HHS OCR investigations look at what patients could see on your website at specific points in time. VaultShot creates automated, hash-verified archives of your privacy notices, patient portals, and consent pages.
No credit card required. Free plan available.
- The HIPAA Privacy Rule requires covered entities to post and maintain a Notice of Privacy Practices on their website.
- OCR investigations request evidence of what was displayed to patients on specific dates.
- HIPAA requires retention of policies and notices for 6 years from the date of creation or the last effective date.
- Business associate websites with PHI access must also maintain compliant notices.
Under 45 CFR §164.530(j), covered entities must retain copies of their Notice of Privacy Practices and any required policies for 6 years. OCR frequently reviews website archives during breach investigations and compliance reviews. VaultShot's daily automated captures create the timestamped evidence trail that OCR expects to see.
6 years: HIPAA minimum retention requirement
HIPAA's recordkeeping requirements are deceptively broad when applied to websites. Section 164.530(j) requires covered entities to retain their policies and procedures, including the Notice of Privacy Practices, for six years from the date of creation or the date it was last in effect — whichever is later. Since your website's NPP is always 'in effect' while it's posted, every version must be retained for six years from the date you replaced it. Most healthcare organizations have no idea how many times their privacy notice has changed, let alone whether they retained each version with verifiable timestamps. VaultShot solves this with zero ongoing effort: daily automated captures, SHA-256 integrity hashing, and a searchable archive that goes back to the day you signed up.
OCR investigations triggered by breach reports are where the lack of website archives becomes most painful. When a data breach occurs, OCR investigators examine not just the breach itself but the covered entity's overall compliance posture — and that includes whether the NPP was properly posted and maintained on the website. In Resolution Agreements and Corrective Action Plans, OCR frequently cites the failure to maintain required documentation as a separate violation, adding hundreds of thousands of dollars to the settlement. VaultShot's compliance certificates — each containing a SHA-256 hash, UTC timestamp, and full-page screenshot — provide exactly the documentation OCR expects to see.
The rise of digital health, telehealth platforms, and patient engagement tools has expanded HIPAA's website compliance surface far beyond a simple privacy notice page. Online scheduling systems that collect PHI, patient portal login pages, telehealth consent forms, and even chatbot interfaces all fall under HIPAA's documentation requirements. Each of these pages changes frequently as products evolve, and each change creates a new version that must be retained. VaultShot monitors all of your patient-facing URLs in a single dashboard, capturing every change and generating hash-verified records that your HIPAA Privacy Officer can access in seconds — not the hours or days it takes to reconstruct website history from server logs and content management backups.
Every feature is designed to produce evidence that regulators accept.
Every screenshot is cryptographically hashed at capture time. Any modification — even a single pixel — produces a different hash, proving the file is original.
Screenshots are stored on AWS S3 with WORM-grade immutability. Files cannot be deleted or overwritten — meeting FINRA 17a-4 and SEC requirements.
Set it and forget it. VaultShot captures your website on your schedule — hourly, daily, or weekly — ensuring no gaps in your compliance timeline.
Each capture generates a professional PDF with hash, timestamp, metadata, and screenshot preview — ready to hand directly to auditors or regulators.
Anyone can verify a screenshot's authenticity by uploading it or pasting its hash. Provides instant, independent proof that the file is untampered.
VaultShot automatically detects and dismisses cookie consent banners before capture — ensuring clean, unobstructed screenshots every time.
Same SHA-256 hashing standard. Fraction of the cost.
| Feature | VaultShot — $19/mo | PageFreezer — $500+/mo | Smarsh — $1,000+/mo |
|---|---|---|---|
| SHA-256 Hashing | ✓ | ✓ | ✓ |
| Automated Captures | ✓ | ✓ | ✓ |
| PDF Certificates | ✓ | ✓ | ✓ |
| Self-Service Signup | ✓ | ✗ | ✗ |
| Month-to-Month Billing | ✓ | ✗ | ✗ |
| Setup in Minutes | ✓ | ✗ | ✗ |
| Monthly Price | $19/mo | $500+/mo | $1,000+/mo |
Try the free snapshot tool — no account needed. Or go Pro for $19/mo with daily automated captures, hash verification, and PDF certificates.
No credit card required. Cancel anytime.