
HIPAA posture.

What we sign, what we host, what we control, and what happens to your data at handoff. This page is the short practice-facing summary. The full controls list lives in the BAA we sign before the engagement starts.

This page is the current published posture as of the Practice Operations Toolkit launch. The complete posture document, including incident-handling procedures, audit rights, and the controls matrix, is delivered with each engagement and will be expanded here in a follow-up.

Six anchors

The HIPAA posture, in six lines.

The six commitments AC5 Labs operates under for any build that touches PHI. Each one is reflected in the BAA and operated through the HIPAA Controls Baseline container.

BAA before PHI

We sign the Business Associate Agreement before any PHI is touched.

The BAA is signed at the start of the Scope phase, before any access is granted, before any data flows. The agreement covers the controls AC5 commits to operate under, the access scope, the breach notification window, and the wipe procedure at handoff.

Controls baseline

Named accounts, MFA, encryption at rest and in transit, full audit log.

Every build sits on the HIPAA Controls Baseline container: named-account authentication with MFA, end-to-end encryption, and a complete audit trail of who touched what and when. The same baseline is delivered in the production environment your practice owns at handoff.

Hosting options

US-hosted only. Your cloud, our managed cloud, or on-prem.

Three hosting options. Deploy into your AWS or Azure account so your IT team holds the keys. Use our managed AWS account under a signed BAA. Deploy on-prem for practices or specialties that require it. We never host outside the United States.

Wipe at handoff

Written confirmation of wipe from every development environment.

At the Handoff phase, we revoke our access, transfer credentials, and wipe every development and staging environment that ever held production PHI. The wipe is documented and signed; the documentation lives in the Evidence Binder container.

HIPAA SRA delivered

The HIPAA Security Risk Assessment is part of the Evidence Binder.

The toolkit ships with a current HIPAA Security Risk Assessment for the install, scoped to your environment. Future SRAs are produced in the Evidence Binder container on a defined cadence; the methodology is published with the build.

Subcontracting

We do not subcontract development offshore without disclosing it first.

AC5 Labs is a small firm. The same operators who scope the work also build the work. If a specific engagement ever needs a subcontractor with PHI access, you are told before the engagement is signed and the subcontractor signs the same BAA.

Want the full controls list?

We send the draft BAA before the discovery call so your counsel can review on the call. If your practice or specialty has additional requirements, we adapt; the controls baseline is the floor, not the ceiling.