You need to sign a Business Associate Agreement, pass a vendor security review, or demonstrate HIPAA compliance to a US covered entity. ThreeShield delivers the Security Risk Assessment, Privacy Rule policy package, Breach Notification readiness, BAA templates, and Lavawall® continuous monitoring — signed by our CISSP/CISA team. No partner required. No billable-hour surprises.
Your SaaS, analytics, billing, or data platform serves US covered entities. Every downstream vendor that creates, receives, maintains, or transmits PHI on a covered entity's behalf is a Business Associate, directly liable under the HIPAA Security Rule since the 2013 Omnibus Rule, and must implement its safeguards. Most Canadian health tech founders don't know this when they sign their first US deal.
You manage IT for a US healthcare organization or Canadian entity that receives US health information. Your BAA obligation is real. ThreeShield ensures your controls match what you're signing.
Physician practices, dental groups, and small healthcare organizations that need a Security Risk Assessment (SRA), a Security Rule requirement that HHS expects to be repeated at least annually, and a documented compliance program without a healthcare-specific law firm's billing rate.
An enterprise US health system sent you a security questionnaire or BAA to sign. You need to know what you're committing to and whether your controls back it up. ThreeShield reviews both before you sign anything.
Identify all systems, data flows, and workforce roles that touch PHI. Establish the SRA boundary.
Lavawall® deployed; HIPAA safeguard assessment conducted; findings documented with risk ratings.
Critical gaps addressed in priority order. Policies written. BAA templates reviewed. Staff training completed.
Signed SRA delivered. Evidence package compiled. Lavawall® monitoring ongoing.
Lavawall® continuously collects evidence for patch compliance, access controls, encryption status, and M365/Entra configuration: the technical safeguard evidence HIPAA auditors ask for, alongside the administrative safeguard documentation (policies, training records, risk analysis) produced during the engagement. Manual evidence gathering that takes weeks takes hours with Lavawall®.
Lavawall® identifies shadow IT, personal email on work devices, and cloud services touching PHI that you may not have inventoried. The SRA boundary is only as good as your PHI system inventory.
If you're also working toward SOC 2 or ISO 27001, Lavawall® maps evidence to multiple frameworks simultaneously — your HIPAA work reduces the effort needed for your next compliance engagement.
HIPAA requires periodic evaluation of your Security Rule program (§164.308(a)(8)), and annual review is the accepted baseline. Lavawall® ongoing monitoring means your annual reassessment is a delta review, not starting from scratch.
This package covers the HIPAA Security Rule SRA, Privacy Rule policy package, Breach Notification readiness, BAA templates, and Lavawall® monitoring. The following are quoted separately if needed: HIPAA-specific penetration testing of production systems handling PHI; legal review of BAA terms (we review the security obligations, not the contract terms — engage healthcare counsel for contract review); HIPAA compliance for Covered Entities with 50+ workforce members requiring a full workforce training rollout (we can quote this); and remediation of major infrastructure changes identified during the assessment (gap closure within normal change management is included; major architectural rework is quoted separately).
If your company receives, creates, maintains, or transmits Protected Health Information (PHI) on behalf of a US covered entity, you are a HIPAA Business Associate regardless of where you're incorporated. The BAA you sign is a legal commitment to implement the HIPAA Security Rule safeguards — and the covered entity's legal exposure if you don't comply is substantial enough that they will audit you eventually. Most Canadian health tech founders learn about this obligation when a US health system asks them to sign a BAA or complete a vendor security questionnaire.
Yes. The HIPAA Security Rule (45 CFR §164.308(a)(1)(ii)(A)) requires covered entities and business associates to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI, and §164.308(a)(8) requires periodic evaluation of the safeguards in place. The rule text sets no fixed interval, but HHS OCR guidance and the Medicare Promoting Interoperability program treat an annual SRA as the baseline. The Security Risk Assessment ThreeShield delivers satisfies this requirement. HIPAA does not mandate a specific credential for the assessor; ours is signed by our CISSP/CISA team. This is direct delivery: no CPA firm or other partner is needed to sign HIPAA assessments.
Fixed-scope engagement, quoted after a scoping call. The quote covers the entire engagement — assessment, policies, BAA templates, remediation guidance, and Lavawall® monitoring for the engagement period. No hourly billing, no change order surprises for work within the agreed scope. Contact us to book a scoping call; we'll have a quote for you within two business days of that conversation.
Gaps within normal remediation scope are addressed within the engagement: policy gaps, configuration changes, MFA implementation, and enabling encryption at rest on the platforms you already run. Major infrastructure rework is scoped and quoted separately, for example migrating PHI off a system that cannot be encrypted in place, or moving PHI systems to a new cloud environment. We identify these early in the assessment phase so there are no surprises.
Yes — and this is a common scenario for Canadian health tech companies serving both US covered entities and Alberta custodians. Lavawall® maps evidence to both frameworks simultaneously; the policy work overlaps significantly. A combined HIPAA + Alberta HIA engagement is more efficient than running them separately. See our Alberta HIA Compliance package.
ThreeShield delivers HIPAA Security Rule assessments, Privacy Rule policies, BAA templates, and Lavawall® continuous monitoring directly — signed by our CISSP/CISA team. No CPA firm, QSA, or other licensed partner required for HIPAA compliance. This is direct delivery.
See all direct-delivery and partner-attested services.
Book a scoping call. We'll have a quote within two business days. Fixed scope, fixed price, 60 to 90 day timeline.
Free domain scan available. No minimums. No hourly billing surprises. Fixed-scope engagement.