Healthcare AI · Primary sector: Healthcare

Heidi Health

Heidi Health Pty Ltd · EFROS US AI Vendor Governance Index entry

By Stefan Efros, CEO & Founder, EFROS

Composite governance score

45 / 100 · Grade D

D = thin posture. Deploy only for low-risk, non-regulated workloads under strict scope.

Axes scored: 9 / 11
Trust-center maturity: 2 / 5
Sector weighting: Healthcare

About this vendor

Clinical AI documentation assistant. Australia-headquartered with US market expansion. Used heavily in solo and small-practice deployments due to lower price point.

Enterprise tier
Heidi Pro, Heidi Together (per-clinician licensing)

Twelve-axis governance scoring

Each axis is scored Yes / Partial / No / N/A against public evidence — vendor trust portals, BAAs/DPAs, SOC 2 report cover pages, published methodology documents. N/A applies when the axis is structurally inapplicable (foundation models, for example, defer Section 1557 to the downstream healthcare deployer).

Axis | Status | EFROS note | Source
BAA / DPA available | Yes | Heidi signs BAAs for US enterprise customers. | Heidi Security
Training-data opt-out | Yes | Heidi does not train models on customer encounter data. | Heidi Privacy
US data residency option | Partial | Heidi offers US-region hosting for US customers. Default configuration may use multi-region infrastructure; explicit US-only residency requires an enterprise contract. | Heidi Security
SOC 2 Type II report | Partial | Heidi reports SOC 2 audit completion; report distributed on direct enterprise request. | Heidi Security
ISO/IEC 42001 attestation | No | No ISO/IEC 42001 attestation as of May 2026. | Public posture review
NIST AI RMF self-attestation | No | No public NIST AI RMF self-attestation. Heidi's primary regulatory anchoring is Australian (TGA) given its origin market. | Public posture review
Colorado AI Act readiness | No | No Colorado AI Act-specific public statement. | Public posture review
HHS-OCR Section 1557 readiness | Partial | Heidi documents general clinical safety; its explicit Section 1557 public statement is less developed than US-headquartered peers'. | Heidi documentation
FRB SR 11-7 readiness | N/A | Healthcare-vertical positioning. | Heidi positioning
ABA Formal Op 512 readiness | N/A | Healthcare-vertical positioning. | Heidi positioning
Subprocessor list public | Partial | Subprocessor information available on request; not self-serve public. | Heidi Security

Trust-center maturity

2 / 5

Security documentation present but less mature than US-headquartered peers. AI-specific governance for US market expanding but behind Abridge / Suki / DAX.

Source: heidihealth.com/security

Deep dive

Overview

Heidi is the price-leader in clinical AI documentation, meaningfully cheaper than DAX Copilot, Abridge, or Suki at small-practice scale. The governance posture reflects the smaller-vendor scale and the Australian origin: BAA available but trust-portal maturity and US-regulatory-specific documentation (Section 1557, Colorado AI Act, NIST AI RMF) are less developed than US-headquartered peers.

Strengths

  • BAA-eligible
  • Lower price point than US-headquartered peers
  • Default no-train

Weaknesses

  • Trust portal less mature than US peers
  • Section 1557 documentation less developed
  • No NIST AI RMF or Colorado AI Act statement
  • Explicit US-only residency requires enterprise contract

Best-fit use case

Solo and small practices (1-15 providers) where price sensitivity is high and the governance burden is correspondingly smaller (lower OCR scrutiny than a multi-state health system).

Avoid when

Health systems, hospital networks, or any organization under active OCR Section 1557 scrutiny. The trust-portal maturity gap and weaker public US-regulatory engagement create defensibility risk during audit.

Operator's take

Deploy Heidi Health in solo and small practices (1-15 providers) where price sensitivity is high and the governance burden is correspondingly smaller (lower OCR scrutiny than a multi-state health system). The composite score of 45 (grade D) reflects a mixed posture for regulated US workloads. Skip the vendor for health systems, hospital networks, or any organization under active OCR Section 1557 scrutiny: the trust-portal maturity gap and weaker public US-regulatory engagement create defensibility risk during audit. In every deployment, treat the cells above as a snapshot. The acquisition that gets to production safely is the one that re-verifies the trust-center posture before contract signature and rebuilds the matrix at renewal.

How this scoring is computed

The composite score blends eleven scoreable axes (BAA, training opt-out, US data residency, SOC 2, ISO/IEC 42001, NIST AI RMF, Colorado AI Act, Section 1557, SR 11-7, ABA Op 512, subprocessor transparency) with the trust-center maturity score. Axes marked N/A are excluded from the denominator so vendors are not penalized for sector-inapplicable axes. The vendor's primary sector amplifies the most relevant axes — healthcare vendors weight Section 1557 ×2, legal vendors weight ABA Op 512 ×2, banking vendors weight SR 11-7 ×2 — so the composite reflects what matters in the actual buying context.
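The two mechanics in that paragraph, N/A exclusion from the denominator and the ×2 sector amplifier, are the parts of the method a buyer can re-run at renewal. The following is an added worked example, not EFROS's published scoring code: it transcribes the Heidi cells from the table above and re-scores them. The numeric values for Yes / Partial / No (1.0 / 0.5 / 0.0) are an assumption, since the page does not state them, and the blend with the trust-center maturity score is unspecified and therefore not modeled; under those assumptions the axis portion lands on 45 for this table, which is a coincidence check, not confirmation of the published formula.

```python
"""Re-score an EFROS-style governance matrix at renewal.

Added example, not EFROS's code. Assumed (not stated on the page):
Yes=1.0, Partial=0.5, No=0.0. The trust-center maturity blend is not
modeled; only the axis portion of the composite is computed here.
"""
from __future__ import annotations

STATUS_VALUE = {"Yes": 1.0, "Partial": 0.5, "No": 0.0}  # assumed mapping

# Sector amplifiers as stated on the page: the anchoring axis counts double.
SECTOR_WEIGHT = {
    "Healthcare": {"Section 1557": 2},
    "Legal": {"ABA Op 512": 2},
    "Banking": {"SR 11-7": 2},
}

# Heidi Health's cells transcribed from the table above (May 2026 snapshot).
HEIDI_AXES = {
    "BAA / DPA": "Yes",
    "Training opt-out": "Yes",
    "US data residency": "Partial",
    "SOC 2 Type II": "Partial",
    "ISO/IEC 42001": "No",
    "NIST AI RMF": "No",
    "Colorado AI Act": "No",
    "Section 1557": "Partial",
    "SR 11-7": "N/A",
    "ABA Op 512": "N/A",
    "Subprocessor list": "Partial",
}


def axis_score(axes: dict[str, str], sector: str, exclude_na: bool = True) -> float:
    """Weighted percentage over the scoreable axes.

    With exclude_na=True (the page's rule) an N/A axis leaves both numerator
    and denominator. With exclude_na=False it stays in the denominator as a
    zero, which shows the penalty the rule is there to avoid.
    """
    weights = SECTOR_WEIGHT.get(sector, {})
    num = den = 0.0
    for axis, status in axes.items():
        w = weights.get(axis, 1)
        if status == "N/A":
            if not exclude_na:
                den += w
            continue
        if status not in STATUS_VALUE:
            raise ValueError(f"unknown status {status!r} on axis {axis!r}")
        num += STATUS_VALUE[status] * w
        den += w
    if den == 0:
        raise ValueError("no scoreable axes")
    return round(100 * num / den, 1)


def scored_axes(axes: dict[str, str]) -> tuple[int, int]:
    """(scored, total), the pair shown in the 'Axes scored' cell."""
    total = len(axes)
    return total - sum(1 for s in axes.values() if s == "N/A"), total


def changed_cells(snapshot: dict[str, str], renewal: dict[str, str]) -> dict[str, tuple[str, str]]:
    """Cells whose status moved between the contract-time snapshot and the renewal re-verify."""
    return {
        axis: (snapshot.get(axis, "N/A"), status)
        for axis, status in renewal.items()
        if snapshot.get(axis, "N/A") != status
    }


if __name__ == "__main__":
    print("axes scored:", scored_axes(HEIDI_AXES))
    print("axis score, N/A excluded:", axis_score(HEIDI_AXES, "Healthcare"))
    print("axis score, N/A counted as zero:", axis_score(HEIDI_AXES, "Healthcare", exclude_na=False))
    # Hypothetical renewal: the vendor publishes an ISO/IEC 42001 attestation.
    renewal = dict(HEIDI_AXES, **{"ISO/IEC 42001": "Yes"})
    print("changed at renewal:", changed_cells(HEIDI_AXES, renewal))
    print("re-scored:", axis_score(renewal, "Healthcare"))
```

Running it shows the denominator effect directly: the same cells score 45.0 with the two N/A axes excluded and 37.5 with them counted as zeros, and a single cell flipping from No to Yes at renewal moves the axis portion by ten points. Swap in your own transcription of a vendor's trust center to get a like-for-like number before signature.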

Read the full methodology →

Disagree with this scoring?

Every cell in the EFROS Index is source-cited, and EFROS publishes the scoring rationale per cell with its public source. If you have evidence that a specific axis should score differently (a new BAA, a new certification, a documented policy change, or a public source that contradicts a score for Heidi Health), submit a formal challenge below. We re-verify against the source and respond within 14 days; the re-score is published with the next quarterly edition, or as a mid-quarter changelog entry if the change is material.

Disclaimer. Scoring as of 2026-05-13. Posture changes frequently — re-verify with the vendor's trust center before contract. This page is informational; it is not legal advice. EFROS clients get a refreshed posture review as part of the AI Governance Audit.

Take the scoring into production

The Index tells you the posture. These engagements turn the posture into a deployable program — vendor selection, governance policy, sector overlay, audit-ready evidence.