How to track HIPAA compliance obligations as a Small IT and ITOps Team

Compliance & Legal · For Small IT and ITOps Teams · 2 apps · 12 steps · ~24 min to set up

You're two people managing HIPAA obligations across a 300-person company, and nobody handed you a compliance playbook. BAAs need to be tracked across every SaaS vendor that touches PHI — your EHR integration, your SFTP provider, the random analytics tool a product manager connected six months ago. Risk assessments are due annually but live in a Google Doc that's two versions stale. Audit logs exist across AWS CloudWatch, Jira, and Okta, but pulling them together when your security officer asks takes a half-day of tab-switching. Training completion records are in Rippling or BambooHR. Nothing connects, and the next breach notification or OCR audit is the moment you find out what slipped.

Outcome

What you'll set up

A centralized HIPAA obligation tracker that surfaces BAA status, training completion gaps, and upcoming audit deadlines from your existing tools — no spreadsheet required.
An automated weekly digest that checks your AWS environment, Okta access logs, and vendor inventory for compliance drift and Slacks you and your manager a summary every Monday.
A documentation layer in Starch's Knowledge Management app (coming soon) where your risk assessments, incident response runbooks, and audit evidence live in one searchable place — not scattered across Google Drive folders nobody maintains.
The Starch recipe

Apps, data, and prompts

The combination of Starch apps, the data sources they pull from, and the prompts you use to drive them.

Data sources & config

Connect AWS (Starch syncs your AWS Cost Explorer and CloudWatch data directly — on-demand queries, no scheduled snapshot), Jira from Starch's integration catalog (the agent queries it live when your compliance tracker runs), Slack from Starch's integration catalog for digest delivery, and Notion if your current runbooks live there (Starch syncs your Notion pages on a schedule). BambooHR or Rippling for workforce training records are reachable from Starch's integration catalog; the agent queries them live. Any vendor portal without an API — such as a BAA signing portal or insurance carrier dashboard — Starch automates through your browser with no API needed.

Prompts to copy
Build me a HIPAA compliance tracker that shows every vendor we've signed a BAA with, the date it was signed, expiration date if any, and whether they've had a security incident in the last 12 months. Pull vendor list from our Jira tickets tagged 'vendor-review' and flag anything missing a BAA.
Every Monday at 8am, query our AWS Cost Explorer and CloudWatch for any new services spun up in the last 7 days, check if those services touch our PHI VPC, and Slack me a list of new resources that may need a risk assessment before they go to production.
Build me a documentation hub for our HIPAA program: annual risk assessment, workforce training records, incident response plan, and BAA repository. Make it searchable so I can pull any section during an audit review in under 30 seconds.
Create a task list for our Q2 HIPAA audit prep: risk assessment review by April 15, training completion check by April 20, BAA audit by April 25, policy review by April 30. Flag anything that goes overdue and notify me in Slack.
Run these in Starch → or paste them into your favorite agent
Walkthrough

Step-by-step

1 Connect Jira from Starch's integration catalog. The agent queries your Jira projects live — use your existing 'vendor-review' or 'security' project tags to seed the initial vendor list without rebuilding it from scratch.
2 Connect AWS. Starch queries your AWS Cost Explorer and CloudWatch on demand — you'll use this to detect new service deployments that may touch PHI and need a risk assessment before they go live.
3 Connect Slack from Starch's integration catalog so Starch can deliver weekly compliance digests and overdue-task alerts to your IT security channel without you having to remember to check a dashboard.
4 If training records live in BambooHR or Rippling, connect them from Starch's integration catalog. The agent queries workforce training completion live so your compliance tracker always shows current gaps, not last quarter's export.
5 Tell Starch: 'Build me a BAA tracker showing every vendor, BAA status, signing date, and expiration. Pull vendor names from Jira tickets labeled vendor-review and flag any vendor without a signed BAA.' Starch assembles the app from your Jira data.
6 Tell Starch: 'Every Monday at 8am, check AWS for new services deployed in the last 7 days, identify which ones are in our PHI network segment, and Slack the IT channel a list of any that don't have a completed risk assessment.' This automation runs without you touching it.
7 Tell Starch: 'Build me a HIPAA documentation hub where I can store and search our risk assessment, incident response plan, BAA copies, and training logs. Auto-flag any document that hasn't been updated in more than 12 months.' This becomes your audit-ready evidence folder.
8 Use the Task Manager app to create your next audit prep checklist. Capture tasks by typing: 'Add task: complete annual workforce HIPAA training audit by April 20, P1.' Due dates and P1–P4 priority levels keep the prep sprint visible without a separate project management tool.
9 For any vendor portal where you need to pull a signed BAA PDF or check a compliance certificate — but they have no API — tell Starch to automate it through your browser. Starch logs in, navigates to the document, and pulls the file. No API needed.
10 Set a monthly automation: 'On the first of every month, query BambooHR for employees hired in the last 30 days who haven't completed HIPAA training, and create a Jira ticket for each one assigned to the IT onboarding queue.' Training gaps stop falling through during busy hiring months.
11 When an audit request comes in, go to your Starch documentation hub and search for the specific control or policy. Everything you've stored — risk assessments, incident logs, BAA copies, training records — is indexed and returns in seconds rather than requiring a Drive folder excavation.
12 Fork the tracker as your compliance posture evolves. When a new regulation touches your stack — HITECH amendment, state privacy law, a new SOC 2 requirement from a customer — describe the new obligation in natural language and Starch adds it to the existing app.
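The decision logic behind the Monday digest in step 6 (and the FAQ answer on flagging new AWS services), as an added Python example that is not Starch's own code: the resource inventory, Jira tickets, account id and VPC ids are constructed placeholders, and the check is deliberately point-in-time to match the on-demand nature of the AWS connector.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Added example, not Starch's own code: the rule behind "new services in the
# PHI VPC without a completed risk assessment". All ids are constructed.
PHI_VPC_ID = "vpc-0phi0000placeholder"   # assumed id of the PHI network segment
ACCOUNT = "111111111111"                 # constructed AWS account id

@dataclass(frozen=True)
class Resource:
    arn: str
    vpc_id: Optional[str]   # None for services that live outside any VPC
    created: date

@dataclass(frozen=True)
class RiskTicket:
    resource_arn: str
    status: str             # Jira status, e.g. "Done" or "In Progress"

def flag_unassessed_phi_resources(resources, tickets, today, window_days=7):
    """ARNs deployed within `window_days` that sit in the PHI VPC and have no
    *completed* risk-assessment ticket. An open ticket does not count."""
    cutoff = today - timedelta(days=window_days)
    assessed = {t.resource_arn for t in tickets if t.status == "Done"}
    return sorted(
        r.arn for r in resources
        if r.vpc_id == PHI_VPC_ID and r.created >= cutoff and r.arn not in assessed
    )

def digest_text(flagged, today):
    """Slack-ready summary; the check is point-in-time, so the run date is stated."""
    if not flagged:
        return f"{today}: no unassessed resources in the PHI VPC this week."
    body = "\n".join(f"- {arn}" for arn in flagged)
    return f"{today}: {len(flagged)} PHI-VPC resource(s) need a risk assessment:\n{body}"

# Constructed inventory and tickets (a real run fills these from AWS and Jira).
SAMPLE_RESOURCES = [
    Resource(f"arn:aws:lambda:us-east-1:{ACCOUNT}:function:claims-etl", PHI_VPC_ID, date(2026, 3, 27)),
    Resource(f"arn:aws:rds:us-east-1:{ACCOUNT}:db:analytics-replica", PHI_VPC_ID, date(2026, 3, 29)),
    Resource(f"arn:aws:ec2:us-east-1:{ACCOUNT}:instance/i-0marketingweb", "vpc-0public0placeholder", date(2026, 3, 29)),
    Resource(f"arn:aws:rds:us-east-1:{ACCOUNT}:db:legacy-mirror", PHI_VPC_ID, date(2026, 2, 1)),
]
SAMPLE_TICKETS = [
    RiskTicket(f"arn:aws:lambda:us-east-1:{ACCOUNT}:function:claims-etl", "Done"),
    RiskTicket(f"arn:aws:rds:us-east-1:{ACCOUNT}:db:analytics-replica", "In Progress"),
]
RUN_DATE = date(2026, 3, 30)

def sample_digest():
    return flag_unassessed_phi_resources(SAMPLE_RESOURCES, SAMPLE_TICKETS, RUN_DATE)

if __name__ == "__main__":
    print(digest_text(sample_digest(), RUN_DATE))
```

Only the replica with an in-progress ticket is reported; the resource deployed in February falls outside the 7-day window, which is exactly the gap a point-in-time check leaves and why the window is a parameter.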

See this running on Starch

Connect your tools, describe what you want, and the agent builds it. Closed beta is free.

Try it on Starch →
Worked example

April 2026 OCR Audit Prep — 2-person IT team, 300 employees

Sample numbers from a real run

Vendors requiring BAA review: 23
BAAs confirmed on file: 17
BAAs missing or expired: 6
Employees with incomplete annual HIPAA training: 34
AWS services flagged for PHI-network risk review: 4
Hours to produce audit evidence packet (pre-Starch): 18
Hours to produce audit evidence packet (with Starch): 3

In early April, your compliance officer tells you an OCR audit readiness review is happening in three weeks. Before Starch, this would mean pulling a vendor list from memory and old Jira tickets, emailing six SaaS admins to confirm BAA status, exporting a training completion CSV from BambooHR, and compiling AWS service inventory by hand from the console — roughly 18 hours across two weeks. With Starch, you open the BAA tracker (built from your Jira vendor-review tags) and immediately see 6 of 23 vendors are flagged: 4 have expired BAAs and 2 have no BAA on file at all. One of the 2 missing BAAs is a recently onboarded analytics vendor that a product manager connected in January — exactly the kind of thing that would have surfaced during the audit instead of before it. The Monday AWS digest has already flagged 4 new services deployed in March that need risk assessments before the review. You open your Starch documentation hub and pull the current risk assessment, incident response plan, and training log in under two minutes. The 34 employees with incomplete training get Jira tickets automatically routed to HR. You walk into the audit review with a complete evidence packet instead of an apology.

Measurement

How you'll know it's working

BAA coverage rate — percentage of PHI-touching vendors with a current, signed BAA on file
HIPAA training completion rate — percentage of workforce with annual training completed, tracked monthly against new hires
Time to produce audit evidence packet — target under 4 hours for a standard OCR or internal audit request
New AWS service risk-assessment lag — days between a new service deployment touching the PHI VPC and a completed risk assessment
Open compliance tasks by due date — P1 overdue items should be zero; P2 items resolved within 5 business days
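The classification the BAA tracker from step 5 performs, and how the BAA coverage rate above falls out of it, as an added Python example that is not Starch's code; the vendor inventory is constructed and the audit-prep date is assumed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Added example, not Starch's own code: per-vendor BAA status plus the
# "BAA coverage rate" metric (current BAAs / PHI-touching vendors).

@dataclass(frozen=True)
class Vendor:
    name: str
    touches_phi: bool
    baa_signed: Optional[date]    # None = no BAA on file
    baa_expires: Optional[date]   # None = no stated expiration

def baa_status(v: Vendor, today: date) -> str:
    """current / expired / missing for in-scope vendors; not-required otherwise."""
    if not v.touches_phi:
        return "not-required"
    if v.baa_signed is None:
        return "missing"
    if v.baa_expires is not None and v.baa_expires < today:
        return "expired"
    return "current"

def baa_report(vendors, today):
    """Group PHI-touching vendors by BAA status and compute the coverage rate."""
    groups = {"current": [], "expired": [], "missing": []}
    for v in vendors:
        status = baa_status(v, today)
        if status != "not-required":
            groups[status].append(v.name)
    in_scope = sum(len(g) for g in groups.values())
    coverage = len(groups["current"]) / in_scope if in_scope else 1.0
    return {
        "in_scope": in_scope,
        "coverage_rate": round(coverage, 3),
        "flagged": sorted(groups["expired"] + groups["missing"]),
        **{k: sorted(names) for k, names in groups.items()},
    }

# Constructed vendor inventory; a real run derives it from Jira 'vendor-review' tickets.
SAMPLE_VENDORS = [
    Vendor("EHR integration", True, date(2025, 6, 1), None),
    Vendor("SFTP provider", True, date(2024, 3, 15), date(2026, 3, 15)),
    Vendor("Product analytics tool", True, None, None),   # connected without a BAA
    Vendor("Cloud backup", True, date(2025, 11, 20), date(2026, 11, 20)),
    Vendor("Email marketing", False, None, None),          # no PHI, no BAA needed
]
AUDIT_PREP_DATE = date(2026, 4, 1)   # assumed run date for the report

def sample_report():
    return baa_report(SAMPLE_VENDORS, AUDIT_PREP_DATE)

if __name__ == "__main__":
    r = sample_report()
    print(f"BAA coverage {r['coverage_rate']:.0%} of {r['in_scope']} vendors; flagged: {r['flagged']}")
```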
Comparison

What this replaces

The other ways teams handle this today, and how the Starch version compares.

Spreadsheet + Google Drive folder
Free and already in use, but BAA status goes stale the moment someone forgets to update a row, and there's no automated alerting when a vendor is added without a BAA or when training records fall behind.
Drata or Vanta
Strong for SOC 2 automation and continuous control monitoring, but priced for funded startups and engineering-led compliance programs — a 2-person IT team at a 300-person company often finds the per-seat cost and implementation lift hard to justify for HIPAA alone when the rest of your stack isn't wired to it.
ServiceNow GRC
Enterprise-grade governance, risk, and compliance tooling that requires a dedicated admin to configure and maintain — not realistic for a team of two without a GRC specialist on staff.
Manual Jira + Confluence
You likely already have both, and Starch connects to them from the integration catalog — but Jira and Confluence don't alert you when a PHI-touching vendor goes unsigned, trigger training gap tickets on new hires, or auto-surface audit evidence. They store the information; Starch acts on it.
On Starch (recommended)

One platform, with the knowledge management and task manager apps all running on connected data. Setup is in plain English; numbers stay current via scheduled syncs and live agent queries.

Try it on Starch →
FAQ

Frequently asked questions

Does Starch store our PHI or HIPAA-covered data?
Starch queries your connected systems live or syncs metadata — it's not designed as a PHI data warehouse. Your patient records or PHI stay in the systems that hold them today. That said, Starch is not SOC 2 Type II certified yet, which is worth knowing before connecting any system that touches regulated data. Check with your compliance officer on your specific data handling requirements.
Can Starch connect to our EHR or specific HIPAA-adjacent vendor portals?
If the vendor has an API in Starch's integration catalog of 3,000+ apps, the agent queries it live. If they don't — which is common with older EHR systems or specialty compliance portals — Starch can automate the browser session directly with no API needed. You'd describe what you need pulled and Starch navigates the portal the same way you would.
What about the Contract Lifecycle Management app for tracking BAAs specifically?
Contract Lifecycle Management — which would handle BAA drafting, e-signature routing, and renewal alerts natively — is currently in development. You can request beta access to get notified when it launches. In the meantime, the BAA tracker you build in Starch using your Jira vendor data covers the core visibility problem: who has a BAA, when it expires, and who's missing one.
We already have Notion for runbooks. Does Starch replace that?
No — Starch syncs your Notion pages on a schedule, so your existing runbooks stay where they are and Starch surfaces them inside your compliance hub. You don't have to migrate anything. The Knowledge Management app in Starch adds AI search across your docs and staleness detection, but it works alongside Notion rather than replacing it.
Can Starch track when new AWS services are deployed and flag PHI exposure risk automatically?
Yes. Starch queries AWS Cost Explorer and CloudWatch on demand — you set up an automation that checks for new service deployments on a schedule (daily or weekly) and Slacks your team if any new resources appear in your PHI network segment without a corresponding risk assessment ticket in Jira. Note that AWS in Starch is on-demand query only, not a scheduled snapshot, so it's a point-in-time check rather than continuous monitoring.
How do we handle workforce HIPAA training tracking if HR owns the records in BambooHR?
Connect BambooHR from Starch's integration catalog — the agent queries it live when your training compliance report runs. You can build an automation that runs monthly, pulls employees hired in the last 30 days, checks training completion status, and creates Jira tickets for anyone who's behind. IT gets visibility into HR's records without needing a CSV export from HR every time.

Ready to track HIPAA compliance obligations on Starch?

Request closed-beta access. Everything is free during beta.
