ISMS Copilot for US healthcare compliance
HIPAA documentation, policy drafting, and Security Rule mapping — without exposing protected health information.
Read this first: ISMS Copilot is for HIPAA documentation, not PHI processing
ISMS Copilot does not sign a Business Associate Agreement (BAA). Without one, a covered entity or business associate cannot lawfully disclose Protected Health Information to us, and we cannot process it on your behalf (45 CFR §164.502(e) and the business associate contract requirements of §164.504(e)). Use ISMS Copilot to draft your HIPAA policies, map Security Rule controls, prepare your Risk Analysis methodology, and train your team, but never paste actual PHI (names, dates, MRNs, diagnoses, conversations between providers and patients) into chats. If your use case requires processing PHI through an AI assistant, you need a BAA-signed vendor instead.
Full HIPAA stance and limitations →
What ISMS Copilot does for HIPAA-covered teams
- Draft the full HIPAA policy and procedure pack — Information Access Management, Workforce Security, Audit Controls, Contingency Planning, Breach Notification
- Map your environment to the HIPAA Security Rule (administrative, physical, and technical safeguards)
- Draft your Risk Analysis methodology and remediation plan template (45 CFR §164.308(a)(1)(ii)(A))
- Cross-walk HIPAA Security Rule to SOC 2 Security and Confidentiality TSC — most controls overlap
- Prepare workforce HIPAA training material and sanction policies
- Prepare a BAA template for your own subprocessors (when YOU are the covered entity or business associate)
Built for healthcare compliance leads
HIPAA Security Rule control library — administrative, physical, technical safeguards
Privacy Rule policy templates (Notice of Privacy Practices, minimum necessary, authorizations)
Breach Notification Rule workflow (notice without unreasonable delay and no later than 60 calendar days after discovery, HHS reporting, individual notification)
HITECH Act amendments and Omnibus Rule guidance
SOC 2 + HIPAA cross-mapping for digital health startups going for both
State law layering — California CMIA, NY SHIELD, Texas HB 300 considerations
Frequently asked questions
Will ISMS Copilot sign a BAA?
No. We do not sign Business Associate Agreements at this time. This is intentional: the AI infrastructure stack underneath ISMS Copilot (model providers, hosting) does not yet have a BAA chain that we can pass through to you. Until that changes, treat ISMS Copilot as a documentation and training tool — not a PHI processor.
Can I paste de-identified data into chats?
Properly de-identified data (per 45 CFR §164.514(a)-(b)) is not PHI, so technically yes, but be cautious. The Safe Harbor method (§164.514(b)(2)) requires removing all 18 listed identifiers of the individual and of relatives, employers and household members, and requires that you have no actual knowledge that the remaining information could identify the individual. The alternative, Expert Determination (§164.514(b)(1)), requires a qualified expert to document that the re-identification risk is very small. If you cannot show the data meets one of those two standards, don't paste it. When in doubt, paraphrase or genericize.
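As an added example (this is not ISMS Copilot's code and not part of the original page), the following Python pre-paste screener looks for the Safe Harbor identifier categories that can be pattern-matched (SSNs, phone numbers, emails, URLs, MRN-style record numbers, dates more specific than a year, IP addresses, ZIP codes, ages over 89) and refuses or redacts text that contains them. The category names, regexes, the `screen`/`redact`/`safe_to_paste` functions and the sample record are all this example's own constructions. It cannot detect names, free-text diagnoses, biometrics or the catch-all "any other unique identifying number" category, so a clean result means "nothing obvious found", not "de-identified under §164.514(b)".

```python
from __future__ import annotations

import re

# Regexes for a subset of the 18 HIPAA Safe Harbor identifier categories
# (45 CFR 164.514(b)(2)). Names, free-text diagnoses, biometrics and the
# catch-all "any other unique identifying number" category cannot be found
# by pattern matching, so a clean result is necessary, not sufficient.
# Category names and patterns are this example's own choices, not a standard.
PATTERNS: dict[str, re.Pattern[str]] = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    # US phone/fax numbers, with or without country code and punctuation
    "phone": re.compile(
        r"(?<!\d)(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)"
    ),
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "url": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
    # Medical record numbers written as "MRN 1234567" / "MRN#1234567"
    "mrn": re.compile(r"\bMRN[:#\s]*\d{5,}\b", re.IGNORECASE),
    # Any date more specific than a year (Safe Harbor allows the year alone)
    "date": re.compile(r"\b(?:\d{1,2}[/-]\d{1,2}[/-]\d{2,4}|\d{4}-\d{2}-\d{2})\b"),
    "date_text": re.compile(
        r"\b(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)[a-z]*\.?\s+\d{1,2}(?:,\s*\d{4})?\b"
    ),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "zip": re.compile(r"\b\d{5}(?:-\d{4})?\b"),
    # Ages over 89 must be collapsed into a single "90 or older" bucket
    "age_over_89": re.compile(
        r"\b(?:9\d|[1-9]\d{2})[- ]?(?:year|yr|y/o|yo)s?\b", re.IGNORECASE
    ),
}


def screen(text: str) -> dict[str, list[str]]:
    """Return {category: [matches]} for every identifier pattern that fires."""
    hits: dict[str, list[str]] = {}
    for name, pat in PATTERNS.items():
        found = [m.group(0) for m in pat.finditer(text)]
        if found:
            hits[name] = found
    return hits


def redact(text: str) -> str:
    """Replace each match with a bracketed category tag such as [MRN].

    Patterns run in dict order, so the more specific ones (SSN, phone, URL)
    consume their text before the looser ones (ZIP, date) see it.
    """
    for name, pat in PATTERNS.items():
        text = pat.sub(f"[{name.upper()}]", text)
    return text


def safe_to_paste(text: str) -> bool:
    """True only when no identifier pattern fires. Clean != de-identified."""
    return not screen(text)


# Constructed sample record; every identifier in it is fictitious.
SAMPLE = (
    "Patient Jane Doe, MRN 00482913, DOB 03/15/1931, admitted 2024-02-09, "
    "92-year-old, phone (415) 555-0134, email jane.doe@example.org, "
    "SSN 123-45-6789, ZIP 94110, portal https://portal.example.org/chart/00482913"
)

if __name__ == "__main__":
    for category, matches in screen(SAMPLE).items():
        print(f"{category:12} {matches}")
    print("safe to paste:", safe_to_paste(SAMPLE))
    print(redact(SAMPLE))
```

Run it as a gate in front of whatever pastes text into a chat: block on any hit, and treat the redacted output as a starting point for a human review, not as a finished de-identified record. Year-only references (for example "risk analysis completed in 2024") pass, which matches what Safe Harbor permits.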
Then what's the actual use case?
Drafting policies, SOPs, training material, risk analyses, vendor-management procedures, breach response runbooks, and audit-prep checklists — all of which describe how PHI is handled without containing PHI itself. Most HIPAA compliance work is documentation and process, not data processing. That's exactly what ISMS Copilot accelerates.
We need both SOC 2 and HIPAA — does that work?
Yes, and it's a common pattern for digital health SaaS. The Security Rule technical safeguards overlap heavily with SOC 2 Security TSC, so we generate a combined control matrix and you only write each control once. See /frameworks/soc-2 and /frameworks/hipaa for specifics.
Is ISMS Copilot HITRUST certified?
No. ISMS Copilot is not HITRUST CSF certified. If your customers contractually require HITRUST, you will need a separate HITRUST-certified platform for the actual data path. ISMS Copilot can still help you draft and maintain the documentation a HITRUST assessor will review.
Ready to streamline your compliance work?
Built for speed, accuracy, and audit-ready deliverables.
