4 HIPAA documents generated from your codebase
Hospital IT wants your §164.308 Risk Analysis, Safeguards Summary, Breach Notification Protocol, and BAA Checklist. Stop building them manually for every RFP.
$1,990/quarter retest + updated docs · Tamper-evident cert link included · Not legal advice
$141–$2.1M
HHS OCR penalty range per violation category per year
60-day window
§164.412 breach notification deadline to HHS and individuals
AI vendors in scope
Any AI product processing ePHI is a Business Associate under §164.308(b)
What's in the HIPAA Pack
4 named documents sourced from your codebase — never fabricated.
Risk Analysis Report
§164.308(a)(1)
ePHI system scope (one entry per scanned repo), threat and vulnerability identification (§I.B), and likelihood × impact assessment per OCR Audit Protocol table (§I.C). Governance section always present — questionnaire required if no ePHI classification exists.
Safeguards Summary
§164.308 / §164.310 / §164.312
All seven named safeguard sections always rendered — a missing section heading is an immediate OCR audit deficiency. Physical safeguard sections (facility access, workstation) render amber by design. Audit Controls (§164.312(b)) separated from access controls — the most-cited OCR corrective action finding.
Breach Notification Protocol
§164.400-414
60-day HHS notification timeline always present as static regulatory text. Four-factor Breach Risk Assessment (BRA) per HHS guidance always rendered. Critical findings mapped to inline BRA workflow guidance.
Business Associate Agreement Checklist
§164.308(b) / §164.504(e)
AI model providers (model_usage findings) surfaced first — external AI APIs transmitting clinical data are the §164.308(b)(1) scenario OCR targets. Required BAA provisions checklist: permitted uses, PHI safeguards, reporting, return/destroy.
How to get HIPAA compliance documentation for a hospital contract
Scan your GitHub repository
Paste your GitHub repo URL. The AI scanner analyses ePHI data flows, access controls, encryption, audit logging, and third-party AI dependencies.
Select HIPAA Audit Pack ($9,990)
After the scan completes, select the HIPAA pack. The engine maps scan findings to §164.308 Risk Analysis, §164.308/310/312 Safeguards Summary, §164.400 Breach Notification Protocol, and §164.308(b) BAA Checklist.
Download your 4-document pack and cert link
Download the PDF and receive a tamper-evident certificate link (HMAC-SHA256 signed) to paste into hospital procurement portals. Complete the questionnaire to fill any amber sections.
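What "tamper-evident, HMAC-SHA256 signed" means for a procurement reviewer, as an added example that is not the vendor's code: the page states only that the certificate link is HMAC-SHA256 signed, so the token layout, the field names (cert, repo, iat, exp), the demo key and the placeholder certificate and repository values below are all assumptions made for illustration. The example issues a link token whose payload binds a certificate id to a repository fingerprint and an expiry, then shows that verification with a constant-time comparison rejects any edited payload, any token signed with a different key, and any expired token.

```python
"""HMAC-SHA256 tamper-evident link token: issue and verify.

Constructed example for this page. The token layout, field names, key
and placeholder values are assumptions, not the vendor's actual scheme.
"""
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo secret. A real issuer keeps the key server-side only:
# anyone holding it can mint links that verify.
SIGNING_KEY = b"demo-signing-key-not-for-production"


def _b64url(data: bytes) -> str:
    """URL-safe base64 without padding, so the token is safe in a URL."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    padding = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + padding)


def issue_cert_token(cert_id: str, repo_fingerprint: str, issued_at: int,
                     ttl_seconds: int, key: bytes = SIGNING_KEY) -> str:
    """Return '<payload>.<mac>' where mac = HMAC-SHA256(key, payload).

    The payload binds the certificate to a repository fingerprint and an
    expiry; neither can be changed without invalidating the MAC.
    """
    payload = json.dumps(
        {"cert": cert_id, "repo": repo_fingerprint,
         "iat": issued_at, "exp": issued_at + ttl_seconds},
        sort_keys=True, separators=(",", ":"),
    ).encode("utf-8")
    encoded = _b64url(payload)
    mac = hmac.new(key, encoded.encode("ascii"), hashlib.sha256).digest()
    return f"{encoded}.{_b64url(mac)}"


def verify_cert_token(token: str, now: int,
                      key: bytes = SIGNING_KEY) -> Optional[dict]:
    """Return the payload if the MAC is valid and unexpired, else None.

    The MAC is recomputed over the exact encoded payload and compared with
    hmac.compare_digest (constant time). Any byte changed in the payload
    produces a different MAC, which is what makes the link tamper-evident.
    """
    try:
        encoded, mac_b64 = token.split(".")
        presented = _b64url_decode(mac_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(key, encoded.encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, presented):
        return None
    payload = json.loads(_b64url_decode(encoded))
    if payload.get("exp", 0) < now:
        return None
    return payload


def tamper_evidence_demo() -> dict:
    """Issue a token, then check that an edited payload no longer verifies."""
    issued = 1_700_000_000  # constructed timestamp
    token = issue_cert_token("CERT-PLACEHOLDER-0001", "repo-fp-placeholder",
                             issued, ttl_seconds=90 * 24 * 3600)
    ok = verify_cert_token(token, now=issued + 60)

    # Tampered copy: payload re-encoded with a later expiry, original MAC kept.
    encoded, mac_b64 = token.split(".")
    payload = json.loads(_b64url_decode(encoded))
    payload["exp"] += 10 * 365 * 24 * 3600
    tampered_encoded = _b64url(json.dumps(
        payload, sort_keys=True, separators=(",", ":")).encode("utf-8"))
    tampered = f"{tampered_encoded}.{mac_b64}"

    return {
        "valid": ok is not None and ok["cert"] == "CERT-PLACEHOLDER-0001",
        "tampered_rejected": verify_cert_token(tampered, now=issued + 60) is None,
        "expired_rejected": verify_cert_token(
            token, now=issued + 91 * 24 * 3600) is None,
    }


if __name__ == "__main__":
    print(tamper_evidence_demo())
```

The check a procurement reviewer actually needs is the one the verifier performs: recompute the MAC with the issuer's key and compare in constant time. A link whose payload has been edited, whose MAC came from another key, or whose expiry has passed is rejected, and the reviewer never needs to trust the PDF's contents to establish that the link itself is the one the issuer signed.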
OCR expects real evidence, not templates
When scanner evidence is missing, the document renders an amber callout: “Evidence not available — questionnaire required.” Physical safeguard sections always render amber by design — a code scanner cannot assess facility locks. The 60-day breach timeline and 4-factor BRA are always present as static regulatory text.
Frequently asked questions
What HIPAA documents does an AI vendor need before signing a hospital contract?
At minimum: a completed §164.308(a)(1) Security Risk Analysis, an Administrative and Technical Safeguards Summary, a Breach Notification Protocol aligned to the 60-day HHS reporting requirement, and a Business Associate Agreement (BAA) checklist. OCR expects these to be specific to your system architecture, not generic templates.
How long does it take to complete a HIPAA Security Risk Analysis?
Traditional manual SRAs take 3–6 months with a consultant. Automated approaches that scan your codebase can generate a defensible §164.308(a)(1) report in hours, though legal review is still recommended before presenting to a covered entity.
Does a BAA checklist protect an AI vendor during hospital procurement?
A completed BAA checklist demonstrates that the vendor has reviewed required contractual safeguards under 45 CFR §164.308(b) and §164.504(e). Hospital IT procurement teams increasingly require this as a pre-qualification document before legal negotiates the actual BAA.
What is the HIPAA breach notification timeline?
Under §164.412, covered entities and business associates must notify HHS and affected individuals within 60 days of discovering a breach. For breaches affecting 500 or more individuals, notification must also be provided to prominent media outlets in the affected state.
Is the $9,990 pack a replacement for a HIPAA consultant?
No. The pack generates evidence-sourced documentation from your codebase — sections where scanner evidence is missing render an amber callout rather than fabricated content. Use the pack to cut your consultant's scoping phase from weeks to hours, not to replace the engagement.
Win the hospital contract
$9,990 one-time · $1,990/quarter retest + updated docs · Tamper-evident cert link included. Documentation ready in under 10 minutes.
Automated analysis. Not legal advice. Review with qualified HIPAA counsel before presenting to a covered entity.