What it is
HIPAA — the US Health Insurance Portability and Accountability Act — sets Privacy and Security Rules for protected health information (PHI). There is no HIPAA “certification”; organizations demonstrate compliance by operating the required safeguards and, where they act as a business associate, signing Business Associate Agreements (BAAs). We describe ourselves as HIPAA-aligned — we run those safeguards. We do not claim to be “HIPAA compliant” or “certified.”
The honest framing
Coldstream serves Canadian patients, so our binding obligations are PIPEDA and BC PIPA — met through our data-processing agreement with Google (the Cloud Data Processing Addendum), encryption, and Canadian data residency (see Data protection & residency). HIPAA is a US law; we hold to its safeguards as a rigorous, widely-understood bar and to be ready for US-facing use.
The safeguards we run
- Encryption in transit and at rest, managed by Google Cloud.
- Data stored in Canada (Montréal / Toronto) — see residency.
- HIPAA-eligible services only, with non-eligible analytics disabled.
- Access controls (authenticated, least-privilege) and audit logging of access to sensitive records.
- AI under contract — health information processed by AI runs under our providers’ data-protection terms: Google’s Cloud Data Processing Addendum for Vertex AI, and a Business Associate Agreement with OpenAI (zero-retention).
Business Associate Agreements — where we stand
- OpenAI — BAA in place, with zero data retention. ✅
- Google Cloud — a Google Cloud HIPAA BAA is in progress for US-facing use. Today, our Google/GCP relationship is governed by the Cloud Data Processing Addendum, which is the processor contract underpinning our Canadian obligations.
For US covered entities, a Business Associate Agreement can be arranged — please get in touch.
What we’re doing
Completing the Google Cloud HIPAA BAA for US-readiness, and keeping our covered-services list and provider agreements current. See how responsibilities split in Data protection & residency, and the providers we rely on in Subprocessors.