HIPAA compliance — defensible PHI evidence for SaaS and AI.

HIPAA's Security Rule demands audit controls (45 CFR §164.312(b)) and six-year retention (§164.316) — and for AI, proof of exactly what PHI was accessed, when, and by whom. acipta is the agent-based defensibility platform — workflow-grounded — producing per-§ signed evidence, BAA available, replayable for audit and OCR review.

HIPAA alongside SOC 2, GDPR, CCPA & 18 more — one signed evidence chain.

Deterministic Precision. Experiential Intuition. Autonomous Agents.

What HIPAA demands

Audit controls and retention — provably, not approximately.

The Security Rule is specific about records. acipta produces them as signed, replayable evidence at the section level.

§164.312(b)

Audit controls

Mechanisms that record and examine PHI-system activity. acipta signs each record at write time.

§164.316

Six-year retention

Documentation retained six years from creation or last effective date — replayable byte-identically across that window.

OCR review

Demonstrated remediation

Since OCR's 2026 enforcement, identifying risk is no longer enough — acipta produces evidence of the action taken.

The AI + PHI problem

Agents accumulate PHI. Evidence has to keep up.

AI agents that touch PHI create new audit-control and retention obligations — exactly where dashboards fall short.

RISK

Silent PHI accumulation

Agents logging PHI in session data without systematic retention and deletion are a HIPAA and GDPR exposure.

FIX

Tamper-evident agent records

Agent identity, PHI accessed, operation, human authorizer — captured and signed at write time.

REUSE

One record, two regimes

The same audit record satisfies §164.312(b) and GDPR Article 30 — cross-framework reuse.

Certification posture

SOC 2 Type 2 + HIPAA — in flight.

acipta discloses its own posture transparently on every customer surface.

TARGET

Aug 23, 2026

SOC 2 Type 2 + HIPAA certifications targeted August 23, 2026, as part of Full GA. Compliance program in flight today.

BAA

Available

A Business Associate Agreement is available for customers handling PHI.

CHAIN

Same substrate

HIPAA evidence rides the same signed, replayable chain as your other 20 frameworks.

FAQ

HIPAA compliance — questions

What does HIPAA actually require for software handling PHI?

HIPAA's Security Rule requires audit controls (45 CFR §164.312(b)) — mechanisms that record and examine activity in systems containing PHI — and retention of that documentation for six years (§164.316(b)(2)). For AI, you must also show what PHI an agent accessed, when, for what purpose, and how long it was retained.

Do you offer a BAA?

Yes — a Business Associate Agreement is available. acipta's SOC 2 Type 2 + HIPAA compliance program is in flight, targeted August 23, 2026 (as part of Full GA).

How is acipta different from HIPAA compliance automation?

Automation collects evidence on a schedule and renders dashboards. acipta produces per-§ signed evidence at write time — replayable byte-identically for the six-year retention window and an OCR review years later.

Does this cover AI agents that touch PHI?

Yes. Tamper-evident records capture agent identity, the PHI accessed, the operation performed, and the human authorizer — satisfying §164.312(b) audit controls and GDPR Article 30 records on the same chain.

PHI evidence that survives an OCR review.

acipta is the agent-based defensibility platform — workflow-grounded. Per-§ HIPAA evidence, BAA available, on one chain with 20+ frameworks. Full GA August 23, 2026.