Compliance & Regulatory

HIPAA compliance, architected in — not bolted on.

We design PHI handling, access control, encryption and audit trails into your platform from day one — so security reviews and audits become a formality, not a fire drill.

The requirement

What the HIPAA Security Rule actually requires

Three categories of safeguards. Most breaches and failed audits trace back to a gap in one of them — so we design for all three, not just the technical layer that's easy to point at.

Safeguarding protected health information

Administrative

The governance that proves you manage PHI deliberately — policy, risk analysis and oversight.

  • Risk analysis & management
  • Workforce access policies
  • BAAs & vendor governance
  • Incident response plan

Physical

Control over the facilities, workstations and devices that store or touch protected data.

  • Facility access controls
  • Device & media controls
  • Workstation security
  • Secure disposal & re-use

Technical

The engineering — access control, encryption, audit and integrity — built into the system itself.

  • Access control & unique IDs
  • Encryption in transit & at rest
  • Audit controls & logging
  • Integrity & transmission security

Why AST

Compliance built by engineers, not just auditors

We don't hand you a checklist and leave. We design the controls into the architecture, build them with your team, and stay through the audit.

17+ years in regulated healthcare software

Compliance is native to how we build — not a separate practice we bolt on.

4 frameworks we align to

HIPAA, SOC 2, HITRUST and NIST 800-53 — from one control architecture.

100% PHI on BAA-ready infrastructure

Every environment and subprocessor that touches PHI sits under a BAA.

360° safeguard coverage

Administrative, physical and technical — we design for all three, not just the easy one.

The engagement

How a HIPAA engagement works

From a gap assessment to a fully evidenced, audit-ready architecture — we own the technical hard parts and close the gaps with your team.

01 HIPAA gap assessment

A clear-eyed read of where your PHI handling, access model and infrastructure stand against the Security Rule — with the gaps ranked by real risk.

  • Security Rule gap analysis
  • PHI data-flow mapping
  • Risk register & ranking
  • Prioritized remediation plan

02 Compliance architecture design

We design the access control, encryption, logging and segmentation into your platform's architecture — so compliance is a property of the system, not a document.

  • IAM & least-privilege model
  • Encryption & key management
  • Audit logging & retention
  • Network & data segmentation

03 Remediation & implementation

We don't just recommend — we build and wire the controls in with your team, in code and configuration, and close the gaps for real.

  • Control implementation
  • Secure infrastructure-as-code
  • BAA & vendor controls
  • Policy & procedure support

04 Evidence & audit support

We produce the evidence and sit beside you through SOC 2, HITRUST and customer security reviews — so the audit is an export, not a scramble.

  • Evidence collection & mapping
  • Auditor & customer liaison
  • Continuous-compliance setup
  • Remediation of findings

What we put in place

The controls behind a compliant platform

Access control & IAM

Least-privilege identity and role-based access to every PHI surface.

  • Unique user IDs
  • Role-based access
  • MFA & SSO
  • Emergency & session access

Encryption & keys

PHI encrypted in transit and at rest, with managed key rotation.

  • TLS everywhere
  • At-rest encryption
  • KMS & key rotation
  • Field-level where needed

Audit logging

Tamper-evident records of who touched what, retained to policy.

  • Access & change logs
  • Tamper-evident storage
  • Retention policy
  • Review & alerting

Risk analysis

Ongoing risk assessment, ranked and tracked to closure.

  • Asset & data inventory
  • Threat & risk scoring
  • Risk register
  • Remediation tracking

BAA & vendor governance

Every subcontractor that touches PHI is covered by a BAA and has been risk-assessed.

  • BAA management
  • Vendor risk reviews
  • Subprocessor inventory
  • Data-sharing controls

Breach & incident response

A tested plan for detection, containment and notification.

  • Detection & triage
  • Containment runbooks
  • Breach notification
  • Tabletop exercises

Who it's for

Compliance pressure comes from different places

Whether it's a looming audit, an enterprise customer's security review, or a regulator at the door — we tune the work to whatever is actually driving the deadline.


Startups selling into health systems

Your biggest deal is blocked on a security questionnaire or a SOC 2 report. We get you to a credible, evidenced posture fast — without over-building for a stage you're not at yet.

  • Security questionnaire support
  • SOC 2 / HITRUST readiness
  • Evidence & policy pack
  • Architecture that scales with you

Providers & health systems

You hold PHI at scale and answer to OCR, internal audit and your board. We harden the architecture and produce the documentation that proves the controls actually work.

  • Security Rule alignment
  • OCR-ready documentation
  • Internal audit support
  • Standing risk program

Software & platform vendors

Your customers inherit your compliance posture. We make it a selling point — multi-tenant isolation, customer-facing trust artifacts and governance you can stand behind.

  • Multi-tenant PHI isolation
  • Customer-facing trust docs
  • Subprocessor governance
  • Continuous compliance

Beyond HIPAA

One architecture, many frameworks

HIPAA is the floor. The same controls we put in place map straight to the frameworks your customers and regulators ask about next.

HIPAA Security & Privacy

Core

The baseline for any platform that creates, receives or stores US protected health information.

SOC 2 (Type I & II)

Readiness → audit

The report enterprise buyers ask for first. We get you ready and support the audit end to end.

HITRUST CSF

Mapping → cert

The certification health systems increasingly require of their vendors. Control mapping and remediation.

NIST 800-53 / CSF

Mapping

The control catalog underneath most of the above. We map your controls and close the gaps.

HIPAA Privacy Rule

Process + tech

Use, disclosure and patient-rights handling — backed by real process and system controls.

State & international

Scoped

GDPR, DHA/NABIDH and state privacy laws when you operate beyond US borders — scoped per market.

How we deliver

From gap to audit-ready

01 Scope

Systems, data flows and which frameworks are actually in play.

02 Assess

Gap analysis against the Security Rule and your target frameworks.

03 Design

The control architecture and a ranked remediation plan.

04 Remediate

Implement the controls with your team — in code and configuration.

05 Evidence

Collect, map and package the proof against each control.

06 Audit & sustain

Support the audit, then keep compliance continuous.

How we engineer

Compliance principles we build by

The convictions behind every control we put in — the difference between a platform that passes an audit and one that's actually safe.


Least privilege by default

No standing access to PHI that isn't justified, logged and time-boxed.

Encrypt everything

PHI is encrypted in transit and at rest, end to end — no exceptions, no quiet gaps.

Evidence by default

If a control isn't producing evidence, it isn't done. Audits become an export, not a scramble.

Compliance as code

Controls live in infrastructure-as-code and policy — version-controlled and repeatable.

Continuous, not point-in-time

Posture is monitored continuously, not reconstructed the month before an audit.

Defense in depth

No single control is load-bearing. Safeguards overlap by design, so one gap isn't a breach.

Questions

HIPAA architecture FAQ

Do you make us HIPAA 'certified'?

There is no official HIPAA certification — anyone claiming to sell one is overselling. What we deliver is a defensible, evidenced architecture aligned to the Security and Privacy Rules, plus readiness for the certifications that do exist (SOC 2, HITRUST), which are what buyers actually ask for.

We're pre-revenue — is this premature?

If you're handling PHI or selling into healthcare, no. The cheapest time to build the controls in is before the architecture sets. We scope to your stage so you get a credible posture without over-engineering for scale you don't have yet.

How is this different from buying a compliance tool?

Tools track and automate evidence — they don't design your access model, encryption or segmentation. We do the architecture and implementation, and we'll wire a tool in where it earns its place. The two are complementary.

Can you support our SOC 2 or HITRUST audit?

Yes. The same controls we put in for HIPAA map directly to SOC 2 and HITRUST. We handle readiness and evidence, and act as the technical liaison with your auditor throughout the engagement.

Do you only assess, or do you implement?

Both — and implementation is the point. We can deliver an assessment alone, but most clients want the gaps actually closed, so we build and wire in the controls with your team rather than handing over a report.

Let's get audit-ready

Need your platform to pass its next security review?

Tell us what's driving the deadline — an audit, an enterprise deal, or a regulator. We'll come back with a clear path to a defensible posture.
