

HIPAA posture.

What we sign, what we host, what we control, and what happens to your data at handoff. This page is the short practice-facing summary. The full controls list lives in the BAA we sign before the engagement starts.

This page is the current published posture as of the Practice Operations Toolkit launch. The complete posture document, including incident-handling procedures, audit rights, and the controls matrix, is delivered with each engagement and will be expanded here in a follow-up.

Six anchors

The HIPAA posture, in six lines.

The six commitments AC5 Labs operates under for any build that touches PHI. Each one is reflected in the BAA and operated through the HIPAA Controls Baseline container.

BAA before PHI

We sign the Business Associate Agreement before any PHI is touched.

The BAA is signed at the start of the Scope phase, before any access is granted, before any data flows. The agreement covers the controls AC5 commits to operate under, the access scope, the breach notification window, and the wipe procedure at handoff.

Controls baseline

NIST 800-171 baseline · HIPAA Security Rule on top.

Every build inherits the NIST SP 800-171 controls baseline by default: named accounts, phishing-resistant MFA, AES-256 at rest and TLS 1.2+ in transit, a full audit log of PHI access, encrypted backups, configuration-as-code, and an incident response runbook. The HIPAA Security Rule controls operate on top of and overlap with that baseline; the same controls are delivered in the production environment your practice owns at handoff. See the full security standard for the control families and how each one shows up in an engagement.

Hosting options

US-hosted only. Cloud account in your name, hosting included.

AWS or Azure under a signed BAA, with the cloud account in your name from day one. Hosting is included in the fixed fee for the first three years; AC5 sets it up, keeps it running, and patches it. After year three you pick: keep us running it on a known annual line, take over the cloud bill yourself, or move to your own infrastructure. On-prem deployment is available for practices or specialties that require it. We never host outside the United States.

Wipe at handoff

Written confirmation of wipe from every development environment.

At the Handoff phase, we revoke our access, transfer credentials, and wipe every development and staging environment that ever held production PHI. The wipe is documented and signed; the documentation lives in the Evidence Binder container.

HIPAA SRA delivered

The HIPAA Security Risk Assessment is part of the Evidence Binder.

The toolkit ships with a current HIPAA Security Risk Assessment for the install, scoped to your environment. Future SRAs are produced in the Evidence Binder container on a defined cadence; the methodology is published with the build.

Subcontracting

We do not subcontract development offshore without disclosing it first.

AC5 Labs is a small firm. The same operators who scope the work also build the work. If a specific engagement ever needs a subcontractor with PHI access, you are told before the engagement is signed and the subcontractor signs the same BAA.

Want the full controls list?

We send the draft BAA before the discovery call so your counsel can review it on the call. If your practice or specialty has additional requirements, we adapt; the controls baseline is the floor, not the ceiling.