Coldstream Informatics

US health-data safeguards

HIPAA-aligned safeguards

Status: Aligned

We operate to HIPAA-grade safeguards for health information. Our binding framework is Canadian (PIPEDA / BC PIPA); a Google Cloud HIPAA BAA is in progress for US-facing use.

What it is

HIPAA — the US Health Insurance Portability and Accountability Act — sets Privacy and Security Rules for protected health information (PHI). There is no HIPAA “certification” (the US Department of Health and Human Services does not issue one); organizations demonstrate compliance by operating the required safeguards and, where they act as a business associate, signing Business Associate Agreements (BAAs). We describe ourselves as HIPAA-aligned because we run those safeguards. We do not claim to be “HIPAA compliant” or “HIPAA certified.”

The honest framing

Coldstream serves Canadian patients, so our binding obligations are PIPEDA and BC PIPA. We address them through our data-processing agreement with Google (the Cloud Data Processing Addendum), encryption, and Canadian data residency (see Data protection & residency). HIPAA is a US law; we hold to its safeguards as a rigorous, widely understood bar and to be ready for US-facing use.

The safeguards we run

Business Associate Agreements — where we stand

For US covered entities, a Business Associate Agreement can be arranged — please get in touch.

What we’re doing

Completing the Google Cloud HIPAA BAA for US-readiness, and keeping our covered-services list and provider agreements current. See how responsibilities split in Data protection & residency, and the providers we rely on in Subprocessors.

Last reviewed 2026-07-04 · Questions? contact@coldstream.info