
Private Beta · Building

HIPAA evidence built on an architecture where PHI never leaves the device.

Documents are SHA-256 fingerprinted in your browser before anything reaches our systems. The original PHI never crosses the network. That isn't just a privacy convenience — it materially shrinks the surface area HIPAA's Security Rule applies to. What's left is metadata anchored to a public ledger so an OCR investigator can verify your audit log without trusting Arkova or any other vendor.

What it is

The 1996 law that became four rules and a $1.9M-per-violation penalty regime.

HIPAA is the Health Insurance Portability and Accountability Act of 1996. The original act was about insurance portability when changing jobs; the compliance burden everyone refers to as "HIPAA" actually comes from regulations issued by HHS afterward — most notably the Privacy Rule (2003), the Security Rule (2005), the Breach Notification Rule (2009 under HITECH), and the Enforcement Rule.

HIPAA applies to covered entities (health plans, providers, clearinghouses) and to business associates (anyone handling PHI on their behalf — direct HIPAA liability since HITECH 2009). Civil monetary penalties reach up to $1.9M per violation category per year, indexed for inflation. Criminal penalties reach up to 10 years' imprisonment for knowing violations committed with intent to sell or transfer PHI for personal gain.

The Office for Civil Rights (OCR) within HHS investigates complaints, performs periodic audits, and resolves cases either through corrective-action plans (most common) or through formal Resolution Agreements (with the highest penalties published). Most multi-million-dollar HIPAA settlements turn on whether the entity could prove the safeguards it claimed were operating actually were operating at the time.

The four rules · how Arkova maps to each

HIPAA's four operational rules, anchored.

Privacy Rule

45 CFR §164.500–§164.534

Requirement

Standards for the use and disclosure of Protected Health Information (PHI). Minimum-necessary rule, individual rights to access/amend records, accounting of disclosures, business associate agreements (BAAs).

Arkova

Anchored disclosure log per patient: who requested PHI, why, on what date, what was disclosed. The §164.528 accounting-of-disclosures requirement becomes a single API query against an immutable ledger instead of a manual reconstruction.

Security Rule

45 CFR §164.302–§164.318

Requirement

Administrative, physical, and technical safeguards for electronic PHI (ePHI). Encryption-in-transit + at-rest, access controls, audit controls, integrity controls, transmission security.

Arkova

Client-side SHA-256 fingerprinting before any data leaves the device satisfies the addressable encryption specification at §164.312(a)(2)(iv) by design. An append-only audit log on a public ledger satisfies the §164.312(b) audit-controls requirement with independent verifiability.

Breach Notification Rule

45 CFR §164.400–§164.414

Requirement

Required notifications when a breach of unsecured PHI occurs. Individual notice within 60 days, HHS notice (timing depends on breach size), media notice for breaches affecting 500+ residents of a state.

Arkova

Anchored timeline per incident: when discovered, when assessed, when notifications sent. Disputes about whether notification met the 60-day window become objectively verifiable.

Enforcement Rule

45 CFR §160.300–§160.552

Requirement

OCR investigation procedures, civil monetary penalties (up to $1.9M per violation per year, indexed for inflation), corrective action plans.

Arkova

OCR investigations frequently turn on whether claimed safeguards were operating at the time of the alleged violation. Anchored evidence + immutable timeline removes the "your logs say so but how do we know" question.

Security Rule safeguards

Three categories of safeguards. Twenty-plus standards.

Administrative

  • Security Management Process (§164.308(a)(1)) — risk analysis + risk management
  • Workforce Security (§164.308(a)(3)) — access authorization, supervision, termination
  • Information Access Management (§164.308(a)(4)) — access establishment + modification
  • Security Awareness + Training (§164.308(a)(5))
  • Security Incident Procedures (§164.308(a)(6))
  • Contingency Plan (§164.308(a)(7)) — backup, disaster recovery, emergency mode
  • Evaluation (§164.308(a)(8)) — periodic technical + non-technical evaluation
  • Business Associate Contracts (§164.308(b)(1))

Physical

  • Facility Access Controls (§164.310(a)(1))
  • Workstation Use + Security (§164.310(b), (c))
  • Device + Media Controls (§164.310(d)(1))

Technical

  • Access Control (§164.312(a)(1)) — unique user IDs, emergency access, automatic logoff, encryption + decryption
  • Audit Controls (§164.312(b))
  • Integrity (§164.312(c)(1)) — mechanism to authenticate ePHI
  • Person or Entity Authentication (§164.312(d))
  • Transmission Security (§164.312(e)(1)) — integrity + encryption

Arkova specifically targets the technical safeguards that produce the most evidence demand: audit controls (§164.312(b)), integrity (§164.312(c)(1)), and encryption (§164.312(a)(2)(iv) + §164.312(e)(2)(ii)). Anchored receipts replace screenshot-and-spreadsheet evidence with cryptographic proof.

Who's in scope

Covered entities, business associates, and most of their downstream chain.

Health Plans

Health insurance issuers, HMOs, Medicare/Medicaid programs, employer-sponsored group health plans, ACA marketplace plans.

Health Care Providers

Hospitals, physicians, dentists, clinics, nursing homes, pharmacies — provided they transmit PHI in electronic form for HIPAA-defined transactions.

Health Care Clearinghouses

Billing services, repricing companies, community health information systems that translate non-standard health data.

Business Associates

Cloud SaaS, EHR vendors, transcription services, accounting firms, IT contractors — anyone creating, receiving, maintaining, or transmitting PHI on behalf of a covered entity. Subject to direct HIPAA liability since HITECH (2009).

What an OCR investigation asks for

Six evidence categories every HIPAA program needs.

  1. Risk analysis + risk-management plan. §164.308(a)(1)(ii)(A) requires an accurate, thorough assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. This is the single most-cited gap in OCR enforcement actions.
  2. Policies + procedures. Documented policies covering each Privacy Rule and Security Rule standard. Required to be reviewed and updated periodically; updates must be evidenced.
  3. Workforce training records. §164.530(b)(1) (Privacy) and §164.308(a)(5) (Security) both require workforce training. Records must show training was provided to all members of the workforce and to new hires within a reasonable period.
  4. Audit-control logs. §164.312(b) requires hardware, software, or procedural mechanisms that record and examine activity in systems containing ePHI. Logs must be retained for at least 6 years (§164.530(j)) and produced on request.
  5. Business Associate Agreements (BAAs). Every third party with access to PHI requires a signed BAA per §164.504(e). Maintenance of an up-to-date BAA register with executed agreements is required for the §164.308(b)(1) standard.
  6. Breach risk assessments + notification timeline. §164.402 requires a four-factor risk assessment to determine whether an impermissible use or disclosure constitutes a reportable breach. Notification timing under §164.404 and §164.408 must be documented from discovery through individual + HHS + (if applicable) media notice.

Why Arkova fits HIPAA particularly well

We can't leak PHI we never received.

Most compliance-evidence platforms are themselves business associates because they ingest PHI to function. Every BAA you sign is one more breach surface, one more vendor to vet, one more audit exposure.

Arkova's architecture is different. Documents are SHA-256 fingerprinted in your browser using the Web Crypto API before anything touches our systems. Only the 64-character hash + structured metadata flow outward. The original PHI stays on your device. Even if our infrastructure were entirely compromised, the attacker would not have any of your PHI — because we never had it.

This isn't a privacy nicety. It's an architectural property that:

  • Substantially shrinks the surface where the Security Rule's encryption and access-control standards apply
  • Reduces the BAA risk of using Arkova versus a vendor that ingests PHI
  • Aligns with the §164.502(b) minimum-necessary standard by design
  • Survives the worst breach scenarios because there is no PHI to breach

Build a HIPAA evidence trail that fits behind your existing BAAs.

If you're a covered entity or business associate looking for PHI evidence that doesn't require Arkova to ever see your documents, we'd like to discuss an early-access pilot.

Arkova is in private beta. Features described on this page are being built and refined with pilot customers right now. Some controls and integrations are live today; others are in active development. Talk to us about the parts most relevant to your workload.
