What this site is — and isn't.

Not legal advice. The playbooks, regulatory grid, and self-check on this site are general guidance for small clinical practices. Nothing here is legal advice and nothing here substitutes for guidance from counsel, your privacy officer, your cyber insurer, or your medical-board licensing authority.

No Business Associate relationship is created by reading this site. A Business Associate Agreement (BAA) between HackFirstAid Medical and a covered entity is only formed in writing, signed by both parties, as part of a paid engagement. Reading playbooks, taking the self-check, or browsing the regulatory grid does not create a BAA.

We do not store customer PHI. Our work is advisory, training, and incident response. All patient data stays on the practice's systems. The self-check on this site runs entirely in your browser — answers are not transmitted to us.

If you have an active breach, call your privacy officer, your cyber insurer, and your counsel first. Then talk to us — but the legal and insurer relationships are the gating ones.

Jurisdiction. Specific state, provincial, and country laws may impose stricter requirements than the federal baselines referenced on this site. Always confirm the applicable timeline and threshold with counsel familiar with your jurisdiction.