HIPAA & RTLS in healthcare.
Hospital RTLS deployments routinely touch PHI — sometimes obviously (patient-flow tagging), sometimes incidentally (staff badges that also correlate to assigned patients). HIPAA applies. This is the operator-level summary of what changes in the deployment.
What counts as PHI in an RTLS context
PHI engages whenever location data can be linked to an identifiable patient. Tagging an infusion pump is not PHI. Tagging a patient wristband is.
Tagging staff badges that happen to be assignable to a specific patient at a given time can be PHI by combination. The right architecture choice is: separate the location infrastructure from the patient-identification layer, with controlled joins.
Business Associate Agreements (BAAs)
Any RTLS vendor whose platform stores, processes or transmits PHI on your behalf is a Business Associate and requires a BAA. This includes cloud-hosted RTLS platforms (the majority), managed-service operators, and systems-integrator (SI) partners with platform access.
Vendors who decline to sign a BAA cannot host PHI-linked deployments — that disqualifies a meaningful number of otherwise-strong RTLS suppliers. Verify BAA willingness early.
Minimum necessary and role-based access
HIPAA's minimum-necessary rule means clinical staff should see only the location data they need for their role. Nurses see patient flow on their unit; biomed sees equipment location; security sees zone access; nobody routinely sees everything.
This requires role-based access at the platform layer with audit logging. Default vendor configurations rarely implement this well — it's a stage 1 design decision.
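The separation described above (location infrastructure kept apart from the patient-identification layer, joined only under role-based control with every PHI read audited) can be sketched as follows. This is an added illustration, not code from any RTLS vendor or from this page; the tag ids, MRNs, units and role names are constructed sample values.

```python
from dataclasses import dataclass

# Constructed sample data for illustration, not from any real deployment.
# Layer 1: the location infrastructure knows only opaque tag ids and zones.
TAG_LOCATIONS = {
    "TAG-0001": ("4W", "Room 412"),   # patient wristband
    "TAG-0002": ("4W", "Room 415"),   # patient wristband
    "TAG-0003": ("ICU", "Bay 3"),     # patient wristband
    "TAG-0100": ("4W", "Supply"),     # infusion pump, not PHI on its own
}
# Layer 2: the patient-identification layer, stored and joined separately.
TAG_PATIENTS = {"TAG-0001": "MRN-A1", "TAG-0002": "MRN-B2", "TAG-0003": "MRN-C3"}
TAG_ASSETS = {"TAG-0100": "Pump #17"}

AUDIT_LOG = []  # every PHI access lands here; retain per state law

@dataclass(frozen=True)
class User:
    name: str
    role: str            # "nurse", "biomed" or "security"
    units: frozenset     # units the user is assigned to (minimum necessary)

def audit(user, action, tag, phi):
    AUDIT_LOG.append({"user": user.name, "role": user.role,
                      "action": action, "tag": tag, "phi": phi})

def locate_patients(user):
    """Controlled join: nurses only, own units only, each PHI read audited."""
    if user.role != "nurse":
        audit(user, "denied_patient_join", None, phi=False)
        raise PermissionError(f"role {user.role} may not join location to identity")
    found = {}
    for tag, (unit, place) in TAG_LOCATIONS.items():
        if tag not in TAG_PATIENTS or unit not in user.units:
            continue                      # not a patient tag, or not this nurse's unit
        found[TAG_PATIENTS[tag]] = place
        audit(user, "read_patient_location", tag, phi=True)
    return found

def locate_assets(user):
    """Equipment view: never touches TAG_PATIENTS, so no PHI leaves the call."""
    if user.role != "biomed":
        raise PermissionError(f"role {user.role} has no equipment view")
    return {TAG_ASSETS[t]: loc for t, loc in TAG_LOCATIONS.items() if t in TAG_ASSETS}
```

A nurse assigned to 4W sees only 4W patients and generates one audit entry per patient located; the biomed view never performs the join at all.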
Encryption, audit and breach response
PHI in RTLS systems must be encrypted in transit (TLS 1.2+) and at rest (AES-256). Audit logs must capture every PHI access and be retained per state law (typically 6 years).
Breach response — including the 60-day notification window — must be covered by a standard operating procedure (SOP). We design the security and breach-response SOPs as part of stage 1 / stage 3 deliverables, jointly with your privacy office.
Frequently asked questions
Can we deploy an RTLS system that doesn't touch PHI at all?
Yes, for equipment-only deployments. Tag pumps, beds and wheelchairs, not patients or staff badges, and the system is out of HIPAA scope. This is the easiest path for biomed/equipment-utilisation programmes.
Which RTLS vendors will sign a BAA?
Most enterprise healthcare-RTLS vendors will (Stanley Healthcare, CenTrak, Sonitor, Kontakt.io, Aruba, Cisco). Some industrial vendors won't — they're not in this market. We verify BAA-willingness during vendor shortlisting in stage 1.
How is hand-hygiene compliance reporting handled under HIPAA?
Carefully. Aggregate compliance reporting at unit or shift level is generally outside HIPAA.
Individual staff compliance, attributable to a named clinician treating a named patient, can engage HIPAA depending on context. Most programmes report at unit level for both HIPAA and labour-relations reasons.
Do we need an OCR-style audit pack?
Recommended. We assemble a deployment audit pack covering risk assessment, technical controls, training records, BAA inventory, breach-response SOP and ongoing-monitoring evidence. Updated annually or on material change.