OllaSuper

HIPAA Compliance Agent

BAAs, risk assessment, breach notification, ePHI inventory — for US healthtech and anyone touching PHI.

What it does

Tasks HIPAA ships every week.

Privacy + Security Rule
  • NIST 800-66 / HIPAA Security Rule mapping
  • ePHI inventory
  • Annual risk assessment
  • Minimum Necessary policy
BAA management
  • BAA drafting + redlines
  • Subcontractor BAA chains
  • Vendor BAA inventory
  • Termination notices
Incident response
  • Breach assessment (4-factor)
  • Notification letters (individual, HHS, media)
  • OCR investigation responses
  • Workforce sanctions
Worked sample

A real HIPAA chat.

No edits · no cherry-picks
You
We're a 30-person digital therapeutics startup. We push to GA next quarter. Tell me the top 10 HIPAA priorities right now.
HI

Top 10 HIPAA priorities — 30-person digital therapeutics, pre-GA

1. ePHI inventory + data flow diagram. Where PHI enters, where it lives, where it leaves. This is the foundation. If you can't show it to OCR in 24 hours, nothing else matters. Two days of work.

2. Sign BAAs with every vendor touching PHI. Likely list: AWS (have it), Twilio (need it), SendGrid (need it), any analytics vendor, any LLM provider (OpenAI has one), your error monitoring (Sentry — they have one). One missing BAA = HIPAA violation regardless of how good your other controls are.

3. Workforce training + access agreements. Every employee, contractor, and intern signs an access agreement + completes HIPAA training before getting any access to systems that touch PHI. Annual refresher. Document the dates.

4. Minimum Necessary policy. Written policy that says 'workforce members only access the PHI necessary for their job function.' Then enforce via role-based access on your DB, not just app-level.

5. Audit logging on PHI access. Who looked at what patient record when. Logs retained 6 years (HIPAA requirement). CloudTrail for AWS + app-level audit log for PHI reads.

6. Encryption at rest + in transit. TLS 1.2+ everywhere, encrypted EBS/RDS, KMS-managed keys, no client-side storage of PHI without explicit encryption.

7. Risk assessment (annual + when anything material changes). This is the one OCR will ask for first. Use NIST 800-66 Rev 2 as the framework. Document it. Don't skip it.

8. Incident response runbook. What happens in the first 60 minutes of a suspected breach. Who calls who, who decides if it's a breach, who notifies. Tabletop exercise once a year.

9. BAA chain audit. Your BAA with AWS isn't enough — you need BAAs (or attestation) from any vendor AWS uses for PHI processing. Most are fine; document it.

10. Right-of-access + amendment workflows. Patients can demand their PHI in 30 days and request amendments. Have the workflow built before someone asks. Most healthtech ignores this until they get a complaint.

What's NOT a HIPAA priority (skip for now):

  • SOC 2 (it overlaps but isn't HIPAA — do it later)
  • HITRUST (enterprise customers may want it eventually, not pre-GA)
  • State-specific laws (CCPA, NY SHIELD) — relevant but distinct

Want me to draft #1 (data flow diagram) first?

Put HIPAA on your team.
Plus 18 other experts. One subscription. No setup.