How PatientNotes secured HIPAA compliance in under 30 days


We are very excited to announce PatientNotes is now HIPAA compliant ✅ In October, we set ourselves the stretch goal to secure HIPAA compliance within just 30 days. So we launched "Compliance Tuesdays", dedicated days where we zeroed in on the comprehensive requirements of HIPAA - 127 controls and 26 policies. 

We're thrilled to share that PatientNotes now meets the highest standards for the care and storage of patient data. This marks a pivotal moment in our mission to empower healthcare providers with advanced AI-driven clinical note-taking tools, ensuring the highest standards of patient privacy and data security globally.

Our Journey to HIPAA Compliance:

We were confident with compliance as our founding team brings extensive experience in creating compliant platforms at scale. I worked at Zendesk for over 10 years and had experience working with some of the best compliance folks in the industry to implement SOC2 Type II, HIPAA, ISO 27001:2013 and FedRAMP LI-SaaS. Combined with Lachlan's experience at Block (Cash App) and Buildkite, we understood many of the controls that would need to be put in place.

Security and compliance have been core values of the company from day 1. With each system that we've built, purchased, or integrated with, we have been thoughtful in the implementation to ensure that we are protecting the sensitive data we temporarily hold. But there is a big difference between doing what you think is best practice and actually ensuring that you meet and maintain the industry requirements.

On first review of the controls for HIPAA, we met nearly all of the infrastructure and application security controls. But we missed many of the company policies and contracts that are required to ensure that our staff comply and understand how to handle working in a compliant fashion.

Tara, our Head of Compliance, led us through the policy drafting process. Many of the templates that we could find online, and did purchase to assist in this process, are incredibly outdated. The biggest theme is that they are written for companies whose staff all work in a single office building, yet the PatientNotes team is a remote team. We spent the time to thoughtfully adjust each of the policies to be remote-first. The other adjustments we had to make were mostly due to outdated policies; for example, our password policy follows the NIST guidelines.

The rigorous focus of dedicating a whole day each week, combined with decades of experience working in strong compliance environments, allowed us to become HIPAA compliant in late December 2023. After monitoring our controls for a couple of months, we now feel confident that we'll be able to consistently maintain HIPAA compliance going forward.

Why is HIPAA Compliance Important to Us?

Achieving HIPAA compliance is more than a regulatory milestone; it's a reflection of our commitment to providing a trusted platform for US healthcare providers and a testament to the robustness of our security measures. HIPAA's global recognition underscores our dedication to adhering to the highest compliance standards, with GDPR on our roadmap next.

This achievement not only signifies our compliance with one of the most stringent privacy standards but also strengthens our resolve to continuously improve and innovate. It's a testament to our commitment to security, privacy, and the trust placed in us by healthcare providers across the US and around the world.

We are now offering Business Associate Agreements (BAAs) to our US healthcare partners. We invite our US customers interested in learning more about our BAAs to reach out to compliance @

Together, we're setting new standards for privacy and security in healthcare technology. Thank you for being a part of our journey.

For a deeper dive into our security practices and how we protect your data, visit: