Orchestra
Healthcare compliance

HIPAA-ready by design. Compliant by your program.

There is no such thing as “HIPAA-certified software”, no authority issues that stamp. What we can do, and have, is ship the §164.312 technical safeguards, refuse the operations that would leak PHI, and hand your compliance team the documents that draw the responsibility line. The result: adopting Orchestra is an easy yes for your auditor.

The honest version

HIPAA splits into three buckets. Software can only own one of them. Anyone telling you their app “makes you HIPAA compliant” is selling you a sentence their lawyer wouldn’t sign.

§164.312

Technical safeguards

Access control, audit, encryption, auto-logoff, transmission security.

We own this, it's in the product.

§164.308

Administrative safeguards

Risk analysis, training, sanction policy, breach runbook, named officers.

Your program owns this, it's policies + people.

§164.310

Physical safeguards

Facility access, workstation security, device disposal.

Your program owns this, it's your premises.

What Orchestra enforces in healthcare mode

Refuses unsafe data egress

In HIPAA/PHIPA mode the engine blocks any step that would send PHI to a party without a BAA, browser automation, image search, third-party file downloads. They don't 'try and fail'; they refuse up front and tell you why.

Gates the model on a signed BAA

Every model call is refused until you attest a signed Business Associate Agreement with your AI provider (Enterprise tier). The attestation is timestamped and written to the tamper-evident audit log.

Keeps PHI on the machine by default

Workflows default to local execution. Anything that would route through our relay is blocked unless you've moved the relay to a BAA-covered host and attested it, so we stay out of your PHI path entirely.

Automatic logoff

§164.312(a)(2)(iii). Idle sessions lock after a configurable timeout, clearing the in-memory key so local data is unreadable until re-authentication.

Tamper-evident audit

Every action is hash-chained and exportable as signed records for your SIEM. Partial tampering breaks the chain visibly.

Encryption everywhere it can reach

TLS on all transit; end-to-end encrypted envelopes to managed agents. At rest, we direct you to enable full-disk encryption on the host (NIST 800-111) and surface it as a control.

Documents for your compliance department

The product generates these on demand, pre-filled for your entity. They turn “is this our job or theirs?” into a documented answer your auditor can sign off against.

  • Shared Responsibility Matrix

    Every §164.308/310/312 control mapped to Software / Customer / Shared, with notes. The single page that gets you out of owning your customer's policy work.

  • HIPAA Implementation Guide

    Step-by-step for the compliance officer: decide the PHI data path, harden the host, sign the BAAs, turn on healthcare mode, write the required policies, operate + evidence.

  • §164 Control Mapping (CSV)

    Citation → control → owner → status → evidence. Paste straight into your GRC tool (Vanta, Drata, a spreadsheet).

  • BAA Template

    A starting-point Business Associate Agreement, pre-filled with your entity names and effective date, for your counsel to review.

These are starting points, not legal advice. Have your healthcare-privacy counsel review before processing PHI.

Canada, PHIPA / PIPEDA / Law 25

If your patients and data are Canadian, HIPAA likely doesn’t apply to you at all, you’re governed by PIPEDA federally and a provincial health-information act (PHIPA in Ontario, HIA in Alberta, Law 25 in Quebec, and so on). Orchestra’s healthcare mode runs the same technical guards under a PHIPA profile.

One thing to flag explicitly: model inference runs in the United States. Under PIPEDA and Law 25 that is a cross-border disclosure, which typically requires a data-processing agreement and patient notice/consent. Orchestra surfaces this in the compliance dashboard and keeps PHI local by default so you control when, if ever, it leaves the country.

What this does NOT do

Turning on healthcare mode does not make you compliant, and we won’t pretend otherwise. You still own:

  • Signing the Business Associate Agreement with your AI provider (you hold the key, so it’s your agreement).
  • Your risk analysis, workforce training, and the policies in §164.316.
  • Your breach-notification procedure and named Security/Privacy Officers.
  • Enabling full-disk encryption on the host and testing your backups.
  • An annual penetration test / vulnerability scan.

We give you the technical half and the paperwork that maps the rest. Your compliance team operates it. That’s the deal, and it’s a stronger one than “trust us, it’s compliant.”

Bring your compliance officer to the call.

We’ll walk your team through the shared-responsibility matrix, the control mapping, and exactly where your work begins and ours ends. No hand-waving.

HIPAA & PHIPA readiness, Enterprise Orchestra