HIPAA Compliance Center

Continuous, automated HIPAA compliance — built lean for a nonprofit budget

Role. Developer & HIPAA Security Officer for ShockTalk — I designed and built the compliance system end to end: the deterministic code and infrastructure checks, the AI drift audit, the policy attestation workflow, and the portal that ties them together.

Developer & HIPAA Security Officer · 2025–present · Internal compliance tool for ShockTalk
Keeping a live, HIPAA-regulated telehealth platform compliant without enterprise hosting budgets.

ShockTalk HIPAA compliance dashboard — Control Posture showing the live code scan, Azure infra audit, HITRUST snapshot, and AI code audit

The $500-a-month problem

HIPAA-compliant infrastructure isn’t cheap. Managed HIPAA hosting platforms like Aptible can run $500 a month or more before you’ve served a single patient. For a well-funded company that’s a rounding error. For ShockTalk — an Indigenous-led telehealth platform operating on grant funding and prize money — it’s the kind of recurring cost that quietly decides whether the project survives.

So compliance had to be smart and lean. Rather than rent someone else’s compliance wrapper, I built ShockTalk’s directly on Azure’s HIPAA tooling, paired with an in-house system that does the work a managed platform would otherwise charge for — at a fraction of the cost.

How HIPAA is configured on Azure

Immutable platform access log — every create, read, update and delete on PHI, showing who did what and when, with PHI identifiers redacted.

The technical safeguards, done right

The foundation is the part HIPAA spells out explicitly. Encryption in transit (TLS 1.2 or later) and at rest (AES-256). The PostgreSQL database reachable only through a private endpoint on the application’s VNet, with no public network exposure, so nothing but the application can connect to it. Immutable audit logging of every create, read, update, and delete on PHI routes, which is what §164.312(b) (Audit Controls) asks for. And a signed Business Associate Agreement as the condition for any vendor to handle protected health information, with the few remaining non-BAA vendors tracked for retirement. Get these wrong and nothing else matters; get them right and you’ve cleared the bar most people think is HIPAA.
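As an added illustration (not ShockTalk’s code), here is the shape of an audit record for a PHI route: one record per CRUD action, the patient identifier replaced by a keyed pseudonym so the log itself holds no PHI, and each record hash-linked to the previous one so that editing or deleting history is detectable. The hash chain, the `pseudonymise` helper and the example key are assumptions for the demonstration; the page says only that the real log is immutable and redacted, and in production the key would come from a secret store and the records would land in write-once storage.

```python
from __future__ import annotations

import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed example key. In production this comes from a secret store,
# never from source; treat it like a signing key, because rotating it breaks
# correlation of one patient's events across the rotation.
PSEUDONYM_KEY = b"example-key-do-not-use"
GENESIS = "0" * 64
CRUD = {"create", "read", "update", "delete"}


def pseudonymise(identifier: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed hash of a patient identifier. The log never stores the raw MRN,
    but whoever holds the key can still correlate one patient's events."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()[:16]


def _digest(entry: dict) -> str:
    """Hash of every field except the record's own hash, in canonical order."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditLog:
    """Append-only list of PHI access events. Each record carries the hash of
    the previous one, so a changed or removed record breaks verify_chain()."""

    def __init__(self) -> None:
        self.records: list[dict] = []
        self._prev_hash = GENESIS

    def record(self, actor: str, action: str, route: str, patient_id: str,
               when: datetime | None = None) -> dict:
        if action not in CRUD:
            raise ValueError(f"unknown action {action!r}")
        when = when or datetime.now(timezone.utc)
        entry = {
            "ts": when.isoformat(),
            "actor": actor,
            "action": action,
            "route": route,
            "subject": pseudonymise(patient_id),  # never the raw identifier
            "prev": self._prev_hash,
        }
        entry["hash"] = _digest(entry)
        self.records.append(entry)
        self._prev_hash = entry["hash"]
        return entry

    def verify_chain(self) -> bool:
        """True iff every record hashes correctly and links to its predecessor."""
        prev = GENESIS
        for entry in self.records:
            if entry["prev"] != prev or _digest(entry) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True
```

The chain only proves that the log you are holding is the log that was written; it does not stop someone with write access from rewriting the whole thing from the genesis record. That is why the page pairs this with storage the application cannot alter after the fact.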

But technical safeguards are only half of HIPAA

The encryption-and-BAAs layer is what most teams stop at — and it’s where most compliance quietly falls apart. HIPAA also requires extensive documentation that has to be written, maintained, and re-attested over time; applications engineered to minimize how much PHI they ever touch; and constant vigilance against compliance drift — the slow divergence between what your policies claim and what your codebase and infrastructure actually do.

Drift is the dangerous part. A teammate flips on a debug flag, a new dependency phones home over an unverified connection, an Azure resource loses its diagnostic logging, a vendor gets wired in without a BAA. Any one of these can silently break compliance months before an auditor — or a breach — would ever surface it. Catching that continuously, by hand, is more than a part-time founder can do.

A finding is resolved only by human sign-off — never automatically. Absence of evidence is not evidence of a fix.

So I built an automated compliance center

Control Posture dashboard — live code scan 6 of 7 rules passing, Azure infra audit 26 of 26, HITRUST cloud snapshot, and AI code audit: deterministic signals from code, infra, and HITRUST in one view.

Deterministic checks, every day

Grounded in the HIPAA Security Rule (45 CFR §164.312), I encoded the requirements as deterministic checks that run against the codebase and infrastructure continuously. A live code scan enforces seven rules: consent bypass disabled, automatic logoff in place, Flask debug off, no hardcoded secrets, TLS certificate verification intact, any fallback to a model provider without a BAA flagged, and every PHI route provably writing an audit event. Alongside it run a 26-check Azure infrastructure audit mapped to the §164.312 controls (Access Control, Audit Controls, Integrity, Transmission Security) and a HITRUST cloud snapshot. A summary report lands in my inbox every day. A passing check means only that the pattern it looks for was not found; it is evidence of absence for that one pattern, nothing broader.
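To make the deterministic layer concrete, here is an added example (not ShockTalk’s scanner) that implements four of the seven rules over Python source with the `ast` module: Flask debug off, no hardcoded secrets, TLS verification intact, and PHI routes writing audit events. The audit helper name `audit_event`, the `/phi` URL prefix, the secret-looking identifier pattern and the sample application are all assumptions made for the demonstration; the sample source is constructed to trip three of the four rules.

```python
from __future__ import annotations

import ast
import re
from dataclasses import dataclass

# Hypothetical conventions: the audit helper every PHI handler must call, the
# URL prefix that marks a PHI route, and identifiers that suggest a secret.
AUDIT_FN = "audit_event"
PHI_PREFIX = "/phi"
SECRET_NAME = re.compile(r"SECRET|PASSWORD|PASSWD|TOKEN|API_KEY", re.I)
RULES = ("flask_debug_off", "no_hardcoded_secrets",
         "tls_verification_intact", "phi_routes_audited")


@dataclass(frozen=True)
class Finding:
    rule: str
    path: str
    line: int
    detail: str


def _kw_equals(call: ast.Call, name: str, value: object) -> bool:
    """True if the call passes keyword `name` as the literal `value`."""
    return any(k.arg == name and isinstance(k.value, ast.Constant)
               and k.value.value is value for k in call.keywords)


def _route_path(fn: ast.AST) -> str | None:
    """Path literal from an @app.route("/...") style decorator, if present."""
    for dec in getattr(fn, "decorator_list", []):
        if (isinstance(dec, ast.Call) and isinstance(dec.func, ast.Attribute)
                and dec.func.attr == "route" and dec.args
                and isinstance(dec.args[0], ast.Constant)
                and isinstance(dec.args[0].value, str)):
            return dec.args[0].value
    return None


def _calls_audit(fn: ast.AST) -> bool:
    """Does the handler body contain a call to audit_event(...) anywhere?"""
    for node in ast.walk(fn):
        if isinstance(node, ast.Call):
            f = node.func
            if ((isinstance(f, ast.Name) and f.id == AUDIT_FN)
                    or (isinstance(f, ast.Attribute) and f.attr == AUDIT_FN)):
                return True
    return False


def scan_source(path: str, source: str) -> list[Finding]:
    found: list[Finding] = []
    for node in ast.walk(ast.parse(source, filename=path)):
        if isinstance(node, ast.Call):
            if (isinstance(node.func, ast.Attribute) and node.func.attr == "run"
                    and _kw_equals(node, "debug", True)):
                found.append(Finding("flask_debug_off", path, node.lineno, "run(debug=True)"))
            if _kw_equals(node, "verify", False):
                found.append(Finding("tls_verification_intact", path, node.lineno,
                                     "verify=False disables certificate checking"))
        elif isinstance(node, ast.Assign) and isinstance(node.value, ast.Constant):
            for target in node.targets:
                if not isinstance(target, ast.Name):
                    continue
                if target.id == "DEBUG" and node.value.value is True:
                    found.append(Finding("flask_debug_off", path, node.lineno, "DEBUG = True"))
                elif (SECRET_NAME.search(target.id)
                        and isinstance(node.value.value, str) and node.value.value):
                    found.append(Finding("no_hardcoded_secrets", path, node.lineno,
                                         f"{target.id} assigned a string literal"))
        elif isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            route = _route_path(node)
            if route is not None and route.startswith(PHI_PREFIX) and not _calls_audit(node):
                found.append(Finding("phi_routes_audited", path, node.lineno,
                                     f"{route} handles PHI but never calls {AUDIT_FN}()"))
    return found


def scan_tree(sources: dict[str, str]) -> list[Finding]:
    findings: list[Finding] = []
    for path, src in sorted(sources.items()):
        findings.extend(scan_source(path, src))
    return findings


def rule_status(findings: list[Finding]) -> dict[str, bool]:
    """Rule -> passing. A pass only means the pattern was not seen."""
    failed = {f.rule for f in findings}
    return {rule: rule not in failed for rule in RULES}


# Constructed sample application, not ShockTalk's code: one audited PHI route,
# one unaudited, an unverified outbound TLS call, and debug mode left on.
SAMPLE_SOURCES = {
    "app.py": '''
import os
import requests
from flask import Flask

app = Flask(__name__)
SMTP_PASSWORD = os.environ["SMTP_PASSWORD"]   # read from env, not a literal

@app.route("/phi/notes/<int:note_id>")
def get_note(note_id):
    return load_note(note_id)                 # no audit_event(): fails

@app.route("/phi/notes/<int:note_id>", methods=["DELETE"])
def delete_note(note_id):
    audit_event("delete", "/phi/notes", note_id)
    return "", 204

def vendor_ping():
    return requests.get("https://vendor.example/health", verify=False)

if __name__ == "__main__":
    app.run(debug=True)
''',
}

if __name__ == "__main__":
    for f in scan_tree(SAMPLE_SOURCES):
        print(f"{f.rule:24} {f.path}:{f.line}  {f.detail}")
    print(rule_status(scan_tree(SAMPLE_SOURCES)))
```

Syntax-tree rules like these are deliberately narrow: `verify=False` hidden behind a variable, or an audit call made from a helper the handler invokes, would slip past them. That narrowness is the point of running them every day; breadth is the job of the monthly audit.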

Findings register — HITRUST Azure Policy violations alongside human-curated and agent-discovered risks, tracked by lifecycle.

A monthly AI drift audit

Deterministic rules catch only what you thought to write a rule for. To catch the rest — drift in the codebase and the gaps HITRUST’s policy scan doesn’t cover — Claude Opus audits the entire codebase and infrastructure configuration front to back once a month. It reasons about the actual data flow and the legal basis for each flow rather than pattern-matching, writes what it finds into the tracked findings register, and proposes fixes. Crucially, nothing it discovers is ever auto-resolved: a finding moves to “needs confirmation” when it’s no longer observed, and only a human sign-off marks it resolved.
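The lifecycle rule above is easy to get wrong in code, so here is an added example (not the project’s register) of a findings register that enforces it: automated sweeps can open a finding, move it to “needs confirmation” when it stops being observed, and reopen it if it comes back, but the only path to “resolved” is a named human with a note. The state names, the finding-key format and the sweep identifiers are assumptions for the demonstration.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class State(str, Enum):
    OPEN = "open"
    NEEDS_CONFIRMATION = "needs_confirmation"   # no longer observed, not yet signed off
    RESOLVED = "resolved"                       # reachable only through resolve()


@dataclass
class Finding:
    key: str          # stable fingerprint, e.g. "code_scan:flask_debug_off:app.py"
    source: str       # "code_scan", "infra_audit", "ai_audit" or "human"
    summary: str
    state: State = State.OPEN
    history: list[str] = field(default_factory=list)


class FindingsRegister:
    def __init__(self) -> None:
        self._items: dict[str, Finding] = {}

    def ingest_sweep(self, source: str, observed: dict[str, str], sweep_id: str) -> None:
        """Reconcile one sweep (automated or human-curated) with the register.

        Newly seen keys open findings; keys this sweep no longer sees move
        OPEN -> NEEDS_CONFIRMATION; keys seen again reopen whatever state they
        were in, including RESOLVED, because a regression is a new problem.
        Findings owned by other sources are untouched, and nothing here can
        set RESOLVED.
        """
        for key, summary in observed.items():
            item = self._items.get(key)
            if item is None:
                self._items[key] = Finding(key, source, summary,
                                           history=[f"{sweep_id}: opened"])
            elif item.state is not State.OPEN:
                item.state = State.OPEN
                item.history.append(f"{sweep_id}: reobserved, reopened")
        for item in self._items.values():
            if (item.source == source and item.key not in observed
                    and item.state is State.OPEN):
                item.state = State.NEEDS_CONFIRMATION
                item.history.append(f"{sweep_id}: no longer observed")

    def resolve(self, key: str, signer: str, note: str) -> Finding:
        """The only path to RESOLVED: a human, a reason, and a finding that
        the automation has already stopped observing."""
        item = self._items[key]
        if item.state is not State.NEEDS_CONFIRMATION:
            raise ValueError(f"{key} is {item.state.value}; only a finding that is "
                             "no longer observed can be signed off")
        if not signer or not note:
            raise ValueError("resolution needs a signer and a note")
        item.state = State.RESOLVED
        item.history.append(f"resolved by {signer}: {note}")
        return item

    def state_of(self, key: str) -> State:
        return self._items[key].state

    def history_of(self, key: str) -> list[str]:
        return list(self._items[key].history)

    def open_count(self) -> int:
        return sum(1 for i in self._items.values() if i.state is State.OPEN)
```

Two details carry the policy: `ingest_sweep` never assigns `State.RESOLVED`, and `resolve` refuses a finding that is still being observed, so a human cannot sign off something the scanner is still seeing.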

Policies & Records — governing HIPAA documents tracked in git, with an in-portal sign and attest workflow.

Living policies, re-signed on change

HIPAA documentation isn’t a one-time PDF — it has to track reality. Every governing document lives in git. When the agent detects that code or infrastructure has drifted away from what a policy says, the affected policy is updated and queued for re-signature. I sign and attest to it directly in the portal, which records the signer, the timestamp, and the exact commit hash — turning attestation into traceable, version-controlled evidence rather than a folder of stale paperwork.
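As an added example of the attestation record described above (not the portal’s own code), the following binds a signature to signer, timestamp, commit and a hash of the exact policy text, so that any later edit to the document automatically puts it back in the re-signature queue. The register class, the `update` hook that mirrors a git commit, and the constructed commit identifiers are assumptions for the demonstration.

```python
from __future__ import annotations

import hashlib
from dataclasses import asdict, dataclass
from datetime import datetime, timezone


def content_hash(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


@dataclass(frozen=True)
class Attestation:
    policy: str
    signer: str
    signed_at: str        # ISO-8601, UTC
    commit: str           # git commit the signed text came from
    content_sha256: str   # hash of the exact text that was signed


class PolicyRegister:
    """Current text of each governing document plus who attested to which
    version. A signature is valid only while the text still hashes the same."""

    def __init__(self) -> None:
        self._text: dict[str, str] = {}
        self._commit: dict[str, str] = {}
        self._attestations: dict[str, list[Attestation]] = {}

    def update(self, policy: str, text: str, commit: str) -> None:
        """Record the document as it exists at `commit` (e.g. from a post-commit hook)."""
        self._text[policy] = text
        self._commit[policy] = commit

    def sign(self, policy: str, signer: str, when: datetime | None = None) -> Attestation:
        when = when or datetime.now(timezone.utc)
        att = Attestation(policy, signer, when.isoformat(), self._commit[policy],
                          content_hash(self._text[policy]))
        self._attestations.setdefault(policy, []).append(att)
        return att

    def latest(self, policy: str) -> Attestation | None:
        atts = self._attestations.get(policy)
        return atts[-1] if atts else None

    def needs_resignature(self, policy: str) -> bool:
        """True if never signed, or if the text changed since the last signature."""
        att = self.latest(policy)
        return att is None or att.content_sha256 != content_hash(self._text[policy])

    def pending(self) -> list[str]:
        return sorted(p for p in self._text if self.needs_resignature(p))

    def evidence(self, policy: str) -> list[dict]:
        """Auditor-facing trail: every signature with its signer, time, commit and hash."""
        return [asdict(a) for a in self._attestations.get(policy, [])]
```

Keying validity on the content hash rather than the commit is a deliberate choice: a commit that touches other files but leaves the policy text byte-identical does not force a pointless re-signature, while a one-character change to the policy does.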

PHI-free by design

One decision shaped everything else: the compliance portal itself holds no protected health information. It stores only compliance posture, process metadata, and audit-event counts — never patient data, never the contents of an access log. The tool that proves ShockTalk is safe is therefore one of the safest surfaces in the system, with almost nothing for an attacker to take. It’s a small idea with outsized payoff: the thing that watches the henhouse isn’t itself a henhouse.

~$500/mo avoided · 7 deterministic code rules · 26 Azure infra checks · §164.312 control mapping · Daily email report · Monthly Claude Opus audit · Git-tracked, signed policies · PHI-free portal

Built with

A React portal over a Flask compliance API, deterministic checks in Python, an AI drift auditor on Claude Opus, and Azure’s HIPAA tooling underneath — designed and built in-house.

Claude Opus
Azure
Flask + Python
Postgres
React
Tailwind CSS

What’s next

The honest version of compliance is that it’s never finished — and the portal is built to say so out loud. Next is moving the Azure infrastructure audit onto a scheduled read-only service principal so the daily sweep is fully automated rather than partly manual, extending log retention toward the six-year horizon HIPAA sets for its documentation (§164.316(b)(2)), and retiring the last vendors without a Business Associate Agreement. The goal isn’t a green dashboard. It’s a system that tells the truth about where compliance actually stands, every single day.