Healthcare-vertical engagement

Defensible AI in healthcare. With the audit to prove it.

A 3–4 week engineering audit of one AI-touching system in your environment. HIPAA, BAA chain, FDA SaMD screening, agentic-attack threat surface, accessibility — the report your privacy officer hands the board.

Schedule a 30-min scoping call

Read a sample report (Beacon Health)

$20,000–$35,000 Three to four weeks · T&M with cap

A vendor pilot graduated. Now your privacy officer is asking what you’re exposed to.

A vendor pilot graduated. Or an innovation team’s AI-mediated symptom checker shipped to production. Or your patient portal added an AI summary feature. Now your privacy officer has a question — what’s our exposure? — and the answer is some combination of “the vendor said it’s HIPAA-compliant,” “we have a BAA somewhere,” and “we ran axe-core once.” Those answers may not be sufficient under OCR enforcement scrutiny, malpractice discovery, or class-action proceedings. The audit produces evidence-backed documentation calibrated to those scrutiny lenses.

PHI plus AI is ghost-summoning with regulatory teeth. Your privacy officer didn’t approve a vendor relationship; the innovation team summoned a powerful pattern-completion engine into a system that holds protected information, and the OCR doesn’t care that nobody briefed your CCO. The audit is the exorcism, the BAA chain is the warding, and the regulatory grounding — 45 CFR 164.302–164.318, FDA AI/ML SaMD screening, breach-notification mechanics — is what makes the deployment defensible instead of a malpractice theory waiting for discovery.

Generic compliance audits don’t fix this. Most run a checklist scored from interviews; they don’t read the code, don’t enumerate the BAAs, don’t screen for SaMD exposure, and don’t model the agentic-attack threat surface against your environment specifically. The findings are advisory. The privacy officer’s job is not advisory.

You need an engineering audit. Specific to AI. Specific to healthcare. Specific to your system. BST is the operator that built HELiX — our open-source healthcare component library shipping at WCAG 2.1 AA — and runs an active engagement at one of the largest health systems in the country. The Compliance Review is not a healthcare-curious security firm doing a side project; it is a healthcare-credentialed engineering audit run by the principal who already lives inside the regulatory and accessibility constraints your system has to meet.

Compliance gap analysis

Every category of HIPAA Security Rule technical safeguards scored against your environment, with severity per finding, remediation pointer, and 45 CFR 164.302–164.318 control mapping.
BAA review memo

Every BAA in your AI chain reviewed for scope, sub-processor language, training opt-out, and breach-notification mechanics. Redline recommendations included.
Remediation roadmap

Phased plan with effort estimates, ownership, and dependencies. Slottable directly into quarterly engineering planning.
Audit-ready documentation

Control descriptions mapped to regulatory citations. The document the privacy officer hands to the audit committee unmodified.
Executive summary

One page, plain language, calibrated to the risk register. Designed for board, audit-committee, or external counsel consumption.
Findings review

90-minute walkthrough with privacy officer, security lead, and engineering lead. Every finding walked by the BST principal who did the work.

Process

How it works

Inspection
Week 1

Deliverable Architecture read end-to-end

Architecture read end-to-end. Code, config, prompts, audit logs, IAM, network topology. We do not begin scoring work until the system is mapped and access is written down.
Documentation
Week 2

Deliverable Severity-rated findings with file-and-clause citations

Every category scored against the rubric. Severity-rated findings with file-and-clause citations. Findings tagged to the four-class AI technical-debt taxonomy with HIPAA overlay.
BAA Review
Week 2–3

Deliverable BAA chain reviewed; redline recommendations

Every BAA in the AI chain read. Scope gaps surfaced. Sub-processor language reviewed. Training opt-out and breach-notification mechanics evaluated. Redline recommendations delivered.
Reporting
Week 3–4

Deliverable Final report + 90-minute findings review

Final report assembled. 90-minute findings review with privacy officer, security lead, and engineering lead. Audit-ready documentation delivered.

$20,000 – $35,000 Three to four weeks · T&M with cap

Engagement model Time & materials with not-to-exceed cap

Single AI feature on a single deployment substrate with a single BAA in scope lands at $20K–$25K. Multi-tenant AI surface with hybrid topology and 2–3 BAAs lands $25K–$30K. Multi-tenant plus jurisdiction overlay (GDPR, NHS DSPT, state law) lands $30K–$35K.

Request a scoping call

Anchor pricing reflects typical engagement ranges. Actual fees are scoped per engagement under time-and-materials with a not-to-exceed cap. Pricing shown does not constitute a binding offer.

FAQ

Frequently asked questions

Does this provide a HIPAA certification?

No. There is no HIPAA "certification." HIPAA is a regulatory framework; compliance is a continuous posture. We deliver gap analysis and remediation roadmap, calibrated to 45 CFR 164.302–164.318 (the Security Rule technical safeguards). For third-party attestation, the closest analogues are HITRUST CSF certification and SOC 2 Type II with HIPAA mapping — we coordinate with those audit shops where they are already in flight.

Do you sign a BAA?

Yes. BST signs BAAs through Clarity House LLC. Standard before any PHI access. The BAA is a precondition of the engagement, not an add-on. Adjacent PHI-touching surfaces (patient portals) route to the G1 Patient Portal Audit, which shares the same BAA infrastructure.

Will you sign the VPAT?

Yes — but the VPAT 2.5 / ACR signature is a separate engagement. The Compliance Review assesses accessibility as one audit lens; the B1 VPAT engagement converts that assessment into a signed conformance artifact under principal-engineer attestation. The two bundle frequently when the same release window needs both.

Can BST do the remediation work too?

Yes, on a separate SOW. Many clients run the Compliance Review as a discovery engagement and fund remediation against the prioritized roadmap. Where the engineering org is also adopting Claude Code or other agentic tooling, the Engineering Practice cluster covers governance install (REA, HELiXiR, agent audit trail).

What if you find a reportable breach indicator?

We stop the audit, escalate to your privacy officer immediately, and document with timestamp and chain-of-custody. The 60-day clock under 45 CFR 164.404 is your privacy officer’s call to act on; our role is to surface the indicator quickly and preserve evidence integrity.

Do you cover GDPR / state law / international jurisdictions?

Default scope is US HIPAA. We add jurisdiction-specific overlays at additional T&M cost:

EU GDPR
UK NHS DSPT
California CMIA
Texas HB 300

Multi-jurisdiction profiles land in the upper end of the price band.

Can this be done remotely?

Yes. Designed for remote delivery. On-site available at additional T&M cost when required by your security policy.

How is this different from our HITRUST or SOC 2 audit?

We coordinate with your existing audit work. Our findings are scoped to gaps the existing assessment did not cover — typically AI-specific surface:

Prompt logging and retention
Embedding scope and PHI-leakage paths
Agent governance and tool-call audit
FDA SaMD exposure under 21 CFR 820

For the deeper agentic-attack lens (OWASP LLM Top 10, MCP server posture), pair with the AI Security Review.

Ready to give your privacy officer a defensible answer?

Three to four weeks. Engineering audit. BAA before any access. Findings your audit committee can act on.

Schedule a 30-min scoping call

Talk to a principal first

Defensible AI in healthcare. With the audit to prove it.

A vendor pilot graduated. Now your privacy officer is asking what you’re exposed to.

What you get

Compliance gap analysis

BAA review memo

Remediation roadmap

Audit-ready documentation

Executive summary

Findings review

How it works

Inspection

Documentation

BAA Review

Reporting

Pricing

Frequently asked questions

Often combined with

AI Security Review

Patient Portal Accessibility Audit

Ready to give your privacy officer a defensible answer?