HIPAA Compliance Operating Platform
RiskFlow combines security risk assessments, vendor BAA workflows, and policy sign-offs into one audit-ready command layer — built for healthcare MSPs and the organisations they support.
The pain
Vendor BAAs scattered across email threads and folders
No centralised system for agreement status. Unsigned BAAs sat unnoticed until an audit or incident surfaced the gap.
Policy sign-offs via email — no traceable audit trail
Policy acknowledgements were forwarded emails and reply chains. When auditors asked for proof, teams rebuilt the story from inboxes.
Google Workspace posture never formally assessed
Most orgs assumed their GSuite settings were fine. No structured assessment compared live settings against HIPAA expectations.
MSPs stitching oversight across disconnected tools
Supporting multiple healthcare orgs meant duplicating effort across separate email threads, shared drives, and generic portals without proper workspace separation.
No single view of compliance status across orgs
Compliance leads had no reliable way to see which orgs had outstanding BAAs, unsigned policies, or incomplete assessments at any given moment.
Security Risk Assessment Engine
Structured assessments that surface live Google Workspace gaps against HIPAA expectations, ranked by exposure severity.
- Control-by-control posture review
- Risk prioritisation by severity
- Evidence capture per control item
BAA Workflow Management
Upload agreements, invite vendors via magic-link, capture signatures, and keep every legal step tied to the correct organisation.
- Magic-link vendor access — no account required
- Signature status and renewal tracking
- Full chain-of-custody per agreement
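The magic-link pattern above is worth pinning down, because a signing link that is guessable, reusable or unscoped defeats the "vendors see nothing else" promise. The following is an added example (not RiskFlow's code) of how such links are typically issued and redeemed: the server keeps only a SHA-256 digest of the random token, binds it to one organisation, one agreement and one vendor address, gives it a short lifetime, and lets it be redeemed once. The record fields, `TTL_SECONDS`, the scope strings and the e-mail addresses are all assumed for illustration.

```python
"""Single-use, scoped magic links for vendor BAA signing (added example)."""
import hashlib
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

TTL_SECONDS = 24 * 3600  # assumed lifetime of a signing link


@dataclass
class MagicLinkRecord:
    org_id: str
    agreement_id: str
    vendor_email: str
    expires_at: float
    used_at: Optional[float] = None  # set on first successful redemption


@dataclass
class LinkStore:
    # Keyed by token digest; the raw token is e-mailed to the vendor and never persisted,
    # so a leaked database does not yield working links.
    records: dict = field(default_factory=dict)


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def issue_link(store: LinkStore, org_id: str, agreement_id: str,
               vendor_email: str, now: Optional[float] = None) -> str:
    """Create a 256-bit random token bound to exactly one agreement; return the raw token."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    store.records[_digest(token)] = MagicLinkRecord(
        org_id, agreement_id, vendor_email, expires_at=now + TTL_SECONDS
    )
    return token


def redeem_link(store: LinkStore, token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return a scoped grant, or None if the link is unknown, expired or already used."""
    now = time.time() if now is None else now
    rec = store.records.get(_digest(token))
    if rec is None or rec.used_at is not None or now >= rec.expires_at:
        return None
    rec.used_at = now  # single use: a forwarded or replayed link is dead after this
    return {
        "org_id": rec.org_id,
        "agreement_id": rec.agreement_id,
        "actor": rec.vendor_email,
        "scope": ("agreement:read", "agreement:sign"),
    }


def can_sign(grant: Optional[dict], org_id: str, agreement_id: str) -> bool:
    """The grant only ever covers the one agreement it was issued for."""
    return (
        grant is not None
        and grant["org_id"] == org_id
        and grant["agreement_id"] == agreement_id
        and "agreement:sign" in grant["scope"]
    )


if __name__ == "__main__":
    store = LinkStore()
    tok = issue_link(store, "org-a", "baa-17", "vendor@example.test")  # constructed ids
    grant = redeem_link(store, tok)
    print("can sign baa-17:", can_sign(grant, "org-a", "baa-17"))
    print("second redemption:", redeem_link(store, tok))
```

Looking the token up by its digest means the raw secret is compared only after a one-way transform, and the expiry and single-use checks are evaluated server-side on every redemption, so neither a forwarded e-mail nor an old link grants access to anything beyond the one agreement.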
Policy Sign-off System
Assign policies to employees, track acknowledgements in real time, and export clean completion history on demand.
- Per-policy signer assignment
- Acknowledgement timestamps with user identity
- One-click audit export
Role-Aware Access Control
Org admins, analysts, auditors, employees, and vendors each see exactly what their role permits — nothing more.
- Granular RBAC across all actor types
- MSP-level workspace separation
- Immutable activity log per action
Audit Evidence Layer
Every upload, assignment, signature, and status change becomes retrievable evidence — no manual compilation before a review.
- Searchable, timestamped activity history
- Structured audit export per project
- Readable by auditors, operators, and vendors
Multi-tenant Architecture
Proper workspace separation for MSPs supporting multiple healthcare organisations — not shared-folder workarounds.
- One workspace per org, MSP, or vendor relationship
- Future-ready for GDPR and SOC 2 frameworks
- Subdomain support for MSP-branded environments
Three workflows, one operating model
Built for teams that need proof, separation, and traceability — not another generic document portal.
Security Risk Assessment
Compare live Google Workspace settings against HIPAA controls. Surface the highest-risk gaps first and capture evidence per control item.
Business Associate Agreements
Handle vendor document flow end-to-end — upload, invite, sign, track renewals — without losing the chain of custody.
Policies and Procedures
Structure policy folders, assign signers, and turn static files into a traceable compliance operation with exportable sign-off history.
Built for every actor
Role-aware access means each party sees exactly what they need — nothing more.
Organisations
Own projects, launch frameworks, assign signers, and keep internal compliance work visible in one place.
MSPs
Support multiple teams with proper workspace separation instead of stitching oversight across disconnected tools.
Vendors
Receive magic-link access, review assigned agreements, sign quickly, and stay out of the rest of the stack.
Outcome
- Spreadsheet handoffs before an audit
- 3 core HIPAA workflows in one command layer
- 1 workspace for org, MSP, and vendor activity
- 0 generic portals required to run the operation
What changed
Compliance became a system, not a scramble. Assessments, BAAs, and policy acknowledgements moved through one operating model instead of three disconnected workflows.
Audit preparation went from days to minutes. Every action was logged and exportable. When reviewers asked for proof, the answer was a structured export — not an inbox reconstruction.
MSP operations gained proper separation. Each client organisation had its own workspace. Oversight was consolidated at the MSP level without mixing permissions or data.
Vendors stayed in their lane. Magic-link access meant vendors could sign agreements without touching any other part of the system — no account creation, no excess visibility.
Built as a scalable, multi-tenant SaaS platform designed for auditability, role separation, and future framework expansion beyond HIPAA.
Core Primitives
Abstractions that work for any compliance framework
Stack
Key Design Decisions
- Actor-model permissions (org / MSP / vendor / auditor) baked into the data layer
- Framework-agnostic core — HIPAA today, GDPR and SOC 2 without rethinking the model
- Immutable audit log for every state change across all three workflow types
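The first and third design decisions above combine into one mechanism: every permission check is evaluated against the workspace the record belongs to, and every state change, allowed or denied, is appended to a log whose entries are hash-chained so later edits are detectable. The following is an added example of that shape (not RiskFlow's implementation). The role names, the action strings, the `WORKSPACE_PARENT` map that lets an MSP workspace oversee its client orgs, and all ids are assumed for illustration.

```python
"""Tenant-scoped, role-aware authorization with a hash-chained audit log (added example)."""
import hashlib
import json
from dataclasses import dataclass
from typing import List

# Assumed role -> permitted actions. Permissions are per workspace, never global.
ROLE_PERMISSIONS = {
    "org_admin": {"baa:upload", "baa:invite", "policy:assign", "policy:read",
                  "assessment:run", "audit:export"},
    "analyst":   {"assessment:run", "policy:read"},
    "auditor":   {"audit:export", "policy:read"},
    "employee":  {"policy:read", "policy:acknowledge"},
    "vendor":    {"baa:read", "baa:sign"},
    "msp_admin": {"audit:export", "policy:read", "assessment:run"},
}
# Assumed tenancy tree: client org workspaces hang under an MSP workspace.
WORKSPACE_PARENT = {"org-a": "msp-1", "org-b": "msp-1"}
OVERSIGHT_ROLES = {"msp_admin"}  # roles allowed to reach into child workspaces


@dataclass(frozen=True)
class Actor:
    actor_id: str
    role: str
    workspace_id: str  # the one workspace this membership grants


@dataclass
class AuditEntry:
    seq: int
    prev_hash: str
    workspace_id: str
    actor_id: str
    action: str
    target: str
    outcome: str
    ts: float
    entry_hash: str = ""


class AuditLog:
    """Append-only log; each entry's hash covers its content and the previous hash."""
    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries: List[AuditEntry] = []

    @staticmethod
    def _hash(e: AuditEntry) -> str:
        body = json.dumps([e.seq, e.prev_hash, e.workspace_id, e.actor_id,
                           e.action, e.target, e.outcome, e.ts])
        return hashlib.sha256(body.encode()).hexdigest()

    def append(self, workspace_id, actor_id, action, target, outcome, ts) -> AuditEntry:
        prev = self.entries[-1].entry_hash if self.entries else self.GENESIS
        e = AuditEntry(len(self.entries), prev, workspace_id, actor_id, action, target, outcome, ts)
        e.entry_hash = self._hash(e)
        self.entries.append(e)
        return e

    def verify(self) -> bool:
        """Recompute the chain; any edited, removed or reordered entry breaks it."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            if e.seq != i or e.prev_hash != prev or self._hash(e) != e.entry_hash:
                return False
            prev = e.entry_hash
        return True

    def export(self, workspace_id: str) -> List[AuditEntry]:
        """Per-workspace evidence export, as an auditor would receive it."""
        return [e for e in self.entries if e.workspace_id == workspace_id]


def authorize(actor: Actor, action: str, resource_workspace: str) -> bool:
    """Allowed only if the role permits the action AND the resource is in scope for this actor."""
    if action not in ROLE_PERMISSIONS.get(actor.role, set()):
        return False
    same_tenant = actor.workspace_id == resource_workspace
    oversees = (actor.role in OVERSIGHT_ROLES
                and WORKSPACE_PARENT.get(resource_workspace) == actor.workspace_id)
    return same_tenant or oversees


def perform(log: AuditLog, actor: Actor, action: str, target: str,
            resource_workspace: str, ts: float) -> bool:
    """Every attempt is logged in the resource's workspace, including denials."""
    ok = authorize(actor, action, resource_workspace)
    log.append(resource_workspace, actor.actor_id, action, target,
               "allowed" if ok else "denied", ts)
    return ok
```

Logging denials alongside allowed actions is what turns the log into evidence of the access model working, not just a record of what happened; the chain verification is what an auditor can run to confirm that the exported history was not edited after the fact.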
Need a compliance operating system?
We build systems that make regulatory work predictable, defensible, and scalable — for HIPAA, HPD, or any compliance domain.