For practices with cyber insurance renewal coming up

Audit-proof documentation before the underwriter asks.

The 2026 HIPAA Security Rule made MFA and encryption mandatory by November. Your insurance application now demands proof. HIPAAPath gets your risk assessment done — in plain language, in the format your underwriter recognises — and your documents stay in your browser, not on our servers.

Free SRA: do one chapter at a time, save as you go, and the manual is yours to keep. Insurance-Ready Summary: a carrier-mapped PDF for the renewal moment.


/ 00   The proof

What cyber-liability carriers actually want.

We pulled eight cyber-liability applications — Beazley, Coalition, Chubb, Travelers, Hiscox, CNA, MedPro, and The Doctors Company. They ask for the same eight things. Different wording, same eight control groups. We’ve walked the apps and lined the questions up with HIPAAPath. Here’s the crosswalk.

Beazley, Coalition, Chubb, Travelers, Hiscox, CNA, MedPro, The Doctors Company

Identity & Access | Is multi-factor authentication enabled on email, EHR, and remote access, with a unique login per person? | Captured from your responses
Data Protection | Are laptops, mobile devices, and removable media encrypted — at rest and in transit? | Captured from your responses
Backup & Recovery | Are backups encrypted, off-site, and restoration-tested? | Captured from your responses
Endpoint & Network | Do workforce devices run endpoint detection, and is patient-data infrastructure isolated from guest / IoT networks? | Captured from your responses
Email Security | Is email filtered for phishing, with SPF, DKIM, and DMARC authentication in place? | Captured from your responses
Incident Response | Do you have a documented, tested breach-response and notification procedure? | Captured from your responses
People & Process | Is there a named security officer, annual workforce training, and a recent vulnerability assessment? | Captured from your responses
Compliance Attestations | Can you attest to HIPAA and HITECH compliance, plus any standards you follow (SOC 2, NIST CSF)? | Captured from your responses

The free SRA produces your §164-formatted Practice Security Manual — the document an auditor or attorney reads. The $99 Insurance-Ready Summary repackages the same data into the eight-group format underwriters score against. The manual is your year-round artifact; the summary is your renewal-week artifact.

/ 01   Three ways to use it

Free for the chapters. $99 for the renewal artifact. $299/yr for the long haul.

Three places this can stop. The chapters and the Practice Security Manual are free either way — no card needed; you sign in only to download. The paid tiers add things you only need at specific moments.

Free — yours to keep

The free SRA

$0

Walk the chapters at your own pace — no account needed to work. Save as you go. Your Practice Security Manual downloads to your computer when you finish — yours forever; you sign in once at download.

  • Full 17-section §164-formatted manual
  • Auto-fill within the document — answer once, use everywhere
  • Save as you go
  • Adopt-and-edit sanction policy template
  • Your manual, downloaded to your computer, yours forever
  • Browser-editable for 90 days from your last save — download a JSON backup any time
For renewal week

Insurance-Ready Summary

$99 — one-time

Insurance renewal coming up? The Carrier-Mapped Summary takes the work you’ve already done in the chapters and re-formats it into the eight-group structure underwriters score against — Beazley, Coalition, Chubb, Travelers, Hiscox, CNA, MedPro, The Doctors Company. One PDF to hand your broker.

  • Eight carrier control groups, in carrier order
  • Two answer formats: free-text paragraph for essay-style carriers, Yes/No-with-detail for checkbox-style carriers
  • Appendix: 2026 mandate checklist + NIST 800-30 mapping
  • Regenerate any time while your assessment is editable — 90 days from your last save (matches typical renewal prep). JSON backup any time, or upgrade to Founding Member to keep editing indefinitely.
/ 02   What you walk out with

A real audit-ready manual.
Not a checklist.

Nine chapters of guided questions produce a 17-section manual formatted to §164 of the HIPAA Security Rule — the same structure an auditor reads.

Other tools give you a checklist or a blank template. We give you the document.

17 §164 sections
1 Downloadable PDF
A real page from a HIPAAPath Practice Security Manual — §164.308 Administrative Safeguards, showing the Security Management Process, Assigned Security Responsibility, and Workforce Security standards, each marked verified.
An actual manual page — §164.308, Administrative Safeguards
/ 03   Why it’s less work than it looks

Answer once. Use everywhere.

Tell us about your practice in Chapter 1. We auto-fill those answers wherever they show up later — your risk analysis, your inventory, your safeguards.

Save as you go, one chapter at a time — stop and pick up exactly where you left off.

/ 04   Your answers stay yours

Your answers save in your browser.

Your practice details, device serial numbers, and risk findings save in your browser’s local storage, not on our servers. You can verify that in your browser’s developer tools (Application → IndexedDB).

When you finish, your manual downloads to your computer. Sign-in (when you choose to) only carries your email — not your answers.

/ 06   Trust

Built for auditors to read.

Standard: 45 CFR 164 Subpart C — the HIPAA Security Rule
Structure: Section-by-section to §164, the way an auditor reads
Privacy: Your answers save in your browser, not our servers — verifiable in dev tools
Grounding: Policy templates anchored to NIST SP 800-66 Rev. 2 — the federal HIPAA Security Rule implementation guidance
/ 07   FAQ

Questions practices actually ask.

No. We help you document your safeguards. For legal questions about your specific situation, talk to a healthcare attorney.
We line your answers up with what the major cyber-liability carriers ask for — the eight control groups Beazley, Coalition, Chubb, Travelers, Hiscox, CNA, MedPro, and The Doctors Company all score against. What we can't do is approve your application for them; that's the underwriter's call. What we do is make sure their questions don't catch you flat-footed, and that your answers are documented and dated the way they expect.
No. It's the documentation underwriters ask for, organized the way they ask for it — not a promise of approval or a particular premium. A complete, honestly-answered summary helps your renewal go smoothly, but the decision still belongs to your carrier and your broker.
The eight cover most small-practice cyber-liability applications, and the underlying questions are strikingly consistent from carrier to carrier — MFA, endpoint protection, backups, encryption, network segmentation, incident response, asset inventory, and a dated remediation plan. If your carrier uses a different form, those same eight control groups still answer the substance of what it's asking.
Business Associate Agreement. It's a contract that says a vendor handling your patient data takes on some HIPAA liability. The catch: BAAs only cover the services they cover. Personal Gmail, your laptop, and your phone aren't covered by your EHR vendor's BAA — those are still your responsibility. That's most of what we help you document.
You keep it forever — it's already on your computer. If you want it auto-populated next year, that's the paid tier. If you want to redo it from scratch, the free tier is always here.
Your answers save in your browser's local storage, not on our servers. You can verify this in your browser's developer tools (Application → IndexedDB). When you finish, the manual downloads to your computer.
Small practices that handle protected health information — solo therapists, doctors, dentists, small clinics. If you’re a healthtech startup looking for a SOC 2 platform, you want Vanta or Drata. If you’re a solo practitioner who needs a real HIPAA manual without spending $10K on a consultant, you want us.
Ready when you are

Start the first chapter. Stop when you want.

Your work saves as you go, right in your browser. No card to enter, nothing to install — you sign in only when you’re ready to download your manual.