How to track HIPAA compliance obligations as a small legal and compliance team

Compliance & Legal · For Small Legal and Compliance Teams · 2 apps · 10 steps · ~20 min to set up

You're a two-person legal team at a 150-person SaaS company. HIPAA touches your business because sales wants to sign a BAA with every healthcare prospect, IT keeps onboarding new SaaS vendors who might touch PHI, and HR is asking whether your payroll provider counts as a covered entity. You're tracking BAA status in a Notion doc that hasn't been updated since Q2, chasing down which vendors have signed what in a Gmail thread from eight months ago, and manually reminding the security team when annual HIPAA training attestations are due. You know there's an audit window coming. You don't have OneTrust. You have a spreadsheet and a lot of anxiety.

Outcome

What you'll set up

A live BAA tracker that pulls from your Gmail and Notion data, surfaces which vendors have signed, which are pending, and which are overdue — without you manually updating a spreadsheet
An automated alert system that notifies you in Slack when a BAA expiration date, annual training deadline, or policy attestation window is within 30 days
A vendor PHI risk queue that cross-references your active SaaS tools against whether a BAA exists, so every new IT procurement goes through a documented review before it becomes a compliance gap
The Starch recipe

Apps, data, and prompts

The combination of Starch apps, the data sources they pull from, and the prompts you use to drive them.

Data sources & config

Starch syncs your Gmail data on a schedule (messages and labels, so BAA emails are searchable and surfaced automatically) and connects directly to your Notion workspace on a schedule (pages and databases, so your existing contract tracker rows are the starting point, not a blank slate). Slack connects from Starch's integration catalog so the agent queries it live when sending deadline alerts. DocuSign and Google Drive connect from Starch's integration catalog — the agent queries them live to check signature status and pull executed BAA files. Any HIPAA-adjacent vendor portal that doesn't have an API — a state health department filing portal, a carrier's compliance attestation form — Starch automates through your browser, no API needed.

Prompts to copy
Build me a HIPAA obligation tracker that shows every vendor we've shared PHI with, their BAA status (signed, pending, not started), the BAA expiration date, and who owns the follow-up. Pull vendor names and email threads from Gmail and any existing rows from our Notion contracts database. Flag anything expiring in the next 60 days in red.
Create a HIPAA policy calendar that lists every annual obligation — workforce training attestation, risk analysis review, breach notification policy review, Notice of Privacy Practices update — with due dates, the person responsible, and completion status. Alert me in Slack 30 days before anything is due.
Build a vendor PHI risk queue. When IT submits a new SaaS tool request, create a checklist item that asks: does this tool touch PHI? If yes, has a BAA been signed? Surface all open items sorted by submission date so nothing sits in a queue unreviewed for more than a week.
Run these in Starch → or paste them into your favorite agent
Walkthrough

Step-by-step

1 Connect Gmail to Starch (scheduled sync) — Starch will index your existing BAA email threads, vendor onboarding correspondence, and any signed-agreement notifications so you're not starting from a blank list of vendors.
2 Connect Notion to Starch (scheduled sync) — if you have a contracts or vendor database in Notion, even a partial one, Starch pulls it in as the starting schema for your compliance tracker rather than asking you to re-enter data.
3 Connect DocuSign and Google Drive from Starch's integration catalog — the agent queries them live to check which BAAs have been executed, which are out for signature, and where the PDF lives.
4 Tell Starch: 'Build me a HIPAA BAA tracker that lists every vendor we've shared PHI with, their signing status, expiration date, and the email thread where we sent or received the BAA.' Starch assembles the app; you review and correct any vendor it miscategorized.
5 Add your annual HIPAA calendar obligations manually or by pasting your existing policy schedule into Starch chat — things like workforce training deadlines, risk analysis review dates, and Notice of Privacy Practices update windows. Starch creates recurring task entries for each.
6 Set up a Slack alert automation: 'Every Monday, check all BAA expiration dates and policy deadlines. If anything is within 30 days, post a summary to #legal-alerts with the vendor name, deadline, and owner.' Connect Slack from Starch's integration catalog.
7 Build the vendor PHI risk queue by telling Starch: 'Create a form IT can fill out when they want to onboard a new SaaS tool. If the tool might touch PHI, automatically add it to my compliance review queue with a checkbox for BAA status and a field for the business owner.' No drag-and-drop — describe it, Starch builds it.
8 Wire the Knowledge Management app to house your internal HIPAA policies, your BAA template, your breach notification runbook, and your training attestation records. Tell Starch: 'Index our HIPAA policy documents from Google Drive and make them searchable so anyone on the team can find the current version without emailing me.'
9 Run a gap audit by asking Starch: 'Cross-reference our active vendor list against our BAA tracker and show me any vendor marked as touching PHI where we have no signed BAA on file.' Use this as your starting remediation queue before the next audit window.
10 For annual HIPAA risk analysis, tell Starch: 'Pull all vendors from our PHI risk queue, all BAA expiration dates from the tracker, and all open policy review items from the task list. Generate a summary report I can use as the starting point for our annual risk analysis documentation.' Export it as a shareable doc for your security team.

See this running on Starch

Connect your tools, describe what you want, and the agent builds it. Closed beta is free.

Worked example

Q1 2026 HIPAA Audit Prep — 150-Person SaaS Company

Sample numbers from a real run

Active vendors flagged as touching PHI: 23
BAAs confirmed signed and on file: 14
BAAs pending or not started: 9
BAAs expiring within 90 days: 3
Annual policy obligations due in Q1: 5
Hours to produce the above report manually (pre-Starch): 11

In January 2026, your company gets a heads-up that a healthcare enterprise prospect wants to run a security review before signing. Their questionnaire asks for a list of all subprocessors that touch PHI, each one's BAA status, and your last risk analysis date. Before Starch, answering that question meant cross-referencing a stale Notion spreadsheet against your Gmail inbox for forwarded BAA PDFs, pinging the security team for their vendor list, and spending half a day compiling it. With the HIPAA obligation tracker running on Starch, you pull the current state in under five minutes: 23 vendors flagged as PHI-touching, 14 with signed BAAs on file (DocuSign confirmation pulled live), and 9 pending or not started. Three of the 14 signed BAAs expire before June; Starch already sent a Slack alert two weeks ago and created task entries for each. The five Q1 policy obligations (workforce training attestation due February 28, risk analysis review due March 31, breach notification policy review due March 15, NPP update due January 31, and security incident response plan review due February 15) are all visible in the task manager with owners assigned. You hand the prospect's team a complete subprocessor list with BAA status in 20 minutes instead of a half-day scramble, and the 9 vendors with gaps become your remediation list for the next two weeks.

Measurement

How you'll know it's working

BAA coverage rate: percentage of PHI-touching vendors with a signed, non-expired BAA on file
Mean time to remediate a BAA gap from identification to signed agreement
Annual HIPAA policy obligations completed on time vs. overdue at the end of each quarter
Vendor PHI risk queue age: average number of days a new SaaS tool request sits unreviewed before a compliance determination is made
Audit response time: hours from request to delivery of a subprocessor list or policy documentation package
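The tracker logic the steps above describe (the step 9 gap audit, the 30-day Slack alert window, the 60-day red flag, and the BAA coverage rate metric) written out as an added example; this is illustrative code, not Starch's own implementation, and the vendor rows, dates and owners are constructed sample data standing in for what the Notion and DocuSign syncs would supply. It also handles the case the metric definition implies but the steps do not spell out: a signed BAA that has already expired counts as a gap, not as coverage.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

@dataclass
class Vendor:
    name: str
    touches_phi: bool
    baa_status: str              # "signed", "pending" or "not started"
    baa_expires: Optional[date]  # None when no executed BAA is on file
    owner: str

# Constructed sample rows (not real vendors) standing in for the synced tracker data.
TODAY = date(2026, 1, 12)
VENDORS = [
    Vendor("Cloud Host Co", True, "signed", date(2026, 2, 3), "IT"),
    Vendor("Analytics SaaS", True, "signed", date(2026, 3, 20), "Security"),
    Vendor("Email Provider", True, "signed", date(2027, 1, 1), "IT"),
    Vendor("Ticketing Tool", True, "pending", None, "Legal"),
    Vendor("Payroll Provider", False, "not started", None, "HR"),
    Vendor("Support Desk", True, "not started", None, "Sales"),
    Vendor("Legacy CRM", True, "signed", date(2025, 12, 31), "Sales"),  # signed but expired
]

def is_covered(v: Vendor, today: date = TODAY) -> bool:
    """A vendor is covered only by a signed BAA that has not yet expired."""
    return v.baa_status == "signed" and v.baa_expires is not None and v.baa_expires >= today

def baa_gaps(vendors: List[Vendor], today: date = TODAY) -> List[str]:
    """Step 9 gap audit: PHI-touching vendors with no signed, unexpired BAA on file."""
    return [v.name for v in vendors if v.touches_phi and not is_covered(v, today)]

def expiring_within(vendors: List[Vendor], days: int, today: date = TODAY) -> List[Tuple[str, date, str]]:
    """Covered BAAs expiring in the next `days` days (30 for the Slack alert, 60 for the red flag)."""
    cutoff = today + timedelta(days=days)
    return [(v.name, v.baa_expires, v.owner) for v in vendors
            if is_covered(v, today) and v.baa_expires <= cutoff]

def coverage_rate(vendors: List[Vendor], today: date = TODAY) -> float:
    """BAA coverage rate: percent of PHI-touching vendors with a signed, non-expired BAA."""
    phi = [v for v in vendors if v.touches_phi]
    return round(100 * sum(is_covered(v, today) for v in phi) / len(phi), 1) if phi else 100.0

def slack_summary(vendors: List[Vendor], today: date = TODAY) -> str:
    """Body of the Monday #legal-alerts post: vendor, deadline and owner for the 30-day window."""
    rows = [f"- {n}: BAA expires {d.isoformat()} (owner: {o})" for n, d, o in expiring_within(vendors, 30, today)]
    return "BAA expirations within 30 days:\n" + "\n".join(rows) if rows else "No BAA expirations within 30 days."

if __name__ == "__main__":
    print(f"Coverage: {coverage_rate(VENDORS)}%  Gaps: {baa_gaps(VENDORS)}")
    print(slack_summary(VENDORS))
```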
Comparison

What this replaces

The other ways teams handle this today, and how the Starch version compares.

OneTrust
OneTrust covers HIPAA, GDPR, and vendor risk comprehensively, but starts around $50K/year and assumes a dedicated privacy-ops person to configure and maintain it — not realistic for a two-person legal team at a 150-person company.
Vanta or Drata (compliance automation)
Vanta and Drata automate evidence collection for SOC 2 and ISO audits well, but their HIPAA modules are lightweight and they don't give you a customizable BAA tracker or vendor risk queue — you still end up managing those in a spreadsheet alongside them.
Google Sheets + Notion (current state)
Zero cost and full flexibility, but no automated alerts, no live sync with DocuSign or Gmail, and the tracker is only as accurate as the last time someone manually updated it — which is rarely today.
Ironclad or Evisort
Best-in-class for contract lifecycle management including BAA workflows, but six-figure contracts with implementation timelines measured in months and sales processes that don't move at the speed a two-person team needs.
Jira + Confluence (compliance wiki + task tracking)
Handles tickets and documentation reasonably well, but requires significant manual configuration to mirror a HIPAA obligation calendar and has no native connection to Gmail, DocuSign, or Notion to pull live contract status.
On Starch (recommended)

One platform — task manager, knowledge management all running on connected data. Setup in plain English; numbers stay current via scheduled syncs and live agent queries.

FAQ

Frequently asked questions

Is Starch SOC 2 Type II certified? Should I be worried about putting BAA-related data in it?
Starch is not SOC 2 Type II certified today — that's a real and honest limit worth naming before you put anything sensitive in it. For a HIPAA compliance tracker, the data you're storing is mostly metadata: vendor names, BAA status, expiration dates, task deadlines. The actual executed BAA PDFs stay in DocuSign or Google Drive; Starch queries their status live rather than storing the documents itself. Your legal team should make the call on whether that architecture is acceptable given your data classification policies. We'd rather you know the limit upfront than discover it during a vendor review.
We already track BAAs in Notion. Does Starch replace that, or does it connect to it?
Starch connects to it. Starch syncs your Notion workspace on a schedule, so your existing database rows become the starting point for the BAA tracker rather than asking you to re-enter anything. You can keep updating Notion directly if that's what your team is used to — Starch will pull the latest state every sync cycle. The goal is to add alerts, cross-references, and automation on top of what you already have, not to ask you to migrate.
Can Starch actually read our executed BAAs from DocuSign or Google Drive?
Starch connects to DocuSign and Google Drive from its integration catalog, so the agent can query envelope status, completion dates, and file locations live when your app runs. It can surface 'signed on this date, file here' for each vendor. Full document text extraction from PDFs is possible through browser automation for Drive files, but the primary use case here is status and metadata — knowing whether a BAA exists and when it expires — rather than clause-level contract analysis.
What if a vendor's HIPAA compliance portal doesn't have an API?
That's what browser automation is for. If a vendor requires you to log into their portal and manually attest to compliance, or a state health department has a filing form with no API, Starch can automate that through your browser — no API needed. You'd describe the workflow to Starch ('log into this portal, check the status of our BAA submission, and report back'), and Starch handles the navigation. This is a first-class pattern in Starch, not a workaround.
We're a two-person team. How long does it actually take to set this up?
Connecting Gmail, Notion, and Slack takes a few minutes each. Describing the BAA tracker and getting a first working version typically takes one working session — you'd describe what you want in plain language, Starch builds a draft, and you refine it by telling it what's wrong or missing. The more specific you are about your current spreadsheet columns and what you want to be alerted on, the faster the first version gets usable. You're not configuring workflows in a drag-and-drop builder or writing rules — you're describing the outcome you want.
Does Starch replace a CLM tool if we eventually need one?
No. Starch connects to CLM tools — Contract Lifecycle Management is on the roadmap as a coming-soon app, but today Starch is the layer that surfaces your compliance obligations and connects your existing tools (DocuSign, Notion, Gmail, Google Drive) into a unified view. If you're at the point where you need full contract drafting, redlining, and approval workflows, a dedicated CLM tool is the right answer. Starch is for the two-person team that needs 80% of that functionality without a six-figure procurement process.

Ready to track HIPAA compliance obligations on Starch?

Request closed-beta access. Everything is free during beta.
