RegulatorySignals
HIPAA Security Rule · HHS OCR Enforcement

4 HIPAA documents generated from your codebase

Hospital IT wants your §164.308 Risk Analysis, Safeguards Summary, Breach Notification Protocol, and BAA Checklist. Stop building them manually for every RFP.

Quarterly monitoring — $1,990/quarter

Automated quarterly HIPAA re-scans and updated §164.308 documentation delivered to your dashboard every 90 days.

$141–$2.1M: HHS OCR penalty range per violation category per year

60-day window: §164.404(b)/§164.408 breach notification deadline to individuals and HHS

AI vendors in scope: any AI product processing ePHI is a Business Associate under §164.308(b)

What's in the HIPAA Pack

4 named documents sourced from your codebase — never fabricated.

1. Risk Analysis Report · §164.308(a)(1)

ePHI system scope (one entry per scanned repo), threat and vulnerability identification (§I.B), and likelihood × impact assessment per OCR Audit Protocol table (§I.C). Governance section always present — questionnaire required if no ePHI classification exists.

2. Safeguards Summary · §164.308 / §164.310 / §164.312

All seven named safeguard sections always rendered — a missing section heading is an immediate OCR audit deficiency. Physical safeguard sections (facility access, workstation) render amber by design. Audit Controls (§164.312(b)) separated from access controls — the most-cited OCR corrective action finding.

3. Breach Notification Protocol · §164.400-414

60-day HHS notification timeline always present as static regulatory text. Four-factor Breach Risk Assessment (BRA) per HHS guidance always rendered. Critical findings mapped to inline BRA workflow guidance.

4. Business Associate Agreement Checklist · §164.308(b) / §164.504(e)

AI model providers (model_usage findings) surfaced first — external AI APIs transmitting clinical data are the §164.308(b)(1) scenario OCR targets. Required BAA provisions checklist: permitted uses, PHI safeguards, reporting, return/destroy.

How to get HIPAA compliance documentation for a hospital contract

1. Scan your GitHub repository

Paste your GitHub repo URL. The AI scanner analyses ePHI data flows, access controls, encryption, audit logging, and third-party AI dependencies.

2. Select HIPAA Audit Pack ($9,990)

After the scan completes, select the HIPAA pack. The engine maps scan findings to §164.308 Risk Analysis, §164.308/310/312 Safeguards Summary, §164.400 Breach Notification Protocol, and §164.308(b) BAA Checklist.

3. Download your 4-document pack and cert link

Download the PDF and receive a separate tamper-evident certificate URL (HMAC-SHA256 signed) to paste into hospital procurement portals. Note: the cert URL is signed; the PDF itself is a plain export of the audit pack content. Complete the questionnaire to fill any amber sections.
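The tamper-evident certificate URL described above is an HMAC-SHA256 signed link. The following added example is not RegulatorySignals' code and assumes nothing about their URL layout or key handling; it shows the general pattern a procurement portal or an issuer's verification endpoint would follow: a fixed-order canonical message over the certificate claims, a constant-time MAC comparison, and an expiry check, so that any edit to a claim in the URL is detected. Field names, key, and sample values are constructed for the demo.

```python
"""Issue and verify a tamper-evident, HMAC-SHA256 signed certificate URL (illustrative, not vendor code)."""
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed demo key. In a real service the key stays server-side and the
# procurement portal calls the issuer's verification endpoint (assumption).
DEMO_KEY = b"constructed-demo-key-do-not-use"

# Claims covered by the signature, in a fixed order so signer and verifier agree.
FIELDS = ("cert", "repo", "issued", "expires")


def _canonical(params):
    """Newline-delimited key=value message over FIELDS; any change here changes the MAC."""
    return "\n".join(f"{k}={params[k]}" for k in FIELDS).encode()


def sign_cert_url(base_url, cert_id, repo, issued, expires, key=DEMO_KEY):
    """Build the signed URL: claims as query parameters plus a hex HMAC-SHA256 tag."""
    params = {"cert": cert_id, "repo": repo, "issued": issued, "expires": expires}
    params["sig"] = hmac.new(key, _canonical(params), hashlib.sha256).hexdigest()
    return f"{base_url}?{urlencode(params)}"


def verify_cert_url(url, now, key=DEMO_KEY):
    """Return (ok, reason). No claim in the URL is trusted until the MAC checks out."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    # Duplicate parameters are rejected: a verifier must not let a second copy
    # of a claim override the signed one.
    params = {k: v[0] for k, v in qs.items() if len(v) == 1}
    if any(k not in params for k in FIELDS + ("sig",)):
        return False, "missing field"
    expected = hmac.new(key, _canonical(params), hashlib.sha256).hexdigest()
    # compare_digest avoids leaking the position of the first mismatching byte.
    if not hmac.compare_digest(expected, params["sig"]):
        return False, "bad signature"
    try:
        if now > int(params["expires"]):
            return False, "expired"
    except ValueError:
        return False, "bad expiry"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: certificate issued at 1700000000, valid for one day.
    url = sign_cert_url("https://example.invalid/cert", "C-001", "demo-app",
                        1700000000, 1700086400)
    print(url)
    print(verify_cert_url(url, now=1700000500))                                   # (True, 'ok')
    print(verify_cert_url(url.replace("repo=demo-app", "repo=other-app"),
                          now=1700000500))                                        # (False, 'bad signature')
    print(verify_cert_url(url, now=1700086401))                                   # (False, 'expired')
```

Note what the signature does and does not cover: it binds the claims carried in the URL, so editing the repository name, the certificate id or the expiry breaks verification, but it says nothing about a PDF that travels separately. That matches the caveat above that the PDF is a plain export. A verifier that wants the document itself to be tamper-evident would add the document's SHA-256 digest to the signed fields and recompute it over the received file before accepting the link.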

Evidence-sourced, not fabricated

OCR expects real evidence, not templates

When scanner evidence is missing, the document renders an amber callout: “Evidence not available — questionnaire required.” Physical safeguard sections always render amber by design — a code scanner cannot assess facility locks. The 60-day breach timeline and 4-factor BRA are always present as static regulatory text.

Cover + 4 HIPAA documents + Appendix A/B/C + linked tamper-evident cert URL

AI-assisted verification

Each generated document is checked by an AI verifier (Claude) for obvious citation drift and hallucinated claims. The verifier does not cross-reference claims against the authoritative regulation text and does not replace legal review. Have qualified counsel review before submitting to any regulator (OCR, FCA, BaFin, SEC). Regulatory Signals is an independent technical evaluation provider, not an accredited certification body under ISO/IEC 17065 or ISO/IEC 17021.

Frequently asked questions

What HIPAA documents does an AI vendor need before signing a hospital contract?

At minimum: a completed §164.308(a)(1) Security Risk Analysis, an Administrative and Technical Safeguards Summary, a Breach Notification Protocol aligned to the 60-day HHS reporting requirement, and a Business Associate Agreement (BAA) checklist. OCR expects these to be specific to your system architecture, not generic templates.

How long does it take to complete a HIPAA Security Risk Analysis?

Traditional manual SRAs take 3–6 months with a consultant. Automated approaches that scan your codebase can generate a defensible §164.308(a)(1) report in hours, though legal review is still recommended before presenting to a covered entity.

Does a BAA checklist protect an AI vendor during hospital procurement?

A completed BAA checklist demonstrates that the vendor has reviewed required contractual safeguards under 45 CFR §164.308(b) and §164.504(e). Hospital IT procurement teams increasingly require this as a pre-qualification document before legal negotiates the actual BAA.

What is the HIPAA breach notification timeline?

Under §164.404(b), covered entities must notify affected individuals without unreasonable delay and no later than 60 days after discovery of a breach. Under §164.408, breaches affecting 500 or more individuals must be reported to HHS without unreasonable delay and in any case no later than 60 days; breaches affecting fewer than 500 individuals must be reported to HHS annually.

Is the $9,990 pack a replacement for a HIPAA consultant?

No. The pack generates evidence-sourced documentation from your codebase — sections where scanner evidence is missing render an amber callout rather than fabricated content. Use the pack to cut your consultant's scoping phase from weeks to hours, not to replace the engagement.

Win the hospital contract

$9,990 one-time · $1,990/quarter optional monitoring (subscribe above) · Cert signed (HMAC-SHA256). Documentation ready in under 10 minutes.

Automated analysis. Not legal advice. Review with qualified HIPAA counsel before presenting to a covered entity.