How it works

From paperwork to program, in fourteen days.

Most practices are HIPAA-compliant on paper and exposed in practice. hms. closes the gap — without a binder, a consultant, or a six-month project.

01. Import, or start clean.

Upload what you have — policies, BAAs, training records. We index every document and map it to HIPAA controls. No policies yet? Start from 23 practice-ready templates.

02. Run the checklist.

The right task shows up for the right person at the right time. Training for staff. Attestations for providers. Risk assessment prompts for the Privacy Officer.

03. Export on demand.

Every completed task becomes timestamped audit evidence. When OCR asks, export a complete program in one click. When your insurer asks, same answer.

The checklist

Your HIPAA program, running itself.

No more spreadsheets. No more chasing. Every control, every deadline, every task — surfaced when it matters, not before.

  • Automatic task routing — the right person, every time
  • AI walks staff through hard tasks step by step
  • Quarterly & annual controls scheduled in advance
  • Evidence captured automatically on task completion
  • Never miss a review date, renewal, or attestation

  • Annual HIPAA workforce training: 12 of 12 staff · Mar 12 (Complete)
  • Risk assessment — Q2 review: Assigned to Griff · 5 days (Due soon)
  • BAA — Stripe: Awaiting countersignature (Pending)
  • Review access to PHI systems: Scheduled May 1 (Scheduled)
  • Quarterly device inventory: Auto-generated from MDM (Complete)

Policy chat

  Q: What's our breach-notification timeline for fewer than 500 people?
  A: 60 days from discovery, per Breach Notification Policy §3.2. Individual notice is required within 60 days; HHS notification is annual for breaches affecting fewer than 500 individuals.

  Q: Who's the designated Privacy Officer?
  A: Griff Collins, per Privacy Policy §1.4. Appointed Jan 15, 2025.

Policy chat

Ask your policies anything.

Every answer cites the source document. Your staff gets to an answer in seconds, not hours. Your Privacy Officer stops being a human FAQ.

  • Grounded exclusively in your indexed policy library
  • Cites the policy, section, and last review date
  • Available to every team member — answers vary by role
  • Hallucinates less because it's constrained by your data
  • Every question becomes a training signal
Evidence on demand

When OCR knocks, you're ready.

The difference between a $0 finding and a $50,000 fine is often whether you can produce evidence. hms. captures evidence as a byproduct of doing the work — so the binder is always current.

  • Every task completion is timestamped and signed
  • Training records, attestations, risk assessments — all exportable
  • Workforce roster auto-synced with your HR system
  • Device inventory generated from MDM — no manual list
  • 90-day audit-ready export, on demand

  • Risk_Assessment_Q1_2026.pdf (CTRL-164.308): Generated Apr 02 · 4.2 MB · Signed
  • Training_Attestations_2026.pdf (CTRL-164.308(a)(5)): Generated Apr 14 · 1.8 MB · 12 signatures
  • BAA_Register_Apr_2026.csv (CTRL-164.308(b)): Generated Apr 14 · 14 vendors · Current
  • Full audit export: Everything. One zip. One click.

We went from a shared Dropbox folder and four panicked Slack channels to a program that runs itself. Our first audit was four hours, not four weeks.

Dr. Amy Chen · Privacy Officer, therapitas (18 locations)

Fourteen days until it's done.

Trial is free. Onboarding is white-glove. You'll know by day three whether we're right for your practice.