time score adjustments
Prioritization based on current threat landscape
What stays connected
Most platforms give you twenty separate tools. Patient Protect gives you one operating system that tightens itself.
Complete your SRA and the Autonomous Compliance Engine populates your task queue automatically — no manual task creation.
Until a BAA is active and vendor risk is evaluated, message content is masked for non-compliant offices.
Every staff signature on every policy version is timestamped and stored as OCR-ready, replayable evidence.
Nightly breach intelligence recalculates your penalty exposure model against current enforcement trends.
PHI flow paths feed directly into breach modeling — so you can see exactly where your exposure concentrates.
No module is an island. That's what makes it a system.
The platform connects with live healthcare threat intelligence. Browse the latest in HIPAA Pulse. Or read our research on the platform deficit—why documentation-only compliance fails.
FAQ
Twenty integrated modules across five layers — System, Defense, Operations, Network, and Intelligence. Core includes 14 modules at $39/month. Pro unlocks all 20 with unlimited AI and expanded training at $99/month.
Yes. The SRA wizard covers every requirement of §164.308(a)(1), generates scores across three categories, and auto-populates your compliance task queue.
Yes. The only HIPAA compliance platform with an on-premises AI assistant. Zero PHI exposure by architecture, not by policy.
Full lifecycle: create, send for e-signature, track status, renewal alerts. BAA status gates Secure Messaging automatically.
Built against OWASP Top 10 and NIST CSF. AES-256-GCM encryption, TLS 1.3, browser fingerprinting, AppSensor on every endpoint.
Next step
No contracts. No consultants. Starting at $39/month.
