hms. was founded in 2024 by three people who'd spent a decade building security programs for large organizations — and watched the same failures play out in small practices, over and over, because nobody was building tools for them.
It was always a friend-of-a-friend. A pediatric practice with 11 staff. A therapy group with 6. A dental office. They'd gotten an OCR letter, or a breach notification from a vendor, or a nasty cyber insurance renewal — and they had no idea what to do.
We'd spend a Saturday walking them through it, usually by phone, sometimes over a kitchen table. And we'd realize: these are not stupid people. They're exhausted. HIPAA is hard for them because it was drafted with hospitals in mind, organizations that have general counsel and a compliance team to read it.
The tools for small practices either didn't exist, or were spreadsheets repackaged as SaaS, or were enterprise GRC platforms priced and designed for 5,000-person companies. None of it fit.
So we built the thing we kept wishing existed.
If you do the right thing daily, the binder writes itself. Software should capture evidence as a side-effect of doing the work — never the point of it.
Independent practices see 70% of US patients. Building for hospitals ignores most of the market — and, frankly, most of the people.
Our typical user is a nurse practitioner with three other jobs. Tools should respect her time, not drown her in a cockpit designed for a full-time CISO.
"Your risk assessment is ready" — not "Risk Assessment Generation Complete." Jargon hides bad design and excludes the people who need the product most.
HIPAA only. No SOC 2, no ISO, no GDPR. The platform is better because we're not trying to be three platforms.
Flat pricing. No per-seat. No "contact sales" dark patterns. If we can't explain the cost in one sentence, we haven't priced it right.
Compliance is a place where calm matters more than clever. We'd rather be the one tool in the stack that never surprises you.
Fourteen people in four cities. We're building a culture — carefully — so we can hire well for a long time.
Previously led security operations at Harvard Medical School. Answers email faster than is healthy.
Built security tooling at the Defense Health Agency. Thinks SaaS is the highest form of craft.
Ran compliance at a 40-person pediatric group for six years. Brings the kitchen-table perspective.
We're backed by investors who understand that small healthcare moves at the pace of trust — not the pace of a term sheet. We've chosen partners who are in this for a decade, not a cycle.
We hire rarely and slowly — usually a few roles a year. If you like calm, boring-on-the-surface software and caring-a-lot-on-the-inside people, we'd love to hear from you.
Email hello@hipaa.inc. A real human replies, usually inside a workday.