ISMS Copilot for healthcare compliance
HIPAA Security and Privacy Rule mapping, ISO 27018 for cloud-hosted health data, and SOC 2 cross-walks — documentation only, never PHI.
The healthcare compliance stack, and the PHI boundary
Healthcare compliance is not one framework. A US covered entity carries the HIPAA Security Rule (administrative, physical, technical safeguards under 45 CFR §164.308–§164.312), the Privacy Rule, and the Breach Notification Rule's 60-day clock. The moment patient data sits in a cloud, ISO 27018 layers PII-processor controls onto an ISO 27001 ISMS, and most digital health teams selling B2B also face SOC 2. ISMS Copilot does not sign a Business Associate Agreement (BAA), so it cannot lawfully process Protected Health Information under 45 CFR §164.502. Never paste actual PHI or ePHI — names, dates, MRNs, diagnoses, provider-patient conversations — into chats. Drafting an SOP about how your team handles PHI is fine; entering the PHI itself is not. If your use case requires processing PHI through an AI assistant, you need a BAA-signed vendor instead.
Full HIPAA stance and limitations →
What ISMS Copilot does for HIPAA-covered teams
- Draft the HIPAA policy pack — Information Access Management, Workforce Security, Audit Controls, Contingency Planning, Breach Notification
- Map your environment to the HIPAA Security Rule administrative, physical, and technical safeguards (45 CFR §164.308–§164.312)
- Draft the Risk Analysis methodology and remediation plan template (45 CFR §164.308(a)(1)(ii)(A))
- Map ISO 27018 cloud PII-processor Annex A controls onto an ISO 27001 Statement of Applicability for hosted health data
- Cross-walk HIPAA Security Rule to SOC 2 Security and Confidentiality TSC — most controls overlap
- Prepare workforce HIPAA training material, sanction policies, and a subprocessor BAA template
Built for healthcare compliance leads
HIPAA Security Rule control library — administrative, physical, technical safeguards
Privacy Rule templates (Notice of Privacy Practices, minimum necessary, authorizations)
Breach Notification Rule workflow (60-day clock, HHS reporting, individual notification)
ISO 27018:2025 PII-processor control guidance mapped to the 11 ISO/IEC 29100 privacy principles
SOC 2 + HIPAA combined control matrix for digital health startups going for both
State-law layering — California CMIA, NY SHIELD, Texas HB 300 considerations
Are you a NIS 2 essential entity? (free first-pass checker)
Healthcare is one of the Annex I sectors under NIS 2, so most hospitals and many digital-health platforms fall into the essential-entity tier — but the test still depends on entity type, size, and national transposition. The free NIS 2 Applicability Checker walks the Article 2/3 essential-versus-important test as a structured first pass (with national-transposition data) — a starting point alongside the HIPAA/ISO 27018 stack above, not a final legal determination.
Open the free NIS 2 Applicability Checker →
And on the US side: are you a covered entity or a business associate?
For the HIPAA half of the stack, status is the first question: health plans and clearinghouses are covered as such, providers only if they conduct HIPAA standard transactions electronically, and vendors only through the business-associate chain (45 CFR 160.103). The free HIPAA Applicability Checker runs that determination deterministically, including the subcontractor chain and the narrow conduit exception, with the primary sources on the page.
Open the free HIPAA Applicability Checker →
Frequently Asked Questions
Will ISMS Copilot sign a BAA?
No. We do not sign Business Associate Agreements. The AI infrastructure underneath ISMS Copilot does not have a BAA chain we can pass through to you. Treat ISMS Copilot as a documentation and training tool — not a PHI processor. Never paste PHI or ePHI into chats.
Where does ISO 27018 fit for a healthcare cloud product?
ISO 27018 is not separately certifiable — its Annex A controls are incorporated into an ISO 27001 Statement of Applicability and scoped to public-cloud PII processing. If you host patient data, ISMS Copilot helps you draft those SoA entries and map them to the ISO/IEC 29100 privacy principles. See /frameworks/iso-27018.
We need both SOC 2 and HIPAA — does that work?
Yes, and it is a common pattern for digital health SaaS. The HIPAA Security Rule technical safeguards overlap heavily with the SOC 2 Security TSC, so ISMS Copilot generates a combined control matrix and you write each control once. See /frameworks/soc-2 and /frameworks/hipaa.
Ready to do compliance work faster?
Built for speed, accuracy, and audit-ready output.
