Heidi Health
Heidi Health Pty Ltd · EFROS US AI Vendor Governance Index entry
Composite governance score
45 (grade D) = thin posture. Deploy only for low-risk, non-regulated workloads under strict scope.
About this vendor
Clinical AI documentation assistant — Australia-headquartered with US market expansion. Used heavily in solo and small-practice deployments due to lower price point.
- Enterprise tier: Heidi Pro, Heidi Together (per-clinician licensing)
- Vendor homepage: https://www.heidihealth.com
Twelve-axis governance scoring
Each axis is scored Yes / Partial / No / N/A against public evidence — vendor trust portals, BAAs/DPAs, SOC 2 report cover pages, published methodology documents. N/A applies when the axis is structurally inapplicable (foundation models, for example, defer Section 1557 to the downstream healthcare deployer).
| Axis | Status | EFROS note | Source |
|---|---|---|---|
| BAA / DPA available | Yes | Heidi signs BAAs for US enterprise customers. | Heidi Security |
| Training-data opt-out | Yes | Heidi states it does not train models on customer encounter data. Confirm the no-train commitment is carried into the signed BAA/DPA, not only the privacy policy. | Heidi Privacy |
| US data residency option | Partial | Heidi offers US-region hosting for US customers. Default configuration may use multi-region infrastructure; explicit US-only residency requires enterprise contract. | Heidi Security |
| SOC 2 Type II report | Partial | Heidi reports SOC 2 audit completion; report distribution via direct enterprise request. | Heidi Security |
| ISO/IEC 42001 attestation | No | No ISO/IEC 42001 attestation as of May 2026. | Public posture review |
| NIST AI RMF self-attestation | No | No public NIST AI RMF self-attestation. Heidi's primary regulatory anchoring is Australian (TGA) given its origin market. | Public posture review |
| Colorado AI Act readiness | No | No Colorado AI Act-specific public statement. | Public posture review |
| HHS-OCR Section 1557 readiness | Partial | Heidi documents general clinical safety; explicit Section 1557 public statement less developed than US-headquartered peers. | Heidi documentation |
| FRB SR 11-7 readiness | N/A | Healthcare-vertical positioning. | Heidi positioning |
| ABA Formal Op 512 readiness | N/A | Healthcare-vertical positioning. | Heidi positioning |
| Subprocessor list public | Partial | Subprocessor information available on request; not self-serve public. | Heidi Security |
Trust-center maturity
Security documentation is present but less mature than that of US-headquartered peers. AI-specific governance for the US market is expanding but trails Abridge, Suki and DAX.
Source: heidihealth.com/security
Deep dive
Overview
Heidi is the price-leader in clinical AI documentation — meaningfully cheaper than DAX Copilot, Abridge, or Suki at small-practice scale. The governance posture reflects the smaller-vendor scale and the Australian origin: BAA available but trust-portal maturity and US-regulatory-specific documentation (Section 1557, Colorado AI Act, NIST AI RMF) are less developed than US-headquartered peers.
Strengths
- BAA-eligible
- Significantly lower price point than US-headquartered peers
- Default no-train
Weaknesses
- Trust portal less mature than US peers
- Section 1557 documentation less developed
- No NIST AI RMF or Colorado AI Act statement
- Explicit US-only residency requires enterprise contract
Best-fit use case
Solo and small practices (1-15 providers) where price sensitivity is high and the governance burden is correspondingly smaller (lower OCR scrutiny than a multi-state health system).
Avoid when
Health systems, hospital networks, or any organization under active OCR Section 1557 scrutiny. The trust-portal maturity gap and weaker public US-regulatory engagement create defensibility risk during audit.
Operator's take
Deploy Heidi Health in solo and small practices (1-15 providers) where price sensitivity is high and the governance burden is correspondingly smaller (lower OCR scrutiny than a multi-state health system). The composite score of 45 (grade D) reflects a thin posture for regulated US workloads. Skip the vendor for health systems, hospital networks, or any organization under active OCR Section 1557 scrutiny: the trust-portal maturity gap and weaker public US-regulatory engagement create defensibility risk during audit. In every deployment, treat the cells above as a snapshot. The acquisition that gets to production safely is the one that re-verifies the trust-center posture before contract signature and rebuilds the matrix at renewal.
How this scoring is computed
The composite score blends the eleven scoreable axes (BAA, training opt-out, US data residency, SOC 2, ISO/IEC 42001, NIST AI RMF, Colorado AI Act, Section 1557, SR 11-7, ABA Op 512, subprocessor transparency) with the trust-center maturity score. Axes marked N/A are excluded from the denominator, so a vendor is not penalized for sector-inapplicable axes. The vendor's primary sector amplifies its most relevant axis: healthcare vendors weight Section 1557 ×2, legal vendors weight ABA Op 512 ×2, banking vendors weight SR 11-7 ×2, so the composite reflects what matters in the actual buying context.
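As an added illustration, not EFROS's own code (the methodology document is not reproduced on this page), the following Python reconstructs the arithmetic described above from the axis table. The point values Yes = 1, Partial = 0.5, No = 0 are an assumption, as is leaving the trust-center maturity blend out; with those assumptions the Heidi table comes to 45, which agrees with the composite shown on this page but is a consistency check, not a statement of the EFROS formula. The `what_if` helper is also added here: it shows how re-scoring a single cell moves the composite, which is the practical question when deciding which evidence to request from the vendor before renewal.

```python
"""Recompute an EFROS-style composite from a Yes/Partial/No/N-A axis table.

Added illustration. Point values and the omission of the trust-center
maturity term are assumptions, not the published EFROS methodology.
"""

# Assumed point values; the page only gives the labels.
POINTS = {"Yes": 1.0, "Partial": 0.5, "No": 0.0}

# Sector weights stated on the page: the sector's anchor axis counts double.
SECTOR_WEIGHT = {
    "healthcare": {"HHS-OCR Section 1557 readiness": 2},
    "legal": {"ABA Formal Op 512 readiness": 2},
    "banking": {"FRB SR 11-7 readiness": 2},
}

# Heidi Health's eleven scoreable axes, transcribed from the table above.
HEIDI_AXES = {
    "BAA / DPA available": "Yes",
    "Training-data opt-out": "Yes",
    "US data residency option": "Partial",
    "SOC 2 Type II report": "Partial",
    "ISO/IEC 42001 attestation": "No",
    "NIST AI RMF self-attestation": "No",
    "Colorado AI Act readiness": "No",
    "HHS-OCR Section 1557 readiness": "Partial",
    "FRB SR 11-7 readiness": "N/A",
    "ABA Formal Op 512 readiness": "N/A",
    "Subprocessor list public": "Partial",
}


def composite_score(axes: dict, sector: str) -> float:
    """Weighted percentage over scoreable axes.

    N/A axes drop out of both numerator and denominator, so a healthcare
    vendor is not penalized for SR 11-7 or ABA Op 512. The sector's anchor
    axis is weighted x2 in both numerator and denominator.
    """
    weights = SECTOR_WEIGHT.get(sector, {})
    earned = 0.0
    possible = 0.0
    for axis, status in axes.items():
        if status == "N/A":
            continue
        if status not in POINTS:
            raise ValueError(f"unexpected status {status!r} on axis {axis!r}")
        w = weights.get(axis, 1)
        earned += w * POINTS[status]
        possible += w
    if possible == 0:
        raise ValueError("no scoreable axes in table")
    return round(100.0 * earned / possible, 1)


def what_if(axes: dict, sector: str, changes: dict) -> float:
    """Composite after re-scoring the given cells, e.g. after a successful challenge."""
    for axis in changes:
        if axis not in axes:
            raise KeyError(f"unknown axis {axis!r}")
    return composite_score({**axes, **changes}, sector)


def score_deltas(axes: dict, sector: str) -> dict:
    """For each non-Yes, non-N/A axis, the composite if that axis became 'Yes'.

    Sorted descending, so the first entries are the cheapest evidence asks
    that move the grade the most.
    """
    base = composite_score(axes, sector)
    deltas = {}
    for axis, status in axes.items():
        if status in ("Yes", "N/A"):
            continue
        deltas[axis] = round(what_if(axes, sector, {axis: "Yes"}) - base, 1)
    return dict(sorted(deltas.items(), key=lambda kv: kv[1], reverse=True))


if __name__ == "__main__":
    print("composite:", composite_score(HEIDI_AXES, "healthcare"))
    for axis, delta in score_deltas(HEIDI_AXES, "healthcare").items():
        print(f"  +{delta:4.1f}  if {axis} -> Yes")
```

Under these assumptions a Section 1557 cell moving from Partial to Yes is worth twice as much to the composite as SOC 2 report distribution moving to Yes, which is the sector weighting doing its job: for a healthcare buyer, the 1557 statement is the evidence to ask for first.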
Disagree with this scoring?
Every cell in the EFROS Index is source-cited, and EFROS publishes the scoring rationale per cell with a public source. If you have a public source showing that a specific axis for Heidi Health should score differently (a new BAA, a new certification, a documented policy change), submit a formal challenge. We re-verify against the source, respond within 14 days, and publish the result with the next quarterly edition (or as a mid-quarter changelog entry if the change is material).
Take the scoring into production
The Index tells you the posture. These engagements turn the posture into a deployable program — vendor selection, governance policy, sector overlay, audit-ready evidence.