
Patient Protect Releases a Public HIPAA Infrastructure Layer for Independent Healthcare (2026)

Patient Protect has released a public HIPAA infrastructure layer — 21 production-grade resources spanning compliance education, risk assessment, training, breach intelligence, public datasets, developer resources, AI-readiness, and a Chrome extension. Free. No login. Under permissive licenses where applicable.

Alexander Perrin·May 19, 2026·15 min read

We did not start by asking independent providers to trust another compliance platform. We started by building the tools, datasets, guides, apps, and research we believed should already exist for healthcare practices that face hospital-grade HIPAA obligations without hospital-grade budgets.

Today, that work is the largest public HIPAA infrastructure layer in independent healthcare. Twenty-one production-grade resources, spanning ten distinct disciplines of compliance and security work, available to every practice in the United States — free, no login, no trial timer, no gatekeeping sales call. The data and reference materials are released under CC BY 4.0. The Chrome extension is released under MIT. The code, the dataset, and the glossary are forkable, citable, and AI-indexable forever.

This is not a content marketing exercise. It is the public knowledge layer most HIPAA compliance vendors do not publish, because most vendors treat this work as proprietary lead-magnet material or internal IP. We disagree with that approach as a matter of operating principle.

Why this layer did not exist before

A dental practice in rural Ohio and a 200-bed health system in downtown Chicago face the same regulatory obligations under HIPAA. The Privacy Rule applies equally to both. So does the Security Rule and the Breach Notification Rule. The 60-day clock to notify patients after a breach starts at discovery for both. The same OCR penalty tiers under 45 CFR §160.404 apply regardless of practice size. The Raleigh Orthopaedic Clinic case settled at $750,000 with no breach required — a missing Business Associate Agreement was itself the violation, and the dollar amount applied the same way it would have to a hospital system.

The only thing that scales with size is resources. Compliance consultants at $250 an hour. Enterprise compliance platforms starting at $400 a month. Penetration testing engagements with $25,000 minimums. Risk-analysis frameworks priced for organizations with full-time compliance officers. Workforce training modules sold per seat at enterprise rates. Breach intelligence dashboards that require a six-figure annual contract.

Independent practices do not have those budgets. The compliance vendor market does not price for them. Most documentation-focused platforms start at $200 to $400 a month before adding active monitoring, secure messaging, or breach simulation. The training-and-policy products tend to gate the actually-useful artifacts behind sales calls or enterprise tiers. The result: a solo dental practice with 1,200 patient records faces the same HIPAA fines as Mayo Clinic, with access to less than 1% of the resources Mayo Clinic uses to comply.

We started Patient Protect in 2015 because that gap is structural. The first step was the platform — a $39 to $99 a month security and compliance product designed specifically for independent practices. The second step, which has taken every year since, is the public infrastructure layer below: the tools, datasets, training, research, and code that should exist for every independent practice whether they ever pay us or not.

What "infrastructure" means here

The public layer spans ten distinct disciplines that, taken together, cover the operational footprint of an independent practice's HIPAA program:

  1. Compliance education — what HIPAA actually requires, in plain English. 203 glossary terms, an AI assistant that answers regulatory questions, an 80-module training curriculum with 4 modules free.
  2. Risk assessment — the foundational document of any HIPAA program under 45 CFR §164.308(a)(1)(ii)(A). A free unified risk score in 5 minutes; a 7-question quick check; an entity-determination classifier.
  3. Training — the second most-cited gap in OCR enforcement under §164.530(b). Four modules free, role-specific content, completion tracking — the program OCR expects to see.
  4. Breach intelligence — what is actually happening in healthcare cyber. A live dashboard with 12 analytical views, a biweekly newsletter, a daily news feed, a free iOS app.
  5. Data mapping — where ePHI moves across vendors, devices, staff, and systems. An interactive mapper most practices have never run on their own data.
  6. Vendor and security evaluation — what to look for in a Business Associate Agreement, where the contract language fails, where infrastructure exposes data. Three checklists plus four operational templates (BAA, Notice of Privacy Practices, Incident Response Plan, Risk Analysis Questionnaire) published as forkable markdown on GitHub.
  7. Public datasets — a citable Healthcare Breach Dataset under CC BY 4.0, formally cataloged as a Schema.org Dataset. The first independent-practice-focused breach dataset published with formal academic citation.
  8. Developer resources — open-source reference data on GitHub: 203-term glossary, 40+ acronyms, the 18 PHI identifiers, 50-state breach notification quick reference, four operational templates. Forkable, queryable, citable.
  9. AI-readiness — llms.txt and llms-full.txt machine-readable HIPAA content (~18,000 words) following the llmstxt.org standard. Published specifically so AI search engines can cite Patient Protect when answering HIPAA queries. Plus an AI HIPAA compliance assistant accessible without login.
  10. Consumer-grade tooling — the hipaa-shield Chromium browser extension under MIT license. Warns when PHI is being typed into AI chat tools (ChatGPT, Claude, Gemini, Copilot) that do not sign HIPAA Business Associate Agreements. 100% client-side, zero telemetry.

Most compliance vendors publish in two or three of these disciplines, behind a sales contact form. We publish in all ten, without a sales contact form. That is not generosity. It is the product of the position we want to operate from: a company that has built the surrounding public knowledge layer before asking practices to trust a paid platform.

The complete catalog

Twenty-one resources across seven categories. Every URL below works without a login.

| # | Resource | Discipline | Format | Where it lives | License |
|---|----------|------------|--------|----------------|---------|
| 1 | Unified Risk Assessment | Risk assessment | Web app | patient-protect.com/risk-assessment | Free |
| 2 | HIPAA Readiness Scan | Security evaluation | Web tool | patient-protect.com/scan | Free |
| 3 | Ask PIPAA — HIPAA AI assistant | AI-readiness | Web chat | patient-protect.com/ask-pipaa | Free |
| 4 | 7-Question Self-Assessment | Risk assessment | Web form | patient-protect.com/assessment | Free |
| 5 | Entity Determination Tool | Compliance education | Web form | patient-protect.com/entity-determination-tool | Free |
| 6 | ePHI Data Flow Mapper | Data mapping | Web tool | patient-protect.com/hipaa-ephi-data-flow | Free |
| 7 | HIPAA Compliance Roadmap | Risk assessment | Web checklist | patient-protect.com/hipaa-compliance-checklist | Free |
| 8 | Secure Infrastructure Checklist | Vendor and security evaluation | Web checklist | patient-protect.com/secure-infrastructure-checklist | Free |
| 9 | HIPAA Breach Cost Calculator | Risk assessment | Web tool | patient-protect.com/hipaa-risk-calculator | Free |
| 10 | Healthcare Breach Dashboard | Breach intelligence | Web dashboard | patient-protect.com/breachdash | Free |
| 11 | HIPAA Pulse — news feed | Breach intelligence | Web + RSS | patient-protect.com/hipaa-pulse | Free |
| 12 | HIPAA Pulse Newsletter | Breach intelligence | Biweekly email | Subscribe on any hipaa-pulse page | Free |
| 13 | Patient Protect Signal | Breach intelligence | iOS app | patient-protect.com/signal | Free |
| 14 | Free HIPAA Training | Training | Video modules | patient-protect.com/free-hipaa-training | Free (4 modules) |
| 15 | HIPAA Glossary (203 terms) | Compliance education | Web + DefinedTerm schema | patient-protect.com/hipaa-glossary | Free |
| 16 | Patient Protect Research (2 SSRN papers) | Research | PDF on SSRN | patient-protect.com/research | Free |
| 17 | HIPAA Pulse Archive | Breach intelligence | Web index | patient-protect.com/hipaa-pulse/archive | Free |
| 18 | hipaa-toolkit GitHub repo | Developer resources | CSV, JSON, Markdown | github.com/patient-protect/hipaa-toolkit | CC BY 4.0 |
| 19 | Healthcare Breach Dataset | Public datasets | CSV + JSON download | patient-protect.com/api/breach-data | CC BY 4.0 |
| 20 | Schema.org Dataset publication | Public datasets | JSON-LD on /breachdash | patient-protect.com/breachdash | CC BY 4.0 |
| 21 | hipaa-shield Chrome extension | Consumer-grade tooling | Chromium MV3 | github.com/patient-protect/hipaa-shield | MIT |

The seven category sections below describe each in operational detail.

1. Risk assessment and diagnostics (5)

The artifacts a practice uses to understand its own compliance footprint. Each runs without a login, returns results in 5 to 30 minutes, and identifies specific gaps rather than generic recommendations.

  • Unified Risk Assessment — comprehensive HIPAA risk analysis combining compliance readiness, entity classification, practice profile, and ePHI data flow into a single risk score. Consultant equivalents charge $5,000 to $25,000.
  • HIPAA Readiness Scan — 30-second OCR-style scan of a practice's public website. Checks for tracking pixels (the December 2022 OCR enforcement category), security headers, email vulnerabilities, missing HIPAA documents.
  • Ask PIPAA — AI HIPAA compliance assistant. Answers questions about the Security Rule, Privacy Rule, breach response, risk analysis, vendor BAAs. No login, no rate limit on individual users.
  • 7-Question Self-Assessment — quick readiness check with action-oriented guidance and clear next steps.
  • Entity Determination Tool — answers the question many practices get wrong: covered entity, business associate, hybrid entity, or something else. Classification under 45 CFR §160.103 determines which rules apply.

2. Data mapping and operations (3)

Once a practice knows where it stands, the next question is what to fix.

3. Economics (1)

  • HIPAA Breach Cost Calculator — estimates the 10-year financial exposure of a breach for a specific practice. Uses the IBM Security $442/record baseline cross-referenced against record count, vendor surface, and security profile.

4. Breach intelligence (4)

Situational awareness — what is happening in healthcare breaches, in regulatory enforcement, in the threat landscape.

  • Breach Dashboard — live, continuously updated intelligence on US healthcare data breaches. Sourced from the HHS OCR Breach Portal with Patient Protect editorial enrichment. 12 analytical views, geographic heat map, entity rankings.
  • HIPAA Pulse — daily news feed of breach reports, OCR enforcement actions, regulatory updates, litigation, with paired operational responses for each story.
  • HIPAA Pulse Newsletter — biweekly email digest synthesizing the most important breach, enforcement, and regulatory developments. Subscribe on any /hipaa-pulse page or in the site footer.
  • Patient Protect Signal — free iOS app delivering real-time breach alerts, compliance scoring, OCR enforcement tracking, and risk assessment tools on a mobile device.

5. Training (1 program, 4 free modules, 80-module curriculum)

Workforce training is the second most-cited gap in OCR enforcement under §164.530(b).

  • Free HIPAA Training — four complete training modules covering Privacy Rule, Security Rule, and compliance fundamentals. Part of an 80-module curriculum across 10 categories. Completion records, role-specific content, refresh cadence.

6. Compliance education and research (3)

The layer that compounds — knowledge artifacts other practices, researchers, and AI engines reference back to.

Patient Protect also publishes llms.txt and llms-full.txt — ~18,000 words of structured HIPAA reference written for LLM ingestion, following the llmstxt.org standard. Machine-readable, not counted in the 21 because it is consumed by AI agents and developers rather than used as a tool by humans.

7. Open data, open source, and the browser extension (4)

This is the layer that compounds outside Patient Protect's own pages — citable, forkable, AI-indexable by anyone, anywhere, forever.

  • github.com/patient-protect/hipaa-toolkit — public GitHub repository under CC BY 4.0. Contains the 203-term glossary (CSV + JSON), 40+ acronyms organized by category, the 18 PHI identifiers (Safe Harbor de-identification under 45 CFR §164.514), the 50-state breach notification quick reference, and four operational document templates (BAA, Notice of Privacy Practices, Incident Response Plan, Risk Analysis Questionnaire).
  • Healthcare Breach Dataset — citable CC BY 4.0 dataset of US healthcare data breaches. CSV and JSON download formats, formal citation format, programmatic access at /api/breach-data?format={csv,json}. Sourced from the HHS OCR Breach Portal with Patient Protect editorial enrichment.
  • Schema.org Dataset publication — the breach data is formally cataloged for machine consumption via JSON-LD on the /breachdash landing page. Google Dataset Search and LLM citation graphs index it as a primary source.
  • github.com/patient-protect/hipaa-shield — open-source Chromium browser extension under MIT license. Warns when PHI is being typed into a browser form, especially AI chat tools (ChatGPT, Claude, Gemini, Copilot) that do not sign HIPAA Business Associate Agreements. 100% client-side detection, zero telemetry, zero network requests. Companion landing page at patient-protect.com/hipaa-shield.

The free ecosystem and the paid operating system are different things

The most important distinction in this catalog: the free layer helps a practice see the problem clearly. The Patient Protect platform helps the practice run the system required to solve it.

The free resources are diagnostic and educational. They show you where you stand. They give you the data, the definitions, the questions to ask, the templates to start from. A practice that uses every single one of the 21 free resources will be better-informed about HIPAA compliance than 80% of independent practices in the United States.

The Patient Protect paid platform is operational. It runs the compliance program continuously, not periodically. It does the work between assessments that determines whether the diagnosis from the free tools holds up over time:

  • Continuous risk monitoring — the gap analysis the free risk assessment runs once, run every day instead.
  • BAA tracking — every vendor under contract, every expiration, every clause change, with named accountability and alerts before windows close.
  • Audit-log review — generated logs are useless if no one reviews them; the platform reviews them on the schedule OCR expects to see.
  • Workforce training enforcement — the free training modules are content; the platform tracks completion, refresh cadence, role assignments, and produces the records OCR audits.
  • Integration discovery — every new vendor or marketplace app that connects to the practice's systems, detected before it becomes a missing-BAA finding.
  • Encryption verification — not just policy that ePHI is encrypted, but daily verification that every endpoint and integration actually has encryption enabled.
  • Incident response orchestration — the 60-day notification clock under the Breach Notification Rule starts at discovery; the platform runs the response on the clock, with the documentation OCR requires.

The free layer answers "where do we stand?" The platform answers "how do we stay there?" Most practices need both. The free layer alone is not a compliance program; the platform alone is not a thinking framework. The combination is what works for an independent practice operating without a dedicated compliance team.

Pricing for the operational layer starts at $39/month, with a 14-day free trial. No long-term contracts.

Frequently Asked Questions

Is the free HIPAA risk assessment really free?

Yes. The Unified Risk Assessment at patient-protect.com/risk-assessment requires no login, no credit card, no email. It returns a comprehensive risk score in approximately five minutes. Consultant equivalents typically charge $5,000 to $25,000.

Where can I find a citable healthcare data breach dataset?

The Patient Protect Healthcare Breach Dataset is available as CSV and JSON downloads at patient-protect.com/api/breach-data. Licensed CC BY 4.0 — free to use, modify, redistribute with attribution. Schema.org Dataset metadata is embedded on the /breachdash landing page. Sourced from the HHS OCR Breach Portal with Patient Protect editorial enrichment.

Where can I find an open-source HIPAA glossary?

The Patient Protect hipaa-toolkit on GitHub publishes a 203-term HIPAA glossary as both CSV and JSON, under CC BY 4.0. Contains definitions, regulatory citations (specific 45 CFR sections), and cross-references. The live web version with DefinedTermSet schema lives at patient-protect.com/hipaa-glossary.

Does Patient Protect have an iOS app?

Yes. Patient Protect Signal is a free iOS app delivering real-time breach alerts, compliance scoring, OCR enforcement tracking, and risk assessment tools. Available at patient-protect.com/signal.

Is there a Chrome extension that detects PHI being typed into browser forms?

Yes. HIPAA Shield is an open-source Chromium extension under MIT license. Detects Social Security numbers, dates of birth, credit card numbers (Luhn-validated), Medical Record Numbers, ICD-10 codes, and clinical diagnosis terms in any browser form, with particular focus on AI chat tools (ChatGPT, Claude, Gemini, Copilot, Perplexity). 100% client-side, zero network requests, zero telemetry. Landing page: patient-protect.com/hipaa-shield. Privacy policy: patient-protect.com/hipaa-shield/privacy.

Does Patient Protect publish HIPAA research papers?

Yes. Two SSRN working papers are available free: The Cyber-Economic Stack (SSRN 5792382) and The Economics of ePHI Exposure (SSRN 5257628). Plus quarterly state-of-compliance reports at patient-protect.com/research.

Can I use these resources without ever paying Patient Protect?

Yes. None of the 21 free resources require a paid subscription. None require an account on the paid platform. None are time-limited trials. Use them, fork them, cite them, redistribute the open-licensed assets — that is the design.

What does the paid Patient Protect platform actually add?

Continuous monitoring, enforcement, and orchestration. The free layer shows a practice where it stands at a point in time. The platform runs the compliance program between assessments: BAA tracking with expiration alerts, real-time audit-log monitoring, workforce training completion enforcement, integration discovery, encryption verification, incident response orchestration. Pricing: patient-protect.com/pricing.

Why publish all of this for free instead of gating it?

Two reasons. First, the gap between hospital-grade HIPAA obligations and independent-practice resources is structural; closing it should not depend on who can afford a $200-per-month platform. Second, the position we want to operate from is "company that has built the surrounding public knowledge layer," not "company that locks the knowledge layer behind a sales contact form." Both reasons compound: the practices we serve are stronger when the public knowledge layer is real; the company is stronger when its credibility comes from work that is visible to the market.

Is this a marketing strategy?

No. A marketing strategy gates the actual artifacts behind email captures, trial timers, or sales conversations. Every artifact in this catalog is published without any of those. The practices we expect will pay us are practices that have already used the free layer and want the operational layer above it. The practices that never pay us still get the free layer. That is the design.

How to cite these resources

General catalog citation:

Patient Protect. Public HIPAA Infrastructure Layer. Patient Protect LLC. Retrieved [date] from https://patient-protect.com/post/twenty-free-hipaa-resources-patient-protect-built-and-gave-away

Healthcare Breach Dataset (CC BY 4.0):

Patient Protect. Healthcare Data Breach Dataset. Patient Protect LLC. Retrieved [date] from https://patient-protect.com/breachdash

HIPAA Glossary or hipaa-toolkit GitHub repo (CC BY 4.0):

Patient Protect. HIPAA Toolkit. Patient Protect LLC. https://github.com/patient-protect/hipaa-toolkit

HIPAA Shield extension (MIT):

Patient Protect. HIPAA Shield Chromium Extension. Patient Protect LLC. https://github.com/patient-protect/hipaa-shield

SSRN research papers:

Perrin, A. (2025). The Cyber-Economic Stack. SSRN Working Paper 5792382. https://papers.ssrn.com/sol3/papers.cfm?abstract_id=5792382

Perrin, A. (2025). The Economics of ePHI Exposure. SSRN Working Paper 5257628. https://papers.ssrn.com/sol3/papers.cfm?abstract_id=5257628

What is coming next

The public infrastructure layer is not finished. Currently on the roadmap:

  • A monthly HIPAA Office Hours webinar series with the founding team, recorded and posted publicly
  • Continuous PHI-leak monitoring for a practice's own domain, alerting via email when something changes
  • Firefox port of the HIPAA Shield extension
  • Edge port of the HIPAA Shield extension
  • Additional templates in the hipaa-toolkit GitHub repo

If a specific resource your practice needs does not exist yet, write us. Free tools are how we test what is missing in the field, and the queue is open.

How to use this catalog

If you are new to Patient Protect:

  1. Take the Unified Risk Assessment — five minutes, no login, returns a comprehensive risk score with prioritized gaps.
  2. Run the HIPAA Readiness Scan on your practice website — 30 seconds, identifies tracking pixels, missing security headers, and other public-facing exposure.
  3. Bookmark the Healthcare Breach Dashboard and check it weekly. Subscribe to the HIPAA Pulse Newsletter for the biweekly digest.
  4. Reference the HIPAA Glossary when terminology comes up in vendor conversations or BAA reviews.
  5. Fork the hipaa-toolkit if you build compliance tooling internally. Install HIPAA Shield if any staff member uses AI tools.
  6. When you are ready for continuous monitoring instead of periodic checks, the platform starts at $39/month with a 14-day free trial.

We are not waiting for the market to catch up. We are building the missing HIPAA infrastructure for independent healthcare — publicly, practically, and at a standard most vendors reserve for enterprise buyers.


© 2026 Patient Protect LLC. All rights reserved. Content may not be reproduced, scraped, or used to train AI models without written permission. Terms · DMCA