Updated Mar 2026

HIPAA Compliance: Built Into Every Workflow We Build

Buying HIPAA compliance software doesn't make your systems compliant. 82% of healthcare data breaches involve compromised credentials or misconfigurations — not missing documentation. Compliance has to be engineered in, not bolted on.

This page explains how we build HIPAA compliance into every automation we deploy — from encryption and access controls to audit trails and incident response. If you're evaluating HIPAA compliance solutions, this will help you understand the difference between compliance documentation and compliance engineering.

The Compliance Problem Most Organizations Get Wrong

Healthcare organizations spend an estimated $8.3 billion annually on HIPAA compliance. Most of that goes to documentation platforms, training programs, and consulting firms that help you create policies. And most of it misses the actual problem.

Here's the reality: having a HIPAA policy binder doesn't prevent breaches. Having a compliance software subscription doesn't encrypt your data. 82% of healthcare data breaches involve compromised credentials or system misconfigurations — problems that no amount of documentation fixes.

The compliance industry has created a false sense of security. Organizations buy tools that help them document compliance, then assume they are compliant. But when the automation that processes patient data isn't built with security controls from the ground up, the gap between documented compliance and actual compliance becomes a breach waiting to happen.

82%: of breaches involve credentials or misconfigurations

$10.9M: average cost of a healthcare data breach (2024)

$8.3B: spent annually on HIPAA compliance

This problem gets worse with automation. Every new workflow that touches PHI — patient intake, billing, lab results, claims processing, patient communication — is a new attack surface. If those automations aren't built with compliance controls baked in from day one, you're scaling your risk as fast as you're scaling your operations.

Our Approach: Compliance-First Engineering

Every automation we build starts with HIPAA safeguards as the foundation, not an add-on. Before we write a single line of workflow logic, we define the security architecture: what PHI is involved, who needs access, how it's encrypted, how access is logged, and what happens if something goes wrong.

This isn't a compliance checklist we run at the end of a project. It's an engineering discipline that shapes every design decision from the start. The result is systems that are compliant by design — not systems that need compliance tools layered on top.

Here's what's built into every single Gistia engagement:

Administrative Safeguards

Risk Assessment

Comprehensive risk analysis conducted at engagement start and annually. Identifies threats to PHI in every workflow we build, with documented mitigation strategies.

Workforce Training

All Gistia team members complete HIPAA training annually. Role-based access means engineers only access the PHI necessary for their specific workflow.

Security Incident Procedures

Documented incident response plan with defined roles, escalation paths, and notification timelines. Tested quarterly. Breach notification within 24 hours.

Business Associate Agreement

Signed BAA on every engagement, no exceptions. Covers all subcontractors and cloud providers in our stack. Chain of custody documented.

Access Management

Formal onboarding/offboarding procedures. Access reviews quarterly. Principle of least privilege enforced across all systems.

Contingency Planning

Disaster recovery and business continuity plans for every automation we operate. RPO and RTO defined per workflow. Backup verification tested monthly.

Physical Safeguards

Facility Access Controls

All infrastructure runs in SOC 2 Type II certified data centers. Physical access restricted to authorized personnel with biometric and badge authentication.

Workstation Security

Full-disk encryption on all development machines. Screen lock policies enforced. No PHI stored on local devices — development uses synthetic data.

Device Controls

Mobile device management (MDM) on all company devices. Remote wipe capability. USB storage disabled. VPN required for all remote access.

Technical Safeguards

AES-256 Encryption at Rest

All PHI encrypted at rest using AES-256. Database-level encryption, file-system encryption, and backup encryption. Key management via AWS KMS or equivalent.

TLS 1.3 Encryption in Transit

All data transmission encrypted with TLS 1.3. No exceptions. Internal service-to-service communication also encrypted. Certificate management automated.

Role-Based Access Controls (RBAC)

Granular permissions tied to job function. Automated provisioning and de-provisioning. Multi-factor authentication required for all access to PHI.

Audit Logging

Every access to PHI logged: user, timestamp, IP address, action performed, data accessed. Logs are tamper-evident (append-only, hash-chained). Retained for 6 years per HIPAA requirement.

Integrity Controls

Checksums and hash verification on all PHI data. Automated integrity monitoring detects unauthorized modifications. Version control on all configuration and code.

Automatic Session Management

Sessions timeout after 15 minutes of inactivity. Re-authentication required. Concurrent session limits enforced.

Audit Trails: The Foundation of Accountability

HIPAA requires that you can answer two questions at any time: "Who accessed this patient's data?" and "What did they do with it?" Most systems generate basic access logs. Our audit trails go further — every action on PHI is recorded with full context.

Here's what every audit log entry in a Gistia-built system captures:

{
  "timestamp": "2026-03-19T14:32:07.123Z",
  "event_type": "phi_access",
  "user_id": "usr_a1b2c3",
  "user_role": "lab_tech",
  "ip_address": "10.0.1.42",
  "action": "view_result",
  "resource": "lab_result:LR-2026-00847",
  "phi_fields_accessed": ["patient_name", "result_value", "ordering_provider"],
  "workflow": "results_review",
  "automation_step": "qc_validation",
  "session_id": "sess_x7y8z9",
  "mfa_verified": true,
  "hash": "sha256:e3b0c44298fc1c149afb..."
}

Tamper-Evident

Logs are append-only and hash-chained. Each entry references the hash of the previous entry. Any modification or deletion breaks the chain and triggers an alert. This makes our audit trails forensically sound.
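To make the hash-chaining concrete, here is an added example (not Gistia's code) of an append-only audit log in the entry shape shown above, plus the verification walk that detects a modified or deleted entry. It assumes canonical JSON (sorted keys, no whitespace) as the hashed representation, a `sha256:` prefix on hashes, and an explicit `prev_hash` field; a `GENESIS` anchor for the first entry is constructed here.

```python
import hashlib
import json

# Constructed anchor for the first entry's prev_hash (assumption, not from the page).
GENESIS = "sha256:" + "0" * 64


def entry_hash(entry: dict, prev_hash: str) -> str:
    """Hash the canonical JSON of the entry (minus chain fields) together with prev_hash."""
    body = {k: v for k, v in entry.items() if k not in ("hash", "prev_hash")}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    digest = hashlib.sha256((prev_hash + "\n" + canonical).encode("utf-8")).hexdigest()
    return "sha256:" + digest


def append_entry(log: list, event: dict) -> dict:
    """Append a new audit entry, linking it to the previous entry's hash."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    entry = dict(event)
    entry["prev_hash"] = prev_hash
    entry["hash"] = entry_hash(entry, prev_hash)
    log.append(entry)
    return entry


def verify_chain(log: list) -> tuple:
    """Walk the chain from GENESIS; return (ok, index of first bad entry or -1).
    A changed field, a re-ordered entry or a removed middle entry all surface here."""
    prev_hash = GENESIS
    for i, entry in enumerate(log):
        if entry.get("prev_hash") != prev_hash:
            return False, i
        if entry.get("hash") != entry_hash(entry, prev_hash):
            return False, i
        prev_hash = entry["hash"]
    return True, -1


def build_sample_log() -> list:
    """Constructed sample: two PHI access events for the same lab result."""
    log = []
    append_entry(log, {"timestamp": "2026-03-19T14:32:07.123Z", "event_type": "phi_access",
                       "user_id": "usr_a1b2c3", "user_role": "lab_tech", "ip_address": "10.0.1.42",
                       "action": "view_result", "resource": "lab_result:LR-2026-00847",
                       "phi_fields_accessed": ["patient_name", "result_value"], "mfa_verified": True})
    append_entry(log, {"timestamp": "2026-03-19T14:33:10.000Z", "event_type": "phi_access",
                       "user_id": "usr_a1b2c3", "user_role": "lab_tech", "ip_address": "10.0.1.42",
                       "action": "release_result", "resource": "lab_result:LR-2026-00847",
                       "phi_fields_accessed": ["result_value"], "mfa_verified": True})
    return log
```

One caveat the chain alone does not cover: dropping the newest entry still verifies, so the latest hash has to be anchored outside the log (for example in separate write-once storage) for truncation to be detectable.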

6-Year Retention

HIPAA requires 6 years of audit log retention. Our logs are stored in encrypted, durable storage with automated lifecycle management. When an auditor asks for access records from 3 years ago, they're available in minutes.

Beyond HIPAA: CLIA and FDA 21 CFR Part 11

For our laboratory clients, HIPAA is the starting point, not the finish line. Clinical laboratories operate under additional regulatory frameworks that most automation vendors ignore — or don't even know about.

CLIA Compliance

The Clinical Laboratory Improvement Amendments regulate all laboratory testing performed on human specimens. Every lab automation we build includes:

  • Quality control validation workflows — Levey-Jennings charts, Westgard rules, automated QC review and flagging
  • Proficiency testing documentation — automated PT result recording and trending
  • Personnel competency tracking — training records, competency assessments, and recertification alerts
  • Test validation protocols — method comparison, linearity, precision, and accuracy documentation
  • Specimen integrity controls — rejection criteria, chain of custody, and storage condition monitoring

FDA 21 CFR Part 11

Part 11 establishes requirements for electronic records and electronic signatures. For labs using our automations to generate or sign off on results, every system includes:

  • Electronic signatures with two-factor authentication — something you know (password) + something you have (MFA token)
  • Signature meaning declarations — the system records why a signature was applied (reviewed, approved, released)
  • Complete audit trails with user attribution — every modification to an electronic record is tracked with before/after values
  • System validation documentation — IQ (Installation Qualification), OQ (Operational Qualification), PQ (Performance Qualification)
  • Record protection — electronic records cannot be altered without detection, and all versions are retained

HIPAA Compliance Software vs. Compliance Engineering

Both have a legitimate role. But they solve different problems, and confusing them is dangerous. Here's an honest comparison of the major HIPAA compliance software platforms and how they differ from what we do.

Compliancy Group

Documentation Platform, $199-$399/month

What it does: Guided HIPAA compliance documentation, risk assessment templates, policy generation, and employee training tracking.

The gap: Documents your compliance posture but doesn't enforce it in your actual systems. If your workflows aren't built compliant, the documentation is fiction.

HIPAA One (Intraprise Health)

Risk Assessment Tool, custom pricing (typically $5K-$15K/year)

What it does: Automated risk assessments, remediation tracking, vendor management, and compliance scoring.

The gap: Excellent for identifying gaps but doesn't close them. You still need to build compliant systems — this tool tells you what's wrong.

Accountable HQ

Compliance Management, $249-$499/month

What it does: HIPAA compliance program management, training, risk assessments, and incident response planning.

The gap: Focused on administrative compliance — policies, training, documentation. Doesn't address technical safeguards in your actual workflows.

Vanta / Drata

Automated Compliance Monitoring, $10K-$50K/year

What it does: Continuous monitoring of cloud infrastructure for compliance violations. Auto-collects evidence for audits.

The gap: Monitors your infrastructure but not your workflow logic. If your automation sends PHI to an unencrypted endpoint, these tools may not catch it unless it's a known cloud misconfiguration.

Compliance Software

  • Helps you document your compliance posture
  • Generates policies, tracks training, runs risk assessments
  • Monitors infrastructure for known misconfigurations
  • Produces evidence packages for auditors
  • Tells you what's wrong — you fix it

Role: Documentation and monitoring layer

Compliance Engineering (Gistia)

  • Builds systems that enforce compliance by design
  • Encryption, access controls, and audit trails are in the code
  • PHI protection is automatic, not manual
  • Compliance is testable — validation scripts prove it works
  • The system prevents violations — you don't need to catch them

Role: Security architecture and enforcement layer

Our recommendation: Use both. Compliance software (Compliancy Group, Vanta, etc.) handles the administrative side — policies, training records, risk assessment documentation. Gistia handles the technical side — making sure the actual systems that touch PHI are built securely. The documentation is only as good as the systems it describes.

Who This Matters To

If your organization is automating any workflow that touches Protected Health Information, compliance-first engineering isn't optional — it's the foundation.

Patient Intake & Registration

Demographics, insurance information, and medical history collected digitally. Every form submission contains PHI that must be encrypted and access-controlled.

Billing & Claims Processing

Diagnosis codes, treatment details, and financial information. Claims contain clinical and financial PHI that flows between your system, clearinghouses, and payers.

Lab Results & Reporting

Test results, pathologist interpretations, and critical values. Results delivery automation must maintain chain of custody and ensure only authorized recipients see results.

Patient Communication

Appointment reminders, results notifications, and follow-up messages. Any communication referencing health conditions, appointments, or treatments contains PHI.

Clinical Documentation

Progress notes, orders, and referrals. AI-assisted documentation must protect PHI during processing and storage, with clear attribution.

Scheduling & Access

Appointment types reveal treatment context. Scheduling automation must protect the implicit PHI in appointment details and provider selections.

Auto-Generated SOPs and Validation Scripts

Every automation we deploy includes automatically generated documentation that your compliance team and auditors need:

1. Standard Operating Procedures (SOPs)

Step-by-step documentation of how each automated workflow operates, including security controls, error handling, and escalation procedures. Generated from the code, not written separately — so they're always accurate.

2. Installation Qualification (IQ)

Verification that all system components are installed correctly, configurations match specifications, and infrastructure meets requirements. Automated test suite you can re-run anytime.

3. Operational Qualification (OQ)

Verification that the system operates correctly within defined parameters. Covers normal operations, edge cases, error conditions, and security controls. Includes test data and expected results.

4. Performance Qualification (PQ)

Verification that the system performs as expected under real-world conditions with production data volumes. Includes load testing, failover testing, and monitoring validation.

5. Traceability Matrix

Maps every requirement to its implementation, test case, and validation result. When an auditor asks 'how do you know this requirement is met?' — the matrix provides the answer with evidence.

Building Healthcare Automations? Compliance Starts at the Architecture.

We start every engagement with a free assessment that includes a compliance review of your current workflows. We'll identify where PHI is at risk, what safeguards are missing, and how to build compliant automations from the ground up.

  • BAA signed on every engagement
  • AES-256 encryption, TLS 1.3, role-based access, full audit trails
  • HIPAA + CLIA + FDA Part 11 compliance for laboratory clients
  • Auto-generated SOPs and IQ/OQ/PQ validation scripts
  • $50K savings guarantee on AI Roadmap
