Services

The build is the product. Everything else protects it.

Compliance is the reason to call us and the spine of everything we ship. Around it, a short list of things we do well for healthcare, and a clear list of things we don't.

Two audits, and they are not the same thing

One tells you that you might be exposed. The other proves it, and closes it.

Do you possibly have a breach?

Free liability audit

Free

We scan what anyone on the internet can see: your live site, its forms, where a submission actually goes, and the third-party scripts riding along on it. All we need is your URL.

Publicly available information only. No access required.

It cannot see inside your hosting, your email, your CMS, or your agreements, so it cannot confirm everything. It tells you where to worry.

Yes, you have a breach. Here is how we close it.

Compliance Audit

Starting at $500, credited toward a build

The real audit. We work inside your systems: hosting, email, CMS, domain registrar, form processors, analytics, and the agreements behind all of them. We confirm what is actually exposed, document it, and hand you the plan to fix it.

Requires access to your systems. We cannot audit what we cannot see.

We sign the Business Associate Agreement before we are given a single credential.

This is the one you can hand to your counsel, and the fee comes off the build.

Core services

01The audit

Compliance Audit

Starting at $500

The deep audit, and the one that proves it. We work inside your systems: hosting, email, CMS, domain registrar, form processors, and the agreements behind them. We confirm what is actually exposed and document exactly how to close it. Credited toward a build.

What’s included

  • A review from inside your systems: hosting, email provider, CMS, and domain registrar
  • Every form and intake path traced end to end, including where a submission actually lands
  • An inventory of the third parties already running on your site, and the agreements behind them, or the ones missing
  • Your confirmed exposure in writing, in plain English, in a document you can hand to your counsel
  • The mitigation plan, a walkthrough with the engineers who ran it, and the fee credited toward a build

02The build

The Failsafe Build

Starting at $7,500

A fast, modern site on our vetted stack. Intake is captured in our HIPAA-compliant datastore, the BAA chain is executed end to end, and your email provider is secured too. Engineered to be found by search and by AI.

What’s included

  • Design and built on a decoupled, hardened stack, nothing bolted on
  • Intake captured in our HIPAA-compliant datastore, so your website never becomes the place patient data lives
  • Your email provider secured under a BAA: Google Workspace, Microsoft 365, and others
  • The BAA chain executed end to end and signed before a single patient sees the site
  • Structured for search and for the assistants patients now ask first
  • Built to WCAG standards, keyboard to screen reader

The Failsafe Build runs on our platform. An active Compliance Shield is required: it is the hosting, the datastore, and the Business Associate Agreement your site depends on. Without it there is no compliant path for patient data, and no agreement covering it.

03The shield

Compliance Shield

Starting at $350/mo

Managed hosting and your server are included, so there is no separate hosting bill to run. Our scanner runs on every deploy, we hold the BAA chain of custody, and we stand as your technical contact if you’re ever audited.

What’s included

  • Managed hosting and your server, included. No separate hosting bill to run
  • Our scanner runs on every deploy, before a change ever reaches a patient
  • We hold the BAA chain of custody and keep it current as your vendors change
  • We stand as your technical contact if you are ever audited
  • Patches, uptime, and a standing re-check of your data paths

The three biggest HIPAA hosting providers charge an average of $373 a month for the hosting alone, before anyone patches a dependency, scans a deploy, or signs a BAA for the web layer. The Shield is $350, hosting included. It is not a line item on your bill. It is the bill. See the three plans we compared.

What you are actually buying

The website we build is HIPAA-compliant, and we sign the BAA that says so.

What we cover

Every form, every intake path, every place patient data moves because of your site. It is encrypted, it is held in a HIPAA-covered datastore, and it is delivered to a mailbox we bring under a signed Business Associate Agreement. Covered end to end, with our name on the agreement.

Why the BAA is the point

A certification is a vendor telling you they passed an audit. A Business Associate Agreement is a vendor taking on direct liability under HIPAA for the data they handle. Most web agencies will not sign one, and some of the ones that do have not read it. We sign it, and we mean it.

What we do not cover

Your front desk. Your EHR. Your staff training. Your risk analysis. No website covers those, and a vendor who tells you that buying a website makes your practice compliant is a vendor you should not hire.

AI readiness

If the AI can't read your site, it recommends someone else.

For the searches that bring practices patients, the treatments and procedures people actually look for, Google now returns an AI answer almost every time. Being the source it reads is the highest-value visibility play in healthcare right now.

~100%
of treatment and procedure searches now return an AI answer
93%
of symptoms and conditions searches
51%
of all healthcare searches, the highest of any industry

WebFX, 130,070 health queries (2025); BrightEdge Generative Parser, December 2025 snapshot. Verified 2026-07-12.

Additional services

Around the build.

Each of these only works because the build underneath it is contained. We take them on for practices we build for.

Paid ads for medical

Google and Meta campaigns run inside the health-vertical rulesets: the restricted-category and targeting limits that make most agencies overspend or tell you that you cannot advertise at all. You can. We do it, and we do it without leaking a thing.

Visibility: SEO and AI/GEO

Built to be found by search and by the assistants patients now ask first. Structured so Google and ChatGPT can actually read and recommend your practice.

Why this is urgent now

Compliant analytics and tracking

A standard Google Analytics or Meta Pixel on a health site quietly ships protected information to third parties, which the OCR has flagged directly. We set up server-side, de-identified, BAA-covered tracking. It is also the thing that makes your ad spend measurable.

Accessibility (ADA / WCAG)

Audit and remediation to WCAG standards. The same discipline that keeps you ADA-clear, and one more legal exposure closed.

Compliant migration

We move you off a non-compliant setup onto our vetted stack. Not a lift-and-shift of the holes, a rebuild that closes them. We will not put our BAA behind a site we did not build.

Honest scope

What we don't do.

The limits are the product too. A studio that will not name them is a studio you cannot hold to anything.

We don't monitor, patch, or babysit a site we didn't build.

Compliance lives in the architecture, so every engagement is a build onto our vetted platforms. It is the only way we can put our name on it.

We don't build or run patient portals, EHRs, or EMRs.

We will help you connect a compliant one, or stand up intake and scheduling on a BAA-covered platform, at a fixed rate.

We don't put patient data on your web host.

Even if you ask us to. That is the whole point.

We won't run ads or analytics that leak PHI.

If compliant tracking cannot be set up for your case, we tell you. We do not fake it.

We're not a law firm.

We handle the web and marketing layer and sign the BAA for it. Your broader HIPAA program stays with you and your counsel.

We make your website and its patient-data flows compliant, and we sign the BAA that covers them. Your practice’s broader HIPAA program stays yours. We handle the part that lives on the web. We’re engineers, not attorneys, and we’ll tell you when to loop in counsel.

If you leave

You’re not locked in, and we don’t hold your site hostage.

The compliant platform is a service, so it ends when the engagement ends. Here is exactly what happens, in order, so none of it is a surprise on the day it matters.

Your engagement letter and the BAA govern the details. Nothing on this page is the contract.

The BAA ends first

Before anything is moved or shut down, the Business Associate Agreement terminates. The protected path we were accountable for stops being ours from that point forward.

Patient data is destroyed

Everything sitting in our datastore is destroyed, as the agreement requires. We do not keep a copy. We never wanted one.

Our services stop

Hosting, the datastore, and the email relay are ours, so they come down with the agreement. They were the service, not the deliverable.

You get your work, within 30 days

We release the full codebase for your website and every non-PHI asset that belongs to you, so you can take it to another provider. We are not going to hold your files for ransom.

Start with the audit

See what your site is exposing.

It takes a few minutes and costs nothing. If we find a gap, we’ll show you exactly where, and finding one doesn’t mean you did anything wrong. These get installed by default, by tools that never warned you.

Free · public information only · no access to your systems