Technical safeguards
Access control, audit, encryption, auto-logoff, transmission security.
We own this, it's in the product.
There is no such thing as “HIPAA-certified software”, no authority issues that stamp. What we can do, and have, is ship the §164.312 technical safeguards, refuse the operations that would leak PHI, and hand your compliance team the documents that draw the responsibility line. The result: adopting Orchestra is an easy yes for your auditor.
HIPAA splits into three buckets. Software can only own one of them. Anyone telling you their app “makes you HIPAA compliant” is selling you a sentence their lawyer wouldn’t sign.
Access control, audit, encryption, auto-logoff, transmission security.
We own this, it's in the product.
Risk analysis, training, sanction policy, breach runbook, named officers.
Your program owns this, it's policies + people.
Facility access, workstation security, device disposal.
Your program owns this, it's your premises.
In HIPAA/PHIPA mode the engine blocks any step that would send PHI to a party without a BAA, browser automation, image search, third-party file downloads. They don't 'try and fail'; they refuse up front and tell you why.
Every model call is refused until you attest a signed Business Associate Agreement with your AI provider (Enterprise tier). The attestation is timestamped and written to the tamper-evident audit log.
Workflows default to local execution. Anything that would route through our relay is blocked unless you've moved the relay to a BAA-covered host and attested it, so we stay out of your PHI path entirely.
§164.312(a)(2)(iii). Idle sessions lock after a configurable timeout, clearing the in-memory key so local data is unreadable until re-authentication.
Every action is hash-chained and exportable as signed records for your SIEM. Partial tampering breaks the chain visibly.
TLS on all transit; end-to-end encrypted envelopes to managed agents. At rest, we direct you to enable full-disk encryption on the host (NIST 800-111) and surface it as a control.
The product generates these on demand, pre-filled for your entity. They turn “is this our job or theirs?” into a documented answer your auditor can sign off against.
Every §164.308/310/312 control mapped to Software / Customer / Shared, with notes. The single page that gets you out of owning your customer's policy work.
Step-by-step for the compliance officer: decide the PHI data path, harden the host, sign the BAAs, turn on healthcare mode, write the required policies, operate + evidence.
Citation → control → owner → status → evidence. Paste straight into your GRC tool (Vanta, Drata, a spreadsheet).
A starting-point Business Associate Agreement, pre-filled with your entity names and effective date, for your counsel to review.
These are starting points, not legal advice. Have your healthcare-privacy counsel review before processing PHI.
If your patients and data are Canadian, HIPAA likely doesn’t apply to you at all, you’re governed by PIPEDA federally and a provincial health-information act (PHIPA in Ontario, HIA in Alberta, Law 25 in Quebec, and so on). Orchestra’s healthcare mode runs the same technical guards under a PHIPA profile.
One thing to flag explicitly: model inference runs in the United States. Under PIPEDA and Law 25 that is a cross-border disclosure, which typically requires a data-processing agreement and patient notice/consent. Orchestra surfaces this in the compliance dashboard and keeps PHI local by default so you control when, if ever, it leaves the country.
Turning on healthcare mode does not make you compliant, and we won’t pretend otherwise. You still own:
We give you the technical half and the paperwork that maps the rest. Your compliance team operates it. That’s the deal, and it’s a stronger one than “trust us, it’s compliant.”
We’ll walk your team through the shared-responsibility matrix, the control mapping, and exactly where your work begins and ours ends. No hand-waving.