diff --git a/apps/api/package.json b/apps/api/package.json
index 23f23bfa68..39307a69a2 100644
--- a/apps/api/package.json
+++ b/apps/api/package.json
@@ -83,7 +83,7 @@
         "eslint": "^9.18.0",
         "eslint-config-prettier": "^10.0.1",
         "eslint-plugin-prettier": "^5.2.2",
-        "globals": "^16.0.0",
+        "globals": "^17.3.0",
         "jest": "^30.0.0",
         "prettier": "^3.5.3",
         "source-map-support": "^0.5.21",
diff --git a/apps/api/src/email/templates/hipaa-training-completed.tsx b/apps/api/src/email/templates/hipaa-training-completed.tsx
new file mode 100644
index 0000000000..3a220a500f
--- /dev/null
+++ b/apps/api/src/email/templates/hipaa-training-completed.tsx
@@ -0,0 +1,116 @@
+import {
+  Body,
+  Container,
+  Font,
+  Heading,
+  Html,
+  Preview,
+  Section,
+  Tailwind,
+  Text,
+} from '@react-email/components';
+import { Footer } from '../components/footer';
+import { Logo } from '../components/logo';
+
+interface Props {
+  email: string;
+  userName: string;
+  organizationName: string;
+  completedAt: Date;
+}
+
+export const HipaaTrainingCompletedEmail = ({
+  email,
+  userName,
+  organizationName,
+  completedAt,
+}: Props) => {
+  const formattedDate = new Date(completedAt).toLocaleDateString('en-US', {
+    year: 'numeric',
+    month: 'long',
+    day: 'numeric',
+  });
+
+  return (
+    <Html>
+      <Tailwind>
+        <head>
+          <Font
+            fontFamily="Geist"
+            fallbackFontFamily="Helvetica"
+            fontWeight={400}
+            fontStyle="normal"
+          />
+          <Font
+            fontFamily="Geist"
+            fallbackFontFamily="Helvetica"
+            fontWeight={500}
+            fontStyle="normal"
+          />
+        </head>
+        <Preview>
+          Congratulations! You've completed your HIPAA Security Awareness
+          Training
+        </Preview>
+
+        <Body className="mx-auto my-auto bg-[#fff] font-sans">
+          <Container
+            className="mx-auto my-[40px] max-w-[600px] border-transparent p-[20px] md:border-[#E8E7E1]"
+            style={{ borderStyle: 'solid', borderWidth: 1 }}
+          >
+            <Logo />
+            <Heading className="mx-0 my-[30px] p-0 text-center text-[24px] font-normal text-[#121212]">
+              HIPAA Training Complete!
+            </Heading>
+
+            <Text className="text-[14px] leading-[24px] text-[#121212]">
+              Hi {userName},
+            </Text>
+
+            <Text className="text-[14px] leading-[24px] text-[#121212]">
+              Congratulations! You have successfully completed the HIPAA
+              Security Awareness Training for{' '}
+              <strong>{organizationName}</strong>.
+            </Text>
+
+            <Section
+              className="mt-[24px] mb-[24px] rounded-[8px] p-[24px] text-center"
+              style={{
+                backgroundColor: '#f0fdf4',
+                border: '1px solid #bbf7d0',
+              }}
+            >
+              <Text className="m-0 text-[16px] font-medium text-[#166534]">
+                Completion Date: {formattedDate}
+              </Text>
+            </Section>
+
+            <Text className="text-[14px] leading-[24px] text-[#121212]">
+              Your HIPAA training completion certificate is attached to this
+              email. Please save it for your records.
+            </Text>
+
+            <Text className="text-[14px] leading-[24px] text-[#121212]">
+              Thank you for your commitment to protecting PHI and maintaining
+              HIPAA compliance at {organizationName}.
+            </Text>
+
+            <br />
+            <Section>
+              <Text className="text-[12px] leading-[24px] text-[#666666]">
+                This notification was intended for{' '}
+                <span className="text-[#121212]">{email}</span>.
+              </Text>
+            </Section>
+
+            <br />
+
+            <Footer />
+          </Container>
+        </Body>
+      </Tailwind>
+    </Html>
+  );
+};
+
+export default HipaaTrainingCompletedEmail;
diff --git a/apps/api/src/frameworks/frameworks-scores.helper.ts b/apps/api/src/frameworks/frameworks-scores.helper.ts
index eb164b80e7..72a213437c 100644
--- a/apps/api/src/frameworks/frameworks-scores.helper.ts
+++ b/apps/api/src/frameworks/frameworks-scores.helper.ts
@@ -9,10 +9,11 @@ import { filterComplianceMembers } from '../utils/compliance-filters';
 
 const SIX_MONTHS_MS = 6 * 30 * 24 * 60 * 60 * 1000;
 
-const TRAINING_VIDEO_IDS = ['sat-1', 'sat-2', 'sat-3', 'sat-4', 'sat-5'];
+const GENERAL_TRAINING_IDS = ['sat-1', 'sat-2', 'sat-3', 'sat-4', 'sat-5'];
+const HIPAA_TRAINING_ID = 'hipaa-sat-1';
 
 export async function getOverviewScores(organizationId: string) {
-  const [allPolicies, allTasks, employees, onboarding, org] = await Promise.all([
+  const [allPolicies, allTasks, employees, onboarding, org, hipaaInstance] = await Promise.all([
     db.policy.findMany({ where: { organizationId } }),
     db.task.findMany({ where: { organizationId } }),
     db.member.findMany({
@@ -27,9 +28,14 @@ export async function getOverviewScores(organizationId: string) {
       where: { id: organizationId },
       select: { securityTrainingStepEnabled: true },
     }),
+    db.frameworkInstance.findFirst({
+      where: { organizationId, framework: { name: 'HIPAA' } },
+      select: { id: true },
+    }),
   ]);
 
   const securityTrainingStepEnabled = org?.securityTrainingStepEnabled === true;
+  const hasHipaaFramework = !!hipaaInstance;
 
   // Policy breakdown
   const publishedPolicies = allPolicies.filter((p) => p.status === 'published');
@@ -60,9 +66,12 @@ export async function getOverviewScores(organizationId: string) {
         p.isRequiredToSign && p.status === 'published' && !p.isArchived,
     );
 
-    const trainingCompletions = securityTrainingStepEnabled
+    const memberIds = activeEmployees.map((e) => e.id);
+    const needsCompletions = securityTrainingStepEnabled || hasHipaaFramework;
+
+    const trainingCompletions = needsCompletions
       ? await db.employeeTrainingVideoCompletion.findMany({
-          where: { memberId: { in: activeEmployees.map((e) => e.id) } },
+          where: { memberId: { in: memberIds } },
         })
       : [];
 
@@ -71,21 +80,19 @@ export async function getOverviewScores(organizationId: string) {
         requiredPolicies.length === 0 ||
         requiredPolicies.every((p) => p.signedBy.includes(emp.id));
 
+      const completedVideoIds = trainingCompletions
+        .filter((c) => c.memberId === emp.id && c.completedAt !== null)
+        .map((c) => c.videoId);
+
       const hasCompletedAllTraining = securityTrainingStepEnabled
-        ? (() => {
-            const empCompletions = trainingCompletions.filter(
-              (c) => c.memberId === emp.id,
-            );
-            const completedVideoIds = empCompletions
-              .filter((c) => c.completedAt !== null)
-              .map((c) => c.videoId);
-            return TRAINING_VIDEO_IDS.every((vid) =>
-              completedVideoIds.includes(vid),
-            );
-          })()
+        ? GENERAL_TRAINING_IDS.every((vid) => completedVideoIds.includes(vid))
+        : true;
+
+      const hasCompletedHipaa = hasHipaaFramework
+        ? completedVideoIds.includes(HIPAA_TRAINING_ID)
         : true;
 
-      if (hasAcceptedAllPolicies && hasCompletedAllTraining) {
+      if (hasAcceptedAllPolicies && hasCompletedAllTraining && hasCompletedHipaa) {
         completedMembers++;
       }
     }
diff --git a/apps/api/src/people/dto/people-responses.dto.ts b/apps/api/src/people/dto/people-responses.dto.ts
index a87ab60e33..1b3d206935 100644
--- a/apps/api/src/people/dto/people-responses.dto.ts
+++ b/apps/api/src/people/dto/people-responses.dto.ts
@@ -111,6 +111,12 @@ export class PeopleResponseDto {
   })
   isActive: boolean;
 
+  @ApiProperty({
+    description: 'Whether member is deactivated',
+    example: false,
+  })
+  deactivated: boolean;
+
   @ApiProperty({
     description: 'FleetDM label ID for member devices',
     example: 123,
diff --git a/apps/api/src/people/people-invite.service.ts b/apps/api/src/people/people-invite.service.ts
index 2a51e67f16..5a55212ce6 100644
--- a/apps/api/src/people/people-invite.service.ts
+++ b/apps/api/src/people/people-invite.service.ts
@@ -155,9 +155,8 @@ export class PeopleInviteService {
       isNewMember = true;
     }
 
-    // Create training video entries for new members
     if (member && isNewMember) {
-      await this.createTrainingVideoEntries(member.id);
+      await this.createTrainingVideoEntries(member.id, organizationId);
     }
 
     // Send invite email (non-fatal)
@@ -280,10 +279,22 @@ export class PeopleInviteService {
     });
   }
 
-  private async createTrainingVideoEntries(memberId: string): Promise<void> {
-    // Training videos are defined in the app; we create entries for known video IDs
+  private async createTrainingVideoEntries(
+    memberId: string,
+    organizationId?: string,
+  ): Promise<void> {
     const trainingVideoIds = ['sat-1', 'sat-2', 'sat-3', 'sat-4', 'sat-5'];
 
+    if (organizationId) {
+      const hipaaInstance = await db.frameworkInstance.findFirst({
+        where: { organizationId, framework: { name: 'HIPAA' } },
+        select: { id: true },
+      });
+      if (hipaaInstance) {
+        trainingVideoIds.push('hipaa-sat-1');
+      }
+    }
+
     await db.employeeTrainingVideoCompletion.createMany({
       data: trainingVideoIds.map((videoId) => ({
         memberId,
diff --git a/apps/api/src/people/people.controller.spec.ts b/apps/api/src/people/people.controller.spec.ts
index 11f3769910..c7111a8b53 100644
--- a/apps/api/src/people/people.controller.spec.ts
+++ b/apps/api/src/people/people.controller.spec.ts
@@ -103,6 +103,17 @@ describe('PeopleController', () => {
       );
     });
 
+    it('should pass includeDeactivated=true to the service', async () => {
+      mockPeopleService.findAllByOrganization.mockResolvedValue([]);
+
+      await controller.getAllPeople('org_123', mockAuthContext, 'true');
+
+      expect(peopleService.findAllByOrganization).toHaveBeenCalledWith(
+        'org_123',
+        true,
+      );
+    });
+
     it('should not include authenticatedUser when userId is missing', async () => {
       const apiKeyContext: AuthContext = {
         ...mockAuthContext,
diff --git a/apps/api/src/people/utils/member-queries.ts b/apps/api/src/people/utils/member-queries.ts
index 09fc99c605..a6683a3974 100644
--- a/apps/api/src/people/utils/member-queries.ts
+++ b/apps/api/src/people/utils/member-queries.ts
@@ -19,6 +19,7 @@ export class MemberQueries {
     department: true,
     jobTitle: true,
     isActive: true,
+    deactivated: true,
     fleetDmLabelId: true,
     user: {
       select: {
diff --git a/apps/api/src/tasks/description-framework-filter.spec.ts b/apps/api/src/tasks/description-framework-filter.spec.ts
new file mode 100644
index 0000000000..2890fde9f2
--- /dev/null
+++ b/apps/api/src/tasks/description-framework-filter.spec.ts
@@ -0,0 +1,146 @@
+import { filterDescriptionByFrameworks } from './description-framework-filter';
+
+describe('filterDescriptionByFrameworks', () => {
+  it('returns the description unchanged when no active frameworks are provided', () => {
+    const desc =
+      'General task.\n\nFor ISO 27001: Store NDA evidence.\n\nFor PCI: Document checks.';
+    expect(filterDescriptionByFrameworks(desc, [])).toBe(desc);
+  });
+
+  it('returns empty string for empty description', () => {
+    expect(filterDescriptionByFrameworks('', ['SOC 2'])).toBe('');
+  });
+
+  it('keeps paragraphs that match an active framework', () => {
+    const desc =
+      'Maintain a list.\n\nFor ISO 27001: Store NDA evidence.\n\nFor PCI: Document checks.';
+    const result = filterDescriptionByFrameworks(desc, ['ISO 27001']);
+    expect(result).toContain('Maintain a list.');
+    expect(result).toContain('For ISO 27001: Store NDA evidence.');
+    expect(result).not.toContain('For PCI');
+  });
+
+  it('removes paragraphs for inactive frameworks', () => {
+    const desc =
+      'General description.\n\nFor HIPAA: Know which devices hold patient data.\n\nFor GDPR: Document lawful basis.';
+    const result = filterDescriptionByFrameworks(desc, ['SOC 2']);
+    expect(result).toBe('General description.');
+  });
+
+  it('keeps all framework paragraphs when all are active', () => {
+    const desc =
+      'Base task.\n\nFor ISO 27001: ISO requirement.\n\nFor HIPAA: HIPAA requirement.';
+    const result = filterDescriptionByFrameworks(desc, [
+      'ISO 27001',
+      'HIPAA',
+    ]);
+    expect(result).toContain('For ISO 27001');
+    expect(result).toContain('For HIPAA');
+    expect(result).toContain('Base task.');
+  });
+
+  it('handles alias matching (e.g. "PCI" matches "PCI DSS")', () => {
+    const desc =
+      'Base.\n\nFor PCI: PCI-specific info.\n\nFor ISO 27001: ISO info.';
+    const result = filterDescriptionByFrameworks(desc, ['PCI DSS']);
+    expect(result).toContain('For PCI');
+    expect(result).not.toContain('For ISO 27001');
+  });
+
+  it('handles case-insensitive matching', () => {
+    const desc = 'Base.\n\nFor HIPAA: Some requirement.';
+    const result = filterDescriptionByFrameworks(desc, ['hipaa']);
+    expect(result).toContain('For HIPAA');
+  });
+
+  it('keeps paragraphs without framework prefixes', () => {
+    const desc =
+      'Upload a screenshot.\n\nProvide documentation.\n\nFor GDPR: Document lawful basis.';
+    const result = filterDescriptionByFrameworks(desc, ['SOC 2']);
+    expect(result).toContain('Upload a screenshot.');
+    expect(result).toContain('Provide documentation.');
+    expect(result).not.toContain('GDPR');
+  });
+
+  it('keeps unknown framework labels as a safe default', () => {
+    const desc = 'Base.\n\nFor CustomFramework: Custom requirement.';
+    const result = filterDescriptionByFrameworks(desc, ['SOC 2']);
+    expect(result).toContain('For CustomFramework');
+  });
+
+  it('handles the real-world Employee Verification example', () => {
+    const desc =
+      'Maintain a list of reference checks you made for every new hire. Verify the identity of every new hire.\n\nFor ISO 27001: Ensure you are also storing the NDA, candidate evaluation form and access creation request with its approval evidence\n\nFor PCI: For employees with potential access to the CDE, document background verification checks (e.g., reference check, prior employment) before granting access to CHD systems.';
+
+    // Org only has SOC 2 active
+    const soc2Only = filterDescriptionByFrameworks(desc, ['SOC 2']);
+    expect(soc2Only).toBe(
+      'Maintain a list of reference checks you made for every new hire. Verify the identity of every new hire.',
+    );
+
+    // Org has ISO 27001 active
+    const iso = filterDescriptionByFrameworks(desc, ['ISO 27001']);
+    expect(iso).toContain('For ISO 27001');
+    expect(iso).not.toContain('For PCI');
+  });
+
+  it('handles the real-world Asset Inventory with HIPAA example', () => {
+    const desc =
+      'Keep and maintain a list of your devices (laptops/servers). If you install the Comp AI agent on your devices, these will be automatically tracked in-app and you can mark this task as not-relevant.\n\nFor HIPAA: Know which devices hold your patient data is going and create a maintain a system to track it\n\nComp AI device agent is located at: portal.trycomp.ai';
+
+    const soc2Only = filterDescriptionByFrameworks(desc, ['SOC 2']);
+    expect(soc2Only).toContain('Keep and maintain a list');
+    expect(soc2Only).not.toContain('HIPAA');
+    expect(soc2Only).toContain('Comp AI device agent');
+  });
+
+  it('handles SOC 2 v.1 seed name variant', () => {
+    const desc = 'Base.\n\nFor HIPAA: HIPAA info.';
+    const result = filterDescriptionByFrameworks(desc, ['SOC 2 v.1']);
+    expect(result).not.toContain('HIPAA');
+  });
+
+  it('removes a framework section when header and content are split across paragraphs', () => {
+    const desc =
+      'General guidance.\n\nFor GDPR:\n\nMaintain a documented data breach response plan.';
+    const result = filterDescriptionByFrameworks(desc, ['SOC 2']);
+
+    expect(result).toBe('General guidance.');
+  });
+
+  it('removes leaked framework-specific content for Public Policies seed format', () => {
+    const desc =
+      'Add a comment with links to your privacy policy.\n\nFor GDPR:\n\nMaintain clear, transparent, and GDPR-compliant privacy notices.\n\nFor ISO 42001:\n\nEnsure policies identify stakeholder rights and obligations.';
+    const result = filterDescriptionByFrameworks(desc, ['SOC 2']);
+
+    expect(result).toBe('Add a comment with links to your privacy policy.');
+  });
+
+  it('removes leaked framework-specific content for Incident Response seed format', () => {
+    const desc =
+      'Keep a record of all security incidents and how they were resolved.\n\nFor GDPR:\n\nMaintain a documented data breach response plan.\n\nFor PCI:\n\nMaintain and annually test the incident response plan for cardholder data incidents.';
+    const result = filterDescriptionByFrameworks(desc, ['SOC 2']);
+
+    expect(result).toBe(
+      'Keep a record of all security incidents and how they were resolved.',
+    );
+  });
+
+  it('removes leaked framework-specific content for Board Meetings & Independence seed format', () => {
+    const desc =
+      'Submit board meeting evidence covering security topics.\n\nFor ISO 42001:\n\nEnsure board reviews discuss internal and external issues relevant to the AI MS.';
+    const result = filterDescriptionByFrameworks(desc, ['SOC 2']);
+
+    expect(result).toBe(
+      'Submit board meeting evidence covering security topics.',
+    );
+  });
+
+  it('removes leaked framework-specific content for Diagramming seed format', () => {
+    const desc =
+      'Architecture Diagram: Draw a single-page diagram.\n\nFor ISO 27001 and HIPAA:\n\nData Flow Diagram: Show exactly how user and sensitive data travels.\n\nFor ISO 42001:\n\nDocument how internal and external issues are reflected in diagrams.\n\nFor GDPR:\n\nMaintain an up-to-date data inventory and data flow map.\n\nFor PCI:\n\nMaintain current CDE network diagrams.';
+    const result = filterDescriptionByFrameworks(desc, ['SOC 2']);
+
+    expect(result).toBe('Architecture Diagram: Draw a single-page diagram.');
+  });
+});
diff --git a/apps/api/src/tasks/description-framework-filter.ts b/apps/api/src/tasks/description-framework-filter.ts
new file mode 100644
index 0000000000..670275c459
--- /dev/null
+++ b/apps/api/src/tasks/description-framework-filter.ts
@@ -0,0 +1,180 @@
+/**
+ * Well-known framework name patterns used in task descriptions.
+ * Each entry maps a canonical label (used in "For <label>:" paragraphs)
+ * to the possible names stored in FrameworkEditorFramework.name.
+ *
+ * Matching is case-insensitive.
+ */
+const FRAMEWORK_ALIASES: Record<string, string[]> = {
+  'soc 2': ['soc 2', 'soc2', 'soc 2 v.1'],
+  'iso 27001': ['iso 27001', 'iso27001'],
+  'iso 42001': ['iso 42001', 'iso42001'],
+  'iso 9001': ['iso 9001', 'iso9001'],
+  hipaa: ['hipaa'],
+  gdpr: ['gdpr'],
+  'pci dss': ['pci dss', 'pci', 'pci v0', 'example pci'],
+  'nen 7510': ['nen 7510', 'nen7510'],
+  'nist csf': ['nist csf'],
+  'nist 800-53': ['nist 800-53'],
+  'nis 2': ['nis 2', 'nis2'],
+};
+
+/**
+ * Regex that matches a paragraph that starts with a framework-specific
+ * prefix such as "For ISO 27001:" or "For HIPAA:".
+ *
+ * Capture group 1 = framework label (e.g. "ISO 27001", "PCI").
+ *
+ * The pattern is intentionally broad: it catches "For <words>:" at the
+ * beginning of a paragraph (after optional whitespace / newlines).
+ */
+const FOR_FRAMEWORK_LINE_RE =
+  /^[ \t]*For\s+([A-Za-z0-9][A-Za-z0-9 .\-/]*?)\s*:/im;
+const COMPOSITE_LABEL_SEPARATOR_RE = /\s*(?:,|\/|&|\band\b)\s*/i;
+
+/**
+ * Normalise a framework name for comparison.
+ */
+function normalise(name: string): string {
+  return name.trim().toLowerCase();
+}
+
+/**
+ * Build a Set of normalised active framework labels from the org's
+ * framework instance names. We expand each name through the alias map
+ * so that both the canonical label and the DB name are included.
+ */
+function buildActiveLabels(activeFrameworkNames: string[]): Set<string> {
+  const labels = new Set<string>();
+
+  for (const name of activeFrameworkNames) {
+    const normName = normalise(name);
+    labels.add(normName);
+
+    // Also add canonical labels that match this name
+    for (const [canonical, aliases] of Object.entries(FRAMEWORK_ALIASES)) {
+      if (aliases.some((a) => normalise(a) === normName)) {
+        labels.add(normalise(canonical));
+        for (const alias of aliases) {
+          labels.add(normalise(alias));
+        }
+      }
+    }
+  }
+
+  return labels;
+}
+
+/**
+ * Check whether a framework label extracted from a "For <label>:" line
+ * matches one of the active frameworks.
+ */
+function isLabelActive(label: string, activeLabels: Set<string>): boolean {
+  const normLabel = normalise(label);
+  const aliasEntries = Object.entries(FRAMEWORK_ALIASES);
+
+  // Direct match
+  if (activeLabels.has(normLabel)) return true;
+
+  // Check alias map: if the label is a known canonical key or alias,
+  // see if any of its counterparts are in the active set.
+  for (const [canonical, aliases] of aliasEntries) {
+    const allNames = [canonical, ...aliases].map(normalise);
+    if (allNames.includes(normLabel)) {
+      return allNames.some((n) => activeLabels.has(n));
+    }
+  }
+
+  // Handle headers like "For ISO 27001 and HIPAA:"
+  const parts = normLabel
+    .split(COMPOSITE_LABEL_SEPARATOR_RE)
+    .map((part) => part.trim())
+    .filter(Boolean);
+
+  if (parts.length > 1) {
+    let hasKnownPart = false;
+    let hasUnknownPart = false;
+    let anyKnownPartIsActive = false;
+
+    for (const part of parts) {
+      if (activeLabels.has(part)) {
+        hasKnownPart = true;
+        anyKnownPartIsActive = true;
+        continue;
+      }
+
+      const matchingAliasEntry = aliasEntries.find(([canonical, aliases]) => {
+        const allNames = [canonical, ...aliases].map(normalise);
+        return allNames.includes(part);
+      });
+
+      if (!matchingAliasEntry) {
+        hasUnknownPart = true;
+        continue;
+      }
+
+      hasKnownPart = true;
+      const [canonical, aliases] = matchingAliasEntry;
+      const allNames = [canonical, ...aliases].map(normalise);
+      if (allNames.some((name) => activeLabels.has(name))) {
+        anyKnownPartIsActive = true;
+      }
+    }
+
+    if (hasKnownPart && !hasUnknownPart) {
+      return anyKnownPartIsActive;
+    }
+  }
+
+  // Unknown label - keep it visible (safe default)
+  return true;
+}
+
+/**
+ * Filter framework-specific paragraphs from a task description.
+ *
+ * Paragraphs starting with "For <FrameworkName>:" are removed if the
+ * framework is not among the organisation's active frameworks.
+ *
+ * @returns The filtered description string.
+ */
+export function filterDescriptionByFrameworks(
+  description: string,
+  activeFrameworkNames: string[],
+): string {
+  if (!description) return description;
+  if (activeFrameworkNames.length === 0) return description;
+
+  const activeLabels = buildActiveLabels(activeFrameworkNames);
+
+  // Split description into paragraphs (double-newline separated)
+  const paragraphs = description.split(/\n\n+/);
+  let pendingHeaderIsActive: boolean | null = null;
+
+  const filtered = paragraphs.filter((paragraph) => {
+    if (pendingHeaderIsActive !== null) {
+      const shouldKeep = pendingHeaderIsActive;
+      pendingHeaderIsActive = null;
+      return shouldKeep;
+    }
+
+    const match = paragraph.match(FOR_FRAMEWORK_LINE_RE);
+    if (!match) return true; // Not a framework-specific paragraph
+
+    const label = match[1];
+    const isActive = isLabelActive(label, activeLabels);
+
+    // Handle seed data format where header and section content are split:
+    // "For GDPR:\n\n<framework-specific paragraph>"
+    const paragraphWithoutPrefix = paragraph
+      .replace(FOR_FRAMEWORK_LINE_RE, '')
+      .trim();
+    if (!paragraphWithoutPrefix) {
+      pendingHeaderIsActive = isActive;
+    }
+
+    return isActive;
+  });
+
+  return filtered.join('\n\n').trim();
+}
diff --git a/apps/api/src/tasks/tasks.service.ts b/apps/api/src/tasks/tasks.service.ts
index 62aa692387..deb99dcd7c 100644
--- a/apps/api/src/tasks/tasks.service.ts
+++ b/apps/api/src/tasks/tasks.service.ts
@@ -5,6 +5,7 @@ import {
   InternalServerErrorException,
   NotFoundException,
 } from '@nestjs/common';
+import { filterDescriptionByFrameworks } from './description-framework-filter';
 import { db, TaskStatus, Prisma, TaskFrequency, Departments } from '@db';
 import { TaskResponseDto } from './dto/task-responses.dto';
 import { TaskNotifierService } from './task-notifier.service';
@@ -62,6 +63,21 @@ export class TasksService {
     return ownerMember.userId;
   }
 
+  /**
+   * Fetch the active framework names for an organisation.
+   */
+  private async getActiveFrameworkNames(
+    organizationId: string,
+  ): Promise<string[]> {
+    const instances = await db.frameworkInstance.findMany({
+      where: { organizationId },
+      include: {
+        framework: { select: { name: true } },
+      },
+    });
+    return instances.map((fi) => fi.framework.name);
+  }
+
   /**
    * Get all tasks for an organization
    * @param organizationId - The organization ID
@@ -73,49 +89,61 @@ export class TasksService {
     options?: { includeRelations?: boolean },
   ) {
     try {
-      const tasks = await db.task.findMany({
-        where: {
-          organizationId,
-          ...assignmentFilter,
-        },
-        ...(options?.includeRelations && {
-          include: {
-            controls: {
-              select: { id: true, name: true },
-            },
-            evidenceAutomations: {
-              select: {
-                id: true,
-                isEnabled: true,
-                name: true,
-                runs: {
-                  orderBy: { createdAt: 'desc' as const },
-                  take: 3,
-                  select: {
-                    status: true,
-                    success: true,
-                    evaluationStatus: true,
-                    createdAt: true,
-                    triggeredBy: true,
-                    runDuration: true,
+      const [tasks, activeFrameworkNames] = await Promise.all([
+        db.task.findMany({
+          where: {
+            organizationId,
+            ...assignmentFilter,
+          },
+          ...(options?.includeRelations && {
+            include: {
+              controls: {
+                select: { id: true, name: true },
+              },
+              evidenceAutomations: {
+                select: {
+                  id: true,
+                  isEnabled: true,
+                  name: true,
+                  runs: {
+                    orderBy: { createdAt: 'desc' as const },
+                    take: 3,
+                    select: {
+                      status: true,
+                      success: true,
+                      evaluationStatus: true,
+                      createdAt: true,
+                      triggeredBy: true,
+                      runDuration: true,
+                    },
                   },
                 },
               },
             },
-          },
+          }),
+          orderBy: [{ status: 'asc' }, { order: 'asc' }, { createdAt: 'asc' }],
         }),
-        orderBy: [{ status: 'asc' }, { order: 'asc' }, { createdAt: 'asc' }],
-      });
+        this.getActiveFrameworkNames(organizationId),
+      ]);
+
+      const filterDescription = (desc: string) =>
+        filterDescriptionByFrameworks(desc, activeFrameworkNames);
 
       if (options?.includeRelations) {
-        return { data: tasks, count: tasks.length };
+        return {
+          data: tasks.map((t) => ({
+            ...t,
+            description: filterDescription(t.description),
+          })),
+          count: tasks.length,
+        };
       }
 
       return {
         data: tasks.map((task) => ({
           id: task.id,
           title: task.title,
-          description: task.description,
+          description: filterDescription(task.description),
           status: task.status,
           createdAt: task.createdAt,
           updatedAt: task.updatedAt,
@@ -152,23 +180,32 @@ export class TasksService {
     taskId: string,
   ) {
     try {
-      const task = await db.task.findFirst({
-        where: {
-          id: taskId,
-          organizationId,
-        },
-        include: {
-          assignee: true,
-          controls: true,
-          approver: { include: { user: true } },
-        },
-      });
+      const [task, activeFrameworkNames] = await Promise.all([
+        db.task.findFirst({
+          where: {
+            id: taskId,
+            organizationId,
+          },
+          include: {
+            assignee: true,
+            controls: true,
+            approver: { include: { user: true } },
+          },
+        }),
+        this.getActiveFrameworkNames(organizationId),
+      ]);
 
       if (!task) {
         throw new BadRequestException('Task not found or access denied');
       }
 
-      return task;
+      return {
+        ...task,
+        description: filterDescriptionByFrameworks(
+          task.description,
+          activeFrameworkNames,
+        ),
+      };
     } catch (error) {
       console.error('Error fetching task:', error);
       if (error instanceof BadRequestException) {
diff --git a/apps/api/src/training/training-certificate-pdf.service.ts b/apps/api/src/training/training-certificate-pdf.service.ts
index 81c644c32d..6d8961d877 100644
--- a/apps/api/src/training/training-certificate-pdf.service.ts
+++ b/apps/api/src/training/training-certificate-pdf.service.ts
@@ -53,15 +53,38 @@ export class TrainingCertificatePdfService {
     return cleanedText;
   }
 
-  /**
-   * Generates a training completion certificate PDF with Comp AI branding
-   */
+  async generateHipaaCertificatePdf(params: {
+    userName: string;
+    organizationName: string;
+    completedAt: Date;
+  }): Promise<Buffer> {
+    return this.generateCertificatePdf({
+      ...params,
+      title: 'HIPAA Security Awareness Training',
+      subtitle: 'HIPAA Security Awareness Training program',
+    });
+  }
+
   async generateTrainingCertificatePdf(params: {
     userName: string;
     organizationName: string;
     completedAt: Date;
   }): Promise<Buffer> {
-    const { userName, organizationName, completedAt } = params;
+    return this.generateCertificatePdf({
+      ...params,
+      title: 'Security Awareness Training',
+      subtitle: 'Security Awareness Training program',
+    });
+  }
+
+  private async generateCertificatePdf(params: {
+    userName: string;
+    organizationName: string;
+    completedAt: Date;
+    title: string;
+    subtitle: string;
+  }): Promise<Buffer> {
+    const { userName, organizationName, completedAt, title, subtitle } = params;
 
     const doc = new jsPDF({
       orientation: 'landscape',
@@ -112,7 +135,7 @@ export class TrainingCertificatePdfService {
     doc.setFont('helvetica', 'bold');
     doc.setFontSize(26);
     doc.setTextColor(18, 18, 18);
-    doc.text('Security Awareness Training', pageWidth / 2, 62, {
+    doc.text(this.cleanTextForPDF(title), pageWidth / 2, 62, {
       align: 'center',
     });
 
@@ -158,7 +181,7 @@ export class TrainingCertificatePdfService {
         align: 'center',
       },
     );
-    doc.text('Security Awareness Training program', pageWidth / 2, 117, {
+    doc.text(this.cleanTextForPDF(subtitle), pageWidth / 2, 117, {
       align: 'center',
     });
     // "for" in normal, org name in bold - manually center
diff --git a/apps/api/src/training/training-email.service.ts b/apps/api/src/training/training-email.service.ts
index de85f53a49..8f68c060af 100644
--- a/apps/api/src/training/training-email.service.ts
+++ b/apps/api/src/training/training-email.service.ts
@@ -1,6 +1,7 @@
 import { Injectable, Logger } from '@nestjs/common';
 import { triggerEmail } from '../email/trigger-email';
 import { TrainingCompletedEmail } from '../email/templates/training-completed';
+import { HipaaTrainingCompletedEmail } from '../email/templates/hipaa-training-completed';
 import { TrainingCertificatePdfService } from './training-certificate-pdf.service';
 
 @Injectable()
@@ -58,4 +59,50 @@ export class TrainingEmailService {
       `Training completed email sent to ${toEmail} with certificate (ID: ${id})`,
     );
   }
+
+  async sendHipaaTrainingCompletedEmail(params: {
+    toEmail: string;
+    toName: string;
+    organizationName: string;
+    completedAt: Date;
+  }): Promise<void> {
+    const { toEmail, toName, organizationName, completedAt } = params;
+
+    const certificatePdf =
+      await this.certificatePdfService.generateHipaaCertificatePdf({
+        userName: toName,
+        organizationName,
+        completedAt,
+      });
+
+    this.logger.log(
+      `Generated HIPAA training certificate PDF for ${toEmail} (${certificatePdf.length} bytes)`,
+    );
+
+    const safeUserName = toName.replace(/[^a-zA-Z0-9]/g, '-').toLowerCase();
+    const filename = `hipaa-training-certificate-${safeUserName}.pdf`;
+
+    const { id } = await triggerEmail({
+      to: toEmail,
+      subject: `Congratulations! You've completed your HIPAA Security Awareness Training - ${organizationName}`,
+      react: HipaaTrainingCompletedEmail({
+        email: toEmail,
+        userName: toName,
+        organizationName,
+        completedAt,
+      }),
+      system: true,
+      attachments: [
+        {
+          filename,
+          content: certificatePdf,
+          contentType: 'application/pdf',
+        },
+      ],
+    });
+
+    this.logger.log(
+      `HIPAA training completed email sent to ${toEmail} with certificate (ID: ${id})`,
+    );
+  }
 }
diff --git a/apps/api/src/training/training-hipaa.spec.ts b/apps/api/src/training/training-hipaa.spec.ts
new file mode 100644
index 0000000000..7c3a3d6f23
--- /dev/null
+++ b/apps/api/src/training/training-hipaa.spec.ts
@@ -0,0 +1,161 @@
+import { BadRequestException, NotFoundException } from '@nestjs/common';
+import { TrainingService } from './training.service';
+
+jest.mock('@db', () => ({
+  db: {
+    member: { findFirst: jest.fn(), findUnique: jest.fn() },
+    employeeTrainingVideoCompletion: {
+      findMany: jest.fn(),
+      findFirst: jest.fn(),
+      create: jest.fn(),
+      update: jest.fn(),
+    },
+  },
+}));
+
+const { db } = jest.requireMock('@db');
+
+const mockEmailService = {
+  sendTrainingCompletedEmail: jest.fn(),
+};
+
+const mockCertService = {
+  generateTrainingCertificatePdf: jest.fn(),
+};
+
+describe('TrainingService — HIPAA training', () => {
+  let service: TrainingService;
+
+  beforeEach(() => {
+    service = new TrainingService(
+      mockEmailService as never,
+      mockCertService as never,
+    );
+    jest.clearAllMocks();
+  });
+
+  describe('markVideoComplete', () => {
+    it('should accept hipaa-sat-1 as a valid training ID', async () => {
+      db.member.findFirst.mockResolvedValue({
+        id: 'mem_1',
+        organizationId: 'org_1',
+      });
+      db.employeeTrainingVideoCompletion.findFirst.mockResolvedValue(null);
+      db.employeeTrainingVideoCompletion.create.mockResolvedValue({
+        id: 'evc_1',
+        videoId: 'hipaa-sat-1',
+        memberId: 'mem_1',
+        completedAt: new Date(),
+      });
+      db.employeeTrainingVideoCompletion.findMany.mockResolvedValue([]);
+
+      const result = await service.markVideoComplete(
+        'mem_1',
+        'org_1',
+        'hipaa-sat-1',
+      );
+
+      expect(result.videoId).toBe('hipaa-sat-1');
+      expect(db.employeeTrainingVideoCompletion.create).toHaveBeenCalledWith({
+        data: {
+          videoId: 'hipaa-sat-1',
+          memberId: 'mem_1',
+          completedAt: expect.any(Date),
+        },
+      });
+    });
+
+    it('should reject unknown training IDs', async () => {
+      await expect(
+        service.markVideoComplete('mem_1', 'org_1', 'unknown-id'),
+      ).rejects.toThrow(BadRequestException);
+    });
+
+    it('should still accept general SAT IDs', async () => {
+      db.member.findFirst.mockResolvedValue({
+        id: 'mem_1',
+        organizationId: 'org_1',
+      });
+      db.employeeTrainingVideoCompletion.findFirst.mockResolvedValue(null);
+      db.employeeTrainingVideoCompletion.create.mockResolvedValue({
+        id: 'evc_2',
+        videoId: 'sat-3',
+        memberId: 'mem_1',
+        completedAt: new Date(),
+      });
+      db.employeeTrainingVideoCompletion.findMany.mockResolvedValue([]);
+
+      const result = await service.markVideoComplete(
+        'mem_1',
+        'org_1',
+        'sat-3',
+      );
+
+      expect(result.videoId).toBe('sat-3');
+    });
+  });
+
+  describe('hasCompletedAllTraining', () => {
+    it('should return true when all 5 general SAT videos are completed', async () => {
+      db.employeeTrainingVideoCompletion.findMany.mockResolvedValue(
+        ['sat-1', 'sat-2', 'sat-3', 'sat-4', 'sat-5'].map((id) => ({
+          videoId: id,
+          completedAt: new Date(),
+        })),
+      );
+
+      const result = await service.hasCompletedAllTraining('mem_1');
+      expect(result).toBe(true);
+    });
+
+    it('should return false when only some general SAT videos are completed', async () => {
+      db.employeeTrainingVideoCompletion.findMany.mockResolvedValue(
+        ['sat-1', 'sat-2'].map((id) => ({
+          videoId: id,
+          completedAt: new Date(),
+        })),
+      );
+
+      const result = await service.hasCompletedAllTraining('mem_1');
+      expect(result).toBe(false);
+    });
+
+    it('should NOT require hipaa-sat-1 for general training completion', async () => {
+      db.employeeTrainingVideoCompletion.findMany.mockResolvedValue(
+        ['sat-1', 'sat-2', 'sat-3', 'sat-4', 'sat-5'].map((id) => ({
+          videoId: id,
+          completedAt: new Date(),
+        })),
+      );
+
+      const result = await service.hasCompletedAllTraining('mem_1');
+      expect(result).toBe(true);
+    });
+  });
+
+  describe('hasCompletedHipaaTraining', () => {
+    it('should return true when hipaa-sat-1 is completed', async () => {
+      db.employeeTrainingVideoCompletion.findFirst.mockResolvedValue({
+        videoId: 'hipaa-sat-1',
+        completedAt: new Date(),
+      });
+
+      const result = await service.hasCompletedHipaaTraining('mem_1');
+      expect(result).toBe(true);
+    });
+
+    it('should return false when hipaa-sat-1 is not completed', async () => {
+      db.employeeTrainingVideoCompletion.findFirst.mockResolvedValue(null);
+
+      const result = await service.hasCompletedHipaaTraining('mem_1');
+      expect(result).toBe(false);
+    });
+
+    it('should return false when hipaa-sat-1 exists but has no completedAt', async () => {
+      db.employeeTrainingVideoCompletion.findFirst.mockResolvedValue(null);
+
+      const result = await service.hasCompletedHipaaTraining('mem_1');
+      expect(result).toBe(false);
+    });
+  });
+});
diff --git a/apps/api/src/training/training.controller.ts b/apps/api/src/training/training.controller.ts
index 9ed6d3ea76..1bc4b22939 100644
--- a/apps/api/src/training/training.controller.ts
+++ b/apps/api/src/training/training.controller.ts
@@ -147,4 +147,37 @@ export class TrainingController {
     );
     res.send(result.pdf);
   }
+
+  @Post('generate-hipaa-certificate')
+  @HttpCode(HttpStatus.OK)
+  @RequirePermission('training', 'read')
+  @ApiOperation({
+    summary: 'Generate HIPAA training certificate PDF',
+    description:
+      'Generates a PDF certificate for a member who has completed the HIPAA Security Awareness Training.',
+  })
+  @ApiProduces('application/pdf')
+  @ApiResponse({ status: 200, description: 'PDF certificate file' })
+  @ApiResponse({ status: 400, description: 'HIPAA training not complete or member not found' })
+  async generateHipaaCertificate(
+    @OrganizationId() organizationId: string,
+    @Body() dto: SendTrainingCompletionDto,
+    @Res() res: Response,
+  ): Promise<void> {
+    const result = await this.trainingService.generateHipaaCertificate(
+      dto.memberId,
+      organizationId,
+    );
+
+    if ('error' in result) {
+      throw new BadRequestException(result.error);
+    }
+
+    res.setHeader('Content-Type', 'application/pdf');
+    res.setHeader(
+      'Content-Disposition',
+      `attachment; filename="${result.fileName}"`,
+    );
+    res.send(result.pdf);
+  }
 }
diff --git a/apps/api/src/training/training.service.ts b/apps/api/src/training/training.service.ts
index 63363e689f..2f4d9d6524 100644
--- a/apps/api/src/training/training.service.ts
+++ b/apps/api/src/training/training.service.ts
@@ -8,8 +8,9 @@ import { db } from '@db';
 import { TrainingEmailService } from './training-email.service';
 import { TrainingCertificatePdfService } from './training-certificate-pdf.service';
 
-// Training video IDs - these must match what's in training-videos.ts
-const TRAINING_VIDEO_IDS = ['sat-1', 'sat-2', 'sat-3', 'sat-4', 'sat-5'];
+const GENERAL_TRAINING_IDS = ['sat-1', 'sat-2', 'sat-3', 'sat-4', 'sat-5'];
+const HIPAA_TRAINING_ID = 'hipaa-sat-1';
+const ALL_TRAINING_IDS = [...GENERAL_TRAINING_IDS, HIPAA_TRAINING_ID];
 
 @Injectable()
 export class TrainingService {
@@ -39,10 +40,22 @@ export class TrainingService {
     organizationId: string,
     videoId: string,
   ) {
-    if (!TRAINING_VIDEO_IDS.includes(videoId)) {
+    if (!ALL_TRAINING_IDS.includes(videoId)) {
       throw new BadRequestException(`Invalid video ID: ${videoId}`);
     }
 
+    if (videoId === HIPAA_TRAINING_ID) {
+      const hipaaInstance = await db.frameworkInstance.findFirst({
+        where: { organizationId, framework: { name: 'HIPAA' } },
+        select: { id: true },
+      });
+      if (!hipaaInstance) {
+        throw new BadRequestException(
+          'HIPAA training is not available for this organization',
+        );
+      }
+    }
+
     const member = await db.member.findFirst({
       where: { id: memberId, organizationId, deactivated: false },
     });
@@ -70,48 +83,64 @@ export class TrainingService {
       });
     }
 
-    // Check if all training is now complete and send email if so
-    const allComplete = await this.hasCompletedAllTraining(memberId);
-    if (allComplete) {
+    if (videoId === HIPAA_TRAINING_ID) {
       try {
-        await this.sendTrainingCompletionEmailIfComplete(
-          memberId,
-          organizationId,
-        );
+        await this.sendHipaaCompletionEmailIfComplete(memberId, organizationId);
       } catch (error) {
         this.logger.error(
-          `Failed to send training completion email for member ${memberId}:`,
+          `Failed to send HIPAA training completion email for member ${memberId}:`,
           error,
         );
       }
+    } else {
+      const allComplete = await this.hasCompletedAllTraining(memberId);
+      if (allComplete) {
+        try {
+          await this.sendTrainingCompletionEmailIfComplete(
+            memberId,
+            organizationId,
+          );
+        } catch (error) {
+          this.logger.error(
+            `Failed to send training completion email for member ${memberId}:`,
+            error,
+          );
+        }
+      }
     }
 
     return record;
   }
 
-  /**
-   * Check if a member has completed all training videos
-   */
   async hasCompletedAllTraining(memberId: string): Promise<boolean> {
     const completions = await db.employeeTrainingVideoCompletion.findMany({
       where: {
         memberId,
-        videoId: { in: TRAINING_VIDEO_IDS },
+        videoId: { in: GENERAL_TRAINING_IDS },
         completedAt: { not: null },
       },
     });
 
-    return completions.length === TRAINING_VIDEO_IDS.length;
+    return completions.length === GENERAL_TRAINING_IDS.length;
+  }
+
+  async hasCompletedHipaaTraining(memberId: string): Promise<boolean> {
+    const completion = await db.employeeTrainingVideoCompletion.findFirst({
+      where: {
+        memberId,
+        videoId: HIPAA_TRAINING_ID,
+        completedAt: { not: null },
+      },
+    });
+
+    return !!completion;
   }
 
-  /**
-   * Get the completion date for training (the most recent video completion)
-   */
   async getTrainingCompletionDate(memberId: string): Promise<Date | null> {
     const completions = await db.employeeTrainingVideoCompletion.findMany({
       where: {
         memberId,
-        videoId: { in: TRAINING_VIDEO_IDS },
+        videoId: { in: GENERAL_TRAINING_IDS },
         completedAt: { not: null },
       },
       orderBy: { completedAt: 'desc' },
@@ -125,144 +154,128 @@ export class TrainingService {
     return completions[0].completedAt;
   }
 
-  /**
-   * Send training completion email with certificate if all training is complete
-   * Returns true if email was sent, false if training is not complete
-   */
   async sendTrainingCompletionEmailIfComplete(
     memberId: string,
     organizationId: string,
   ): Promise<{ sent: boolean; reason?: string }> {
-    // Check if all training is complete
     const isComplete = await this.hasCompletedAllTraining(memberId);
     if (!isComplete) {
       return { sent: false, reason: 'training_not_complete' };
     }
 
-    // Get member details
-    const member = await db.member.findUnique({
-      where: { id: memberId },
-      include: {
-        user: {
-          select: {
-            email: true,
-            name: true,
-          },
-        },
-        organization: {
-          select: {
-            name: true,
-          },
-        },
-      },
-    });
+    const resolved = await this.resolveMemberForCertificate(memberId, organizationId);
+    if ('reason' in resolved) return { sent: false, reason: resolved.reason };
 
-    if (!member || !member.user) {
-      this.logger.warn(`Member not found or no user: ${memberId}`);
-      return { sent: false, reason: 'member_not_found' };
-    }
+    const completedAt = await this.getTrainingCompletionDate(memberId);
+    if (!completedAt) return { sent: false, reason: 'no_completion_date' };
 
-    if (!member.user.email) {
-      this.logger.warn(`Member has no email: ${memberId}`);
-      return { sent: false, reason: 'no_email' };
-    }
+    await this.trainingEmailService.sendTrainingCompletedEmail({
+      toEmail: resolved.email,
+      toName: resolved.userName,
+      organizationName: resolved.organizationName,
+      completedAt,
+    });
+    this.logger.log(`Training completion email sent to ${resolved.email}`);
+    return { sent: true };
+  }
 
-    // Check if member's organization matches
-    if (member.organizationId !== organizationId) {
-      this.logger.warn(
-        `Member organization mismatch: ${member.organizationId} !== ${organizationId}`,
-      );
-      return { sent: false, reason: 'organization_mismatch' };
-    }
+  async generateCertificate(
+    memberId: string,
+    organizationId: string,
+  ): Promise<{ pdf: Buffer; fileName: string } | { error: string }> {
+    const isComplete = await this.hasCompletedAllTraining(memberId);
+    if (!isComplete) return { error: 'training_not_complete' };
+
+    const resolved = await this.resolveMemberForCertificate(memberId, organizationId);
+    if ('reason' in resolved) return { error: resolved.reason };
 
-    // Get completion date
     const completedAt = await this.getTrainingCompletionDate(memberId);
-    if (!completedAt) {
-      return { sent: false, reason: 'no_completion_date' };
-    }
+    if (!completedAt) return { error: 'no_completion_date' };
 
-    // Send the email with certificate
-    try {
-      await this.trainingEmailService.sendTrainingCompletedEmail({
-        toEmail: member.user.email,
-        toName: member.user.name || 'Team Member',
-        organizationName: member.organization?.name || 'Your Organization',
-        completedAt,
-      });
+    const pdf = await this.trainingCertificatePdfService.generateTrainingCertificatePdf({
+      userName: resolved.userName,
+      organizationName: resolved.organizationName,
+      completedAt,
+    });
 
-      this.logger.log(
-        `Training completion email sent to ${member.user.email} for member ${memberId}`,
-      );
-
-      return { sent: true };
-    } catch (error) {
-      this.logger.error(
-        `Failed to send training completion email to ${member.user.email}:`,
-        error,
-      );
-      throw error;
-    }
+    return { pdf, fileName: `training-certificate-${resolved.userName.replace(/\s+/g, '-').toLowerCase()}.pdf` };
   }
 
-  /**
-   * Generate a training certificate PDF for a member
-   * Returns the PDF as a Buffer, or null if training is not complete
-   */
-  async generateCertificate(
+  async getHipaaCompletionDate(memberId: string): Promise<Date | null> {
+    const completion = await db.employeeTrainingVideoCompletion.findFirst({
+      where: { memberId, videoId: HIPAA_TRAINING_ID, completedAt: { not: null } },
+    });
+    return completion?.completedAt ?? null;
+  }
+
+  async sendHipaaCompletionEmailIfComplete(
     memberId: string,
     organizationId: string,
-  ): Promise<{ pdf: Buffer; fileName: string } | { error: string }> {
-    // Check if all training is complete
-    const isComplete = await this.hasCompletedAllTraining(memberId);
-    if (!isComplete) {
-      return { error: 'training_not_complete' };
-    }
+  ): Promise<{ sent: boolean; reason?: string }> {
+    const isComplete = await this.hasCompletedHipaaTraining(memberId);
+    if (!isComplete) return { sent: false, reason: 'hipaa_training_not_complete' };
 
-    // Get member details
-    const member = await db.member.findUnique({
-      where: { id: memberId },
-      include: {
-        user: {
-          select: {
-            name: true,
-          },
-        },
-        organization: {
-          select: {
-            name: true,
-          },
-        },
-      },
+    const resolved = await this.resolveMemberForCertificate(memberId, organizationId);
+    if ('reason' in resolved) return { sent: false, reason: resolved.reason };
+
+    const completedAt = await this.getHipaaCompletionDate(memberId);
+    if (!completedAt) return { sent: false, reason: 'no_completion_date' };
+
+    await this.trainingEmailService.sendHipaaTrainingCompletedEmail({
+      toEmail: resolved.email,
+      toName: resolved.userName,
+      organizationName: resolved.organizationName,
+      completedAt,
     });
+    this.logger.log(`HIPAA training completion email sent to ${resolved.email}`);
+    return { sent: true };
+  }
 
-    if (!member || !member.user) {
-      return { error: 'member_not_found' };
-    }
+  async generateHipaaCertificate(
+    memberId: string,
+    organizationId: string,
+  ): Promise<{ pdf: Buffer; fileName: string } | { error: string }> {
+    const isComplete = await this.hasCompletedHipaaTraining(memberId);
+    if (!isComplete) return { error: 'hipaa_training_not_complete' };
 
-    // Check if member's organization matches
-    if (member.organizationId !== organizationId) {
-      return { error: 'organization_mismatch' };
-    }
+    const resolved = await this.resolveMemberForCertificate(memberId, organizationId);
+    if ('reason' in resolved) return { error: resolved.reason };
 
-    // Get completion date
-    const completedAt = await this.getTrainingCompletionDate(memberId);
-    if (!completedAt) {
-      return { error: 'no_completion_date' };
-    }
+    const completedAt = await this.getHipaaCompletionDate(memberId);
+    if (!completedAt) return { error: 'no_completion_date' };
 
-    const userName = member.user.name || 'Team Member';
-    const organizationName = member.organization?.name || 'Organization';
+    const pdf = await this.trainingCertificatePdfService.generateHipaaCertificatePdf({
+      userName: resolved.userName,
+      organizationName: resolved.organizationName,
+      completedAt,
+    });
 
-    // Generate the PDF
-    const pdf =
-      await this.trainingCertificatePdfService.generateTrainingCertificatePdf({
-        userName,
-        organizationName,
-        completedAt,
-      });
+    return { pdf, fileName: `hipaa-training-certificate-${resolved.userName.replace(/\s+/g, '-').toLowerCase()}.pdf` };
+  }
+
+  private async resolveMemberForCertificate(
+    memberId: string,
+    organizationId: string,
+  ): Promise<
+    | { userName: string; email: string; organizationName: string }
+    | { reason: string }
+  > {
+    const member = await db.member.findUnique({
+      where: { id: memberId },
+      include: {
+        user: { select: { email: true, name: true } },
+        organization: { select: { name: true } },
+      },
+    });
 
-    const fileName = `training-certificate-${userName.replace(/\s+/g, '-').toLowerCase()}.pdf`;
+    if (!member?.user) return { reason: 'member_not_found' };
+    if (!member.user.email) return { reason: 'no_email' };
+    if (member.organizationId !== organizationId) return { reason: 'organization_mismatch' };
 
-    return { pdf, fileName };
+    return {
+      userName: member.user.name || 'Team Member',
+      email: member.user.email,
+      organizationName: member.organization?.name || 'Organization',
+    };
   }
 }
diff --git a/apps/api/src/trigger/policies/update-policy-helpers.ts b/apps/api/src/trigger/policies/update-policy-helpers.ts
index dbf7c5595b..0739ad3e3b 100644
--- a/apps/api/src/trigger/policies/update-policy-helpers.ts
+++ b/apps/api/src/trigger/policies/update-policy-helpers.ts
@@ -251,7 +251,12 @@ export async function updatePolicyInDatabase(
     }
 
     await db.$transaction(async (tx) => {
+      // Clear version references first to avoid FK constraint issues during deletion
       if (policy.versions.length > 0) {
+        await tx.policy.update({
+          where: { id: policyId },
+          data: { currentVersionId: null, pendingVersionId: null },
+        });
         await tx.policyVersion.deleteMany({ where: { policyId } });
       }
 
diff --git a/apps/app/src/app/(app)/[orgId]/integrations/components/PlatformIntegrations.test.tsx b/apps/app/src/app/(app)/[orgId]/integrations/components/PlatformIntegrations.test.tsx
index 31a2f3ceea..b10e3ff0f9 100644
--- a/apps/app/src/app/(app)/[orgId]/integrations/components/PlatformIntegrations.test.tsx
+++ b/apps/app/src/app/(app)/[orgId]/integrations/components/PlatformIntegrations.test.tsx
@@ -92,6 +92,7 @@ vi.mock('next/link', () => ({
 // Mock next/navigation
 vi.mock('next/navigation', () => ({
   useParams: () => ({ orgId: 'org-1' }),
+  useRouter: () => ({ push: vi.fn() }),
   useSearchParams: () => new URLSearchParams(),
 }));
 
@@ -143,9 +144,10 @@ vi.mock('lucide-react', () => ({
 
 // Mock sonner
 vi.mock('sonner', () => ({
-  toast: { success: vi.fn(), error: vi.fn() },
+  toast: { success: vi.fn(), error: vi.fn(), info: vi.fn() },
 }));
 
+import { toast } from 'sonner';
 import { PlatformIntegrations } from './PlatformIntegrations';
 
 const defaultProps = {
@@ -202,4 +204,129 @@ describe('PlatformIntegrations', () => {
       expect(screen.getByTestId('search-input')).toBeInTheDocument();
     });
   });
+
+  describe('Employee sync import prompt', () => {
+    it('shows import prompt toast after Google Workspace OAuth callback', async () => {
+      // Override mocks for this test to simulate OAuth callback
+      const { useIntegrationProviders, useIntegrationConnections } = vi.mocked(
+        await import('@/hooks/use-integration-platform'),
+      );
+
+      vi.mocked(useIntegrationProviders).mockReturnValue({
+        providers: [
+          {
+            id: 'google-workspace',
+            name: 'Google Workspace',
+            description: 'Google Workspace admin',
+            category: 'Identity & Access',
+            logoUrl: '/google.png',
+            authType: 'oauth2',
+            oauthConfigured: true,
+            isActive: true,
+            requiredVariables: [],
+            mappedTasks: [],
+            supportsMultipleConnections: false,
+          },
+        ] as any,
+        isLoading: false,
+        error: undefined,
+        refresh: vi.fn(),
+      });
+
+      vi.mocked(useIntegrationConnections).mockReturnValue({
+        connections: [
+          {
+            id: 'conn-1',
+            providerSlug: 'google-workspace',
+            status: 'active',
+            variables: null,
+          },
+        ] as any,
+        isLoading: false,
+        error: undefined,
+        refresh: vi.fn(),
+      });
+
+      // Mock useSearchParams to simulate OAuth callback
+      const { useSearchParams: mockUseSearchParams } = vi.mocked(
+        await import('next/navigation'),
+      );
+      vi.mocked(mockUseSearchParams).mockReturnValue(
+        new URLSearchParams('success=true&provider=google-workspace') as any,
+      );
+
+      setMockPermissions(ADMIN_PERMISSIONS);
+
+      render(<PlatformIntegrations {...defaultProps} />);
+
+      expect(toast.success).toHaveBeenCalledWith(
+        'Google Workspace connected successfully!',
+      );
+      expect(toast.info).toHaveBeenCalledWith(
+        'Import your Google Workspace users',
+        expect.objectContaining({
+          description: 'Go to People to import and sync your team members.',
+          action: expect.objectContaining({ label: 'Go to People' }),
+        }),
+      );
+    });
+
+    it('does not show import prompt for non-sync providers', async () => {
+      // Override mocks for this test to simulate OAuth callback for a non-sync provider
+      const { useIntegrationProviders, useIntegrationConnections } = vi.mocked(
+        await import('@/hooks/use-integration-platform'),
+      );
+
+      vi.mocked(useIntegrationProviders).mockReturnValue({
+        providers: [
+          {
+            id: 'github',
+            name: 'GitHub',
+            description: 'Code hosting',
+            category: 'Development',
+            logoUrl: '/github.png',
+            authType: 'oauth2',
+            oauthConfigured: true,
+            isActive: true,
+            requiredVariables: [],
+            mappedTasks: [],
+            supportsMultipleConnections: false,
+          },
+        ] as any,
+        isLoading: false,
+        error: undefined,
+        refresh: vi.fn(),
+      });
+
+      vi.mocked(useIntegrationConnections).mockReturnValue({
+        connections: [
+          {
+            id: 'conn-2',
+            providerSlug: 'github',
+            status: 'active',
+            variables: null,
+          },
+        ] as any,
+        isLoading: false,
+        error: undefined,
+        refresh: vi.fn(),
+      });
+
+      const { useSearchParams: mockUseSearchParams } = vi.mocked(
+        await import('next/navigation'),
+      );
+      vi.mocked(mockUseSearchParams).mockReturnValue(
+        new URLSearchParams('success=true&provider=github') as any,
+      );
+
+      setMockPermissions(ADMIN_PERMISSIONS);
+
+      render(<PlatformIntegrations {...defaultProps} />);
+
+      expect(toast.success).toHaveBeenCalledWith(
+        'GitHub connected successfully!',
+      );
+      expect(toast.info).not.toHaveBeenCalled();
+    });
+  });
 });
diff --git a/apps/app/src/app/(app)/[orgId]/integrations/components/PlatformIntegrations.tsx b/apps/app/src/app/(app)/[orgId]/integrations/components/PlatformIntegrations.tsx
index 594f8d3426..700704c3ea 100644
--- a/apps/app/src/app/(app)/[orgId]/integrations/components/PlatformIntegrations.tsx
+++ b/apps/app/src/app/(app)/[orgId]/integrations/components/PlatformIntegrations.tsx
@@ -34,7 +34,7 @@ import {
 } from 'lucide-react';
 import Image from 'next/image';
 import Link from 'next/link';
-import { useParams, useSearchParams } from 'next/navigation';
+import { useParams, useRouter, useSearchParams } from 'next/navigation';
 import { useEffect, useMemo, useRef, useState } from 'react';
 import { toast } from 'sonner';
 import {
@@ -48,6 +48,14 @@ import { TaskCard, TaskCardSkeleton } from './TaskCard';
 
 const LOGO_TOKEN = 'pk_AZatYxV5QDSfWpRDaBxzRQ';
 
+// Providers that support employee sync via People > All
+const EMPLOYEE_SYNC_PROVIDERS = new Set([
+  'google-workspace',
+  'rippling',
+  'jumpcloud',
+  'ramp',
+]);
+
 // Check if a provider needs variable configuration based on manifest's required variables
 const providerNeedsConfiguration = (
   requiredVariables: string[] | undefined,
@@ -78,6 +86,7 @@ interface PlatformIntegrationsProps {
 
 export function PlatformIntegrations({ className, taskTemplates }: PlatformIntegrationsProps) {
   const { orgId } = useParams<{ orgId: string }>();
+  const router = useRouter();
   const searchParams = useSearchParams();
   const { providers, isLoading: loadingProviders } = useIntegrationProviders(true);
   const {
@@ -138,6 +147,18 @@ export function PlatformIntegrations({ className, taskTemplates }: PlatformInteg
   };
 
   const handleConnectDialogSuccess = () => {
+    // Prompt user to import employees for providers that support sync
+    if (connectingProviderInfo && EMPLOYEE_SYNC_PROVIDERS.has(connectingProviderInfo.id)) {
+      toast.info(`Import your ${connectingProviderInfo.name} users`, {
+        description:
+          'Go to People to import and sync your team members.',
+        duration: 15000,
+        action: {
+          label: 'Go to People',
+          onClick: () => router.push(`/${orgId}/people/all`),
+        },
+      });
+    }
     refreshConnections();
     setConnectDialogOpen(false);
     setConnectingProviderInfo(null);
@@ -264,6 +285,19 @@ export function PlatformIntegrations({ className, taskTemplates }: PlatformInteg
     if (connection && provider) {
       toast.success(`${provider.name} connected successfully!`);
 
+      // Prompt user to import employees for providers that support sync
+      if (EMPLOYEE_SYNC_PROVIDERS.has(providerSlug)) {
+        toast.info(`Import your ${provider.name} users`, {
+          description:
+            'Go to People to import and sync your team members.',
+          duration: 15000,
+          action: {
+            label: 'Go to People',
+            onClick: () => router.push(`/${orgId}/people/all`),
+          },
+        });
+      }
+
       // Set state first
       setSelectedConnection(connection);
       setSelectedProvider(provider);
diff --git a/apps/app/src/app/(app)/[orgId]/people/[employeeId]/actions/download-hipaa-certificate.ts b/apps/app/src/app/(app)/[orgId]/people/[employeeId]/actions/download-hipaa-certificate.ts
new file mode 100644
index 0000000000..bdee3cfdde
--- /dev/null
+++ b/apps/app/src/app/(app)/[orgId]/people/[employeeId]/actions/download-hipaa-certificate.ts
@@ -0,0 +1,64 @@
+'use server';
+
+import { authActionClient } from '@/actions/safe-action';
+import { env } from '@/env.mjs';
+import { headers } from 'next/headers';
+import { z } from 'zod';
+
+const downloadHipaaCertificateSchema = z.object({
+  memberId: z.string(),
+  organizationId: z.string(),
+});
+
+export const downloadHipaaCertificate = authActionClient
+  .inputSchema(downloadHipaaCertificateSchema)
+  .metadata({
+    name: 'downloadHipaaCertificate',
+    track: {
+      event: 'downloadHipaaCertificate',
+      channel: 'server',
+    },
+  })
+  .action(async ({ parsedInput, ctx }) => {
+    const { memberId, organizationId } = parsedInput;
+    const { session } = ctx;
+
+    if (session.activeOrganizationId !== organizationId) {
+      throw new Error(
+        'Unauthorized: You do not have access to this organization',
+      );
+    }
+
+    const apiUrl =
+      env.NEXT_PUBLIC_API_URL ||
+      process.env.API_BASE_URL ||
+      'http://localhost:3333';
+
+    const headerStore = await headers();
+    const cookieHeader = headerStore.get('cookie');
+
+    const requestHeaders: Record<string, string> = {
+      'Content-Type': 'application/json',
+    };
+
+    if (cookieHeader) {
+      requestHeaders['Cookie'] = cookieHeader;
+    }
+
+    const response = await fetch(
+      `${apiUrl}/v1/training/generate-hipaa-certificate`,
+      {
+        method: 'POST',
+        headers: requestHeaders,
+        body: JSON.stringify({ memberId, organizationId }),
+      },
+    );
+
+    if (!response.ok) {
+      const errorText = await response.text();
+      throw new Error(`Failed to generate HIPAA certificate: ${errorText}`);
+    }
+
+    const pdfBuffer = await response.arrayBuffer();
+    return Buffer.from(pdfBuffer).toString('base64');
+  });
diff --git a/apps/app/src/app/(app)/[orgId]/people/[employeeId]/components/Employee.tsx b/apps/app/src/app/(app)/[orgId]/people/[employeeId]/components/Employee.tsx
index 4759638335..191e7be5c3 100644
--- a/apps/app/src/app/(app)/[orgId]/people/[employeeId]/components/Employee.tsx
+++ b/apps/app/src/app/(app)/[orgId]/people/[employeeId]/components/Employee.tsx
@@ -21,6 +21,8 @@ interface EmployeeProps {
   organization: Organization;
   memberDevice: DeviceWithChecks | null;
   orgId: string;
+  hasHipaaFramework: boolean;
+  hipaaCompletedAt: Date | null;
 }
 
 export function Employee({
@@ -33,6 +35,8 @@ export function Employee({
   organization,
   memberDevice,
   orgId,
+  hasHipaaFramework,
+  hipaaCompletedAt,
 }: EmployeeProps) {
   return (
     <PageLayout
@@ -59,6 +63,8 @@ export function Employee({
           host={host}
           organization={organization}
           memberDevice={memberDevice}
+          hasHipaaFramework={hasHipaaFramework}
+          hipaaCompletedAt={hipaaCompletedAt}
         />
       </Stack>
     </PageLayout>
diff --git a/apps/app/src/app/(app)/[orgId]/people/[employeeId]/components/EmployeeTasks.tsx b/apps/app/src/app/(app)/[orgId]/people/[employeeId]/components/EmployeeTasks.tsx
index 8ec1c364c3..ecb62cb7ab 100644
--- a/apps/app/src/app/(app)/[orgId]/people/[employeeId]/components/EmployeeTasks.tsx
+++ b/apps/app/src/app/(app)/[orgId]/people/[employeeId]/components/EmployeeTasks.tsx
@@ -19,8 +19,26 @@ import type { FleetPolicy, Host } from '../../devices/types';
 import type { DeviceWithChecks } from '../../devices/types';
 import { PolicyItem } from '../../devices/components/PolicyItem';
 import { downloadTrainingCertificate } from '../actions/download-training-certificate';
+import { downloadHipaaCertificate } from '../actions/download-hipaa-certificate';
 import { cn } from '@/lib/utils';
 
+function downloadBase64Pdf(base64: string, fileName: string) {
+  const byteCharacters = atob(base64);
+  const byteNumbers = new Array(byteCharacters.length);
+  for (let i = 0; i < byteCharacters.length; i++) {
+    byteNumbers[i] = byteCharacters.charCodeAt(i);
+  }
+  const blob = new Blob([new Uint8Array(byteNumbers)], { type: 'application/pdf' });
+  const url = window.URL.createObjectURL(blob);
+  const link = document.createElement('a');
+  link.href = url;
+  link.download = fileName;
+  document.body.appendChild(link);
+  link.click();
+  document.body.removeChild(link);
+  window.URL.revokeObjectURL(url);
+}
+
 const CHECK_FIELDS = [
   { key: 'diskEncryptionEnabled' as const, dbKey: 'disk_encryption', label: 'Disk Encryption' },
   { key: 'antivirusEnabled' as const, dbKey: 'antivirus', label: 'Antivirus' },
@@ -42,6 +60,8 @@ export const EmployeeTasks = ({
   fleetPolicies,
   organization,
   memberDevice,
+  hasHipaaFramework,
+  hipaaCompletedAt,
 }: {
   employee: Member & {
     user: User;
@@ -54,6 +74,8 @@ export const EmployeeTasks = ({
   fleetPolicies: FleetPolicy[];
   organization: Organization;
   memberDevice: DeviceWithChecks | null;
+  hasHipaaFramework: boolean;
+  hipaaCompletedAt: Date | null;
 }) => {
   // Calculate training completion status
   const completedVideos = trainingVideos.filter((v) => v.completedAt !== null);
@@ -70,30 +92,13 @@ export const EmployeeTasks = ({
 
   const handleDownloadCertificate = async () => {
     if (!trainingCompletionDate) return;
-
     const result = await downloadTrainingCertificate({
       memberId: employee.id,
       organizationId: organization.id,
     });
-
     if (result?.data) {
-      // Convert base64 to blob and download
-      const byteCharacters = atob(result.data);
-      const byteNumbers = new Array(byteCharacters.length);
-      for (let i = 0; i < byteCharacters.length; i++) {
-        byteNumbers[i] = byteCharacters.charCodeAt(i);
-      }
-      const byteArray = new Uint8Array(byteNumbers);
-      const blob = new Blob([byteArray], { type: 'application/pdf' });
-
-      const url = window.URL.createObjectURL(blob);
-      const link = document.createElement('a');
-      link.href = url;
-      link.download = `training-certificate-${employee.user.name?.replace(/\s+/g, '-').toLowerCase() || 'employee'}.pdf`;
-      document.body.appendChild(link);
-      link.click();
-      document.body.removeChild(link);
-      window.URL.revokeObjectURL(url);
+      const safeName = employee.user.name?.replace(/\s+/g, '-').toLowerCase() || 'employee';
+      downloadBase64Pdf(result.data, `training-certificate-${safeName}.pdf`);
     }
   };
   return (
@@ -103,6 +108,9 @@ export const EmployeeTasks = ({
           <TabsList>
             <TabsTrigger value="policies">Policies</TabsTrigger>
             <TabsTrigger value="training">Training Videos</TabsTrigger>
+            {hasHipaaFramework && (
+              <TabsTrigger value="hipaa">HIPAA Training</TabsTrigger>
+            )}
             <TabsTrigger value="device">Device</TabsTrigger>
           </TabsList>
 
@@ -244,6 +252,67 @@ export const EmployeeTasks = ({
             )}
           </TabsContent>
 
+          {hasHipaaFramework && (
+            <TabsContent value="hipaa">
+              <div
+                className={cn(
+                  'flex items-center justify-between rounded-lg border p-4',
+                  hipaaCompletedAt
+                    ? 'border-primary/20 bg-primary/5'
+                    : 'border-muted bg-muted/30',
+                )}
+              >
+                <div className="flex items-center gap-3">
+                  {hipaaCompletedAt ? (
+                    <div
+                      className={cn(
+                        'flex h-10 w-10 items-center justify-center rounded-full bg-primary/10',
+                      )}
+                    >
+                      <Award className="h-5 w-5 text-primary" />
+                    </div>
+                  ) : (
+                    <AlertCircle className="h-5 w-5 shrink-0 text-destructive" />
+                  )}
+                  <div>
+                    <Text weight="medium">
+                      {hipaaCompletedAt
+                        ? 'HIPAA Security Awareness Training Acknowledged'
+                        : 'HIPAA Security Awareness Training Not Completed'}
+                    </Text>
+                    <Text size="sm" variant="muted">
+                      {hipaaCompletedAt
+                        ? `Acknowledged on ${new Date(hipaaCompletedAt).toLocaleDateString('en-US', {
+                            year: 'numeric',
+                            month: 'long',
+                            day: 'numeric',
+                          })}`
+                        : 'Employee has not yet acknowledged the HIPAA training in the portal.'}
+                    </Text>
+                  </div>
+                </div>
+                {hipaaCompletedAt && (
+                  <button
+                    onClick={async () => {
+                      const result = await downloadHipaaCertificate({
+                        memberId: employee.id,
+                        organizationId: organization.id,
+                      });
+                      if (result?.data) {
+                        const safeName = employee.user.name?.replace(/\s+/g, '-').toLowerCase() || 'employee';
+                        downloadBase64Pdf(result.data, `hipaa-training-certificate-${safeName}.pdf`);
+                      }
+                    }}
+                    className="inline-flex items-center gap-2 rounded-lg border border-primary bg-primary px-3 py-1.5 text-sm font-medium text-primary-foreground transition-all duration-200 hover:bg-primary/90 hover:shadow-sm focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-primary/20 focus-visible:ring-offset-1 cursor-pointer"
+                  >
+                    <Download className="h-3.5 w-3.5" />
+                    Certificate
+                  </button>
+                )}
+              </div>
+            </TabsContent>
+          )}
+
           <TabsContent value="device">
             {!organization.deviceAgentStepEnabled ? (
               <div className="flex items-center gap-3 rounded-lg border border-muted bg-muted/30 p-4">
diff --git a/apps/app/src/app/(app)/[orgId]/people/[employeeId]/page.tsx b/apps/app/src/app/(app)/[orgId]/people/[employeeId]/page.tsx
index 788d2655d1..2161176330 100644
--- a/apps/app/src/app/(app)/[orgId]/people/[employeeId]/page.tsx
+++ b/apps/app/src/app/(app)/[orgId]/people/[employeeId]/page.tsx
@@ -4,6 +4,7 @@ import {
   type TrainingVideo,
   trainingVideos as trainingVideosData,
 } from '@/lib/data/training-videos';
+import { HIPAA_TRAINING_ID } from '@/lib/data/hipaa-training-content';
 import { getFleetInstance } from '@/lib/fleet';
 import type { EmployeeTrainingVideoCompletion, Member, User } from '@db';
 import { db } from '@db/server';
@@ -40,19 +41,27 @@ export default async function EmployeeDetailsPage({
     redirect('/');
   }
 
-  const policies = await getPoliciesTasks(employeeId);
-  const employeeTrainingVideos = await getTrainingVideos(employeeId);
-  const employee = await getEmployee(employeeId);
+  const [policies, employeeTrainingVideos, employee, hipaaCompletion] = await Promise.all([
+    getPoliciesTasks(employeeId),
+    getTrainingVideos(employeeId),
+    getEmployee(employeeId),
+    db.employeeTrainingVideoCompletion.findFirst({
+      where: { memberId: employeeId, videoId: HIPAA_TRAINING_ID },
+    }),
+  ]);
 
   // If employee doesn't exist, show 404 page
   if (!employee) {
     notFound();
   }
 
-  // Get organization for certificate generation
-  const organization = await db.organization.findUnique({
-    where: { id: orgId },
-  });
+  const [organization, hipaaFramework] = await Promise.all([
+    db.organization.findUnique({ where: { id: orgId } }),
+    db.frameworkInstance.findFirst({
+      where: { organizationId: orgId, framework: { name: 'HIPAA' } },
+      select: { id: true },
+    }),
+  ]);
 
   if (!organization) {
     notFound();
@@ -72,6 +81,8 @@ export default async function EmployeeDetailsPage({
       organization={organization}
       memberDevice={memberDevice}
       orgId={orgId}
+      hasHipaaFramework={!!hipaaFramework}
+      hipaaCompletedAt={hipaaCompletion?.completedAt ?? null}
     />
   );
 }
diff --git a/apps/app/src/app/(app)/[orgId]/people/all/components/TeamMembersClient.tsx b/apps/app/src/app/(app)/[orgId]/people/all/components/TeamMembersClient.tsx
index 7432ccb2c4..b6657d5624 100644
--- a/apps/app/src/app/(app)/[orgId]/people/all/components/TeamMembersClient.tsx
+++ b/apps/app/src/app/(app)/[orgId]/people/all/components/TeamMembersClient.tsx
@@ -1,6 +1,5 @@
 'use client';
 
-import { Loader2 } from 'lucide-react';
 import Image from 'next/image';
 import { useRouter } from 'next/navigation';
 import { useState } from 'react';
@@ -34,9 +33,10 @@ import {
   TableRow,
   Button,
 } from '@trycompai/design-system';
-import { Search } from '@trycompai/design-system/icons';
+import { InProgress, Search } from '@trycompai/design-system/icons';
 
 import { apiClient } from '@/lib/api-client';
+import { buildDisplayItems, filterDisplayItems } from './filter-members';
 import { MemberRow } from './MemberRow';
 import { PendingInvitationRow } from './PendingInvitationRow';
 import type { MemberWithUser, TeamMembersData } from './TeamMembers';
@@ -56,18 +56,6 @@ interface TeamMembersClientProps {
   memberIdsWithDeviceAgent: string[];
 }
 
-// Define a simplified type for merged list items
-interface DisplayItem extends Partial<MemberWithUser>, Partial<Invitation> {
-  type: 'member' | 'invitation';
-  displayName: string;
-  displayEmail: string;
-  displayRole: string | string[]; // Simplified role display, could be comma-separated
-  displayStatus: 'active' | 'pending' | 'deactivated';
-  displayId: string; // Use member.id or invitation.id
-  processedRoles: string[];
-  isDeactivated?: boolean;
-}
-
 export function TeamMembersClient({
   data,
   organizationId,
@@ -129,65 +117,12 @@ export function TeamMembersClient({
     }
   };
 
-  // Combine and type members and invitations for filtering/display
-  const allItems: DisplayItem[] = [
-    ...data.members.map((member) => {
-      // Process the role to handle comma-separated values
-      const roles = parseRolesString(member.role);
-
-      const isInactive = member.deactivated || !member.isActive;
-
-      return {
-        ...member,
-        type: 'member' as const,
-        displayName: member.user.name || member.user.email || '',
-        displayEmail: member.user.email || '',
-        displayRole: member.role, // Keep original for filtering
-        displayStatus: isInactive ? ('deactivated' as const) : ('active' as const),
-        displayId: member.id,
-        // Add processed roles for rendering
-        processedRoles: roles,
-        isDeactivated: isInactive,
-      };
-    }),
-    ...data.pendingInvitations.map((invitation) => {
-      // Process the role to handle comma-separated values
-      const roles = parseRolesString(invitation.role);
-
-      return {
-        ...invitation,
-        type: 'invitation' as const,
-        displayName: invitation.email.split('@')[0], // Or just email
-        displayEmail: invitation.email,
-        displayRole: invitation.role, // Keep original for filtering
-        displayStatus: 'pending' as const,
-        displayId: invitation.id,
-        // Add processed roles for rendering
-        processedRoles: roles,
-      };
-    }),
-  ];
-
-  const filteredItems = allItems.filter((item) => {
-    const matchesSearch =
-      item.displayName.toLowerCase().includes(searchQuery.toLowerCase()) ||
-      item.displayEmail.toLowerCase().includes(searchQuery.toLowerCase());
-
-    // Check if the role filter matches any of the member's roles
-    const matchesRole = !roleFilter || item.processedRoles.includes(roleFilter);
-
-    // Status filter: by default (no filter), hide deactivated members
-    // 'active' explicitly shows non-deactivated members + pending invitations
-    // 'deactivated' shows only deactivated members
-    // 'all' shows everything
-    const matchesStatus =
-      (statusFilter === 'all') ||
-      (statusFilter === 'deactivated' && item.displayStatus === 'deactivated') ||
-      (statusFilter === 'pending' && item.displayStatus === 'pending') ||
-      (!statusFilter && item.displayStatus !== 'deactivated') ||
-      (statusFilter === 'active' && item.displayStatus === 'active');
-
-    return matchesSearch && matchesRole && matchesStatus;
+  const allItems = buildDisplayItems(data);
+  const filteredItems = filterDisplayItems({
+    items: allItems,
+    searchQuery,
+    roleFilter,
+    statusFilter,
   });
 
   const activeMembers = filteredItems.filter((item) => item.type === 'member');
@@ -356,7 +291,7 @@ export function TeamMembersClient({
                 <SelectTrigger>
                   {isSyncing ? (
                     <>
-                      <Loader2 className="mr-2 h-4 w-4 animate-spin" />
+                      <InProgress size={16} className="mr-2 animate-spin" />
                       Syncing...
                     </>
                   ) : selectedProvider ? (
diff --git a/apps/app/src/app/(app)/[orgId]/people/all/components/filter-members.test.ts b/apps/app/src/app/(app)/[orgId]/people/all/components/filter-members.test.ts
new file mode 100644
index 0000000000..c23731abc9
--- /dev/null
+++ b/apps/app/src/app/(app)/[orgId]/people/all/components/filter-members.test.ts
@@ -0,0 +1,272 @@
+import { beforeEach, describe, expect, it, vi } from 'vitest';
+import type { DisplayItem } from './filter-members';
+import type { MemberWithUser } from './TeamMembers';
+import type { Invitation } from '@db';
+
+// Mock @/lib/permissions to avoid resolving @trycompai/auth
+vi.mock('@/lib/permissions', () => ({
+  parseRolesString: (rolesStr: string | null | undefined): string[] => {
+    if (!rolesStr) return [];
+    return rolesStr
+      .split(',')
+      .map((r) => r.trim())
+      .filter((r) => r.length > 0);
+  },
+}));
+
+// Import after mock setup
+const { buildDisplayItems, filterDisplayItems } = await import('./filter-members');
+
+// Minimal member factory for testing
+function makeMember(overrides: Partial<MemberWithUser> & { id: string; role: string }): MemberWithUser {
+  return {
+    organizationId: 'org_1',
+    userId: `usr_${overrides.id}`,
+    createdAt: new Date(),
+    department: 'none' as never,
+    jobTitle: null,
+    isActive: true,
+    deactivated: false,
+    externalUserId: null,
+    externalUserSource: null,
+    fleetDmLabelId: null,
+    user: {
+      id: `usr_${overrides.id}`,
+      name: `User ${overrides.id}`,
+      email: `user-${overrides.id}@test.com`,
+      emailVerified: true,
+      image: null,
+      createdAt: new Date(),
+      updatedAt: new Date(),
+      lastLogin: null,
+      role: 'user',
+      banned: false,
+      banReason: null,
+      banExpires: null,
+      twoFactorEnabled: false,
+    },
+    ...overrides,
+  } as MemberWithUser;
+}
+
+function makeInvitation(overrides: Partial<Invitation> & { id: string; email: string; role: string }): Invitation {
+  return {
+    organizationId: 'org_1',
+    inviterId: 'usr_inv',
+    teamId: null,
+    status: 'pending',
+    expiresAt: new Date(),
+    ...overrides,
+  } as Invitation;
+}
+
+const activeMember = makeMember({ id: 'mem_1', role: 'employee', isActive: true, deactivated: false });
+const deactivatedMember = makeMember({ id: 'mem_2', role: 'admin', isActive: false, deactivated: true });
+const inactiveMember = makeMember({ id: 'mem_3', role: 'employee', isActive: false, deactivated: false });
+const pendingInvite = makeInvitation({ id: 'inv_1', email: 'pending@test.com', role: 'employee' });
+
+describe('buildDisplayItems', () => {
+  it('should mark active members as active', () => {
+    const items = buildDisplayItems({ members: [activeMember], pendingInvitations: [] });
+
+    expect(items).toHaveLength(1);
+    expect(items[0].displayStatus).toBe('active');
+    expect(items[0].type).toBe('member');
+    expect(items[0].isDeactivated).toBe(false);
+  });
+
+  it('should mark deactivated members as deactivated', () => {
+    const items = buildDisplayItems({ members: [deactivatedMember], pendingInvitations: [] });
+
+    expect(items).toHaveLength(1);
+    expect(items[0].displayStatus).toBe('deactivated');
+    expect(items[0].isDeactivated).toBe(true);
+  });
+
+  it('should mark inactive (isActive=false) members as deactivated', () => {
+    const items = buildDisplayItems({ members: [inactiveMember], pendingInvitations: [] });
+
+    expect(items).toHaveLength(1);
+    expect(items[0].displayStatus).toBe('deactivated');
+    expect(items[0].isDeactivated).toBe(true);
+  });
+
+  it('should mark pending invitations as pending', () => {
+    const items = buildDisplayItems({ members: [], pendingInvitations: [pendingInvite] });
+
+    expect(items).toHaveLength(1);
+    expect(items[0].displayStatus).toBe('pending');
+    expect(items[0].type).toBe('invitation');
+  });
+
+  it('should parse roles from comma-separated string', () => {
+    const multiRoleMember = makeMember({ id: 'mem_multi', role: 'admin,employee' });
+    const items = buildDisplayItems({ members: [multiRoleMember], pendingInvitations: [] });
+
+    expect(items[0].processedRoles).toEqual(['admin', 'employee']);
+  });
+});
+
+describe('filterDisplayItems', () => {
+  let allItems: DisplayItem[];
+
+  const buildAll = () =>
+    buildDisplayItems({
+      members: [activeMember, deactivatedMember, inactiveMember],
+      pendingInvitations: [pendingInvite],
+    });
+
+  beforeEach(() => {
+    allItems = buildAll();
+  });
+
+  describe('status filter', () => {
+    it('should hide deactivated members by default (no status filter)', () => {
+      const result = filterDisplayItems({
+        items: allItems,
+        searchQuery: '',
+        roleFilter: '',
+        statusFilter: '',
+      });
+
+      expect(result.some((i) => i.displayStatus === 'deactivated')).toBe(false);
+      expect(result.some((i) => i.displayStatus === 'active')).toBe(true);
+      expect(result.some((i) => i.displayStatus === 'pending')).toBe(true);
+    });
+
+    it('should show only active members when status is "active"', () => {
+      const result = filterDisplayItems({
+        items: allItems,
+        searchQuery: '',
+        roleFilter: '',
+        statusFilter: 'active',
+      });
+
+      expect(result.every((i) => i.displayStatus === 'active')).toBe(true);
+      expect(result.length).toBeGreaterThan(0);
+    });
+
+    it('should show only deactivated members when status is "deactivated"', () => {
+      const result = filterDisplayItems({
+        items: allItems,
+        searchQuery: '',
+        roleFilter: '',
+        statusFilter: 'deactivated',
+      });
+
+      expect(result.every((i) => i.displayStatus === 'deactivated')).toBe(true);
+      // Both deactivatedMember and inactiveMember should appear
+      expect(result).toHaveLength(2);
+    });
+
+    it('should show only pending invitations when status is "pending"', () => {
+      const result = filterDisplayItems({
+        items: allItems,
+        searchQuery: '',
+        roleFilter: '',
+        statusFilter: 'pending',
+      });
+
+      expect(result.every((i) => i.displayStatus === 'pending')).toBe(true);
+      expect(result).toHaveLength(1);
+    });
+
+    it('should show everything when status is "all"', () => {
+      const result = filterDisplayItems({
+        items: allItems,
+        searchQuery: '',
+        roleFilter: '',
+        statusFilter: 'all',
+      });
+
+      expect(result).toHaveLength(allItems.length);
+    });
+  });
+
+  describe('search filter', () => {
+    it('should filter by name', () => {
+      const result = filterDisplayItems({
+        items: allItems,
+        searchQuery: 'User mem_1',
+        roleFilter: '',
+        statusFilter: 'all',
+      });
+
+      expect(result).toHaveLength(1);
+      expect(result[0].displayId).toBe('mem_1');
+    });
+
+    it('should filter by email', () => {
+      const result = filterDisplayItems({
+        items: allItems,
+        searchQuery: 'pending@test.com',
+        roleFilter: '',
+        statusFilter: 'all',
+      });
+
+      expect(result).toHaveLength(1);
+      expect(result[0].displayId).toBe('inv_1');
+    });
+
+    it('should be case-insensitive', () => {
+      const result = filterDisplayItems({
+        items: allItems,
+        searchQuery: 'USER MEM_1',
+        roleFilter: '',
+        statusFilter: 'all',
+      });
+
+      expect(result).toHaveLength(1);
+    });
+  });
+
+  describe('role filter', () => {
+    it('should filter by role', () => {
+      const result = filterDisplayItems({
+        items: allItems,
+        searchQuery: '',
+        roleFilter: 'admin',
+        statusFilter: 'all',
+      });
+
+      expect(result.every((i) => i.processedRoles.includes('admin'))).toBe(true);
+    });
+
+    it('should show all when no role filter set', () => {
+      const result = filterDisplayItems({
+        items: allItems,
+        searchQuery: '',
+        roleFilter: '',
+        statusFilter: 'all',
+      });
+
+      expect(result).toHaveLength(allItems.length);
+    });
+  });
+
+  describe('combined filters', () => {
+    it('should apply search and status filters together', () => {
+      const result = filterDisplayItems({
+        items: allItems,
+        searchQuery: 'user-mem',
+        roleFilter: '',
+        statusFilter: 'deactivated',
+      });
+
+      // Only deactivated members whose name or email contains "user-mem"
+      expect(result.every((i) => i.displayStatus === 'deactivated')).toBe(true);
+      expect(result.length).toBeGreaterThan(0);
+    });
+
+    it('should return empty when no items match all filters', () => {
+      const result = filterDisplayItems({
+        items: allItems,
+        searchQuery: 'nonexistent',
+        roleFilter: 'owner',
+        statusFilter: 'pending',
+      });
+
+      expect(result).toHaveLength(0);
+    });
+  });
+});
diff --git a/apps/app/src/app/(app)/[orgId]/people/all/components/filter-members.ts b/apps/app/src/app/(app)/[orgId]/people/all/components/filter-members.ts
new file mode 100644
index 0000000000..0ed79226b6
--- /dev/null
+++ b/apps/app/src/app/(app)/[orgId]/people/all/components/filter-members.ts
@@ -0,0 +1,89 @@
+import { parseRolesString } from '@/lib/permissions';
+import type { Invitation } from '@db';
+import type { MemberWithUser } from './TeamMembers';
+
+export interface DisplayItem extends Partial<MemberWithUser>, Partial<Invitation> {
+  type: 'member' | 'invitation';
+  displayName: string;
+  displayEmail: string;
+  displayRole: string | string[];
+  displayStatus: 'active' | 'pending' | 'deactivated';
+  displayId: string;
+  processedRoles: string[];
+  isDeactivated?: boolean;
+}
+
+export function buildDisplayItems({
+  members,
+  pendingInvitations,
+}: {
+  members: MemberWithUser[];
+  pendingInvitations: Invitation[];
+}): DisplayItem[] {
+  return [
+    ...members.map((member) => {
+      const roles = parseRolesString(member.role);
+      const isInactive = member.deactivated || !member.isActive;
+
+      return {
+        ...member,
+        type: 'member' as const,
+        displayName: member.user.name || member.user.email || '',
+        displayEmail: member.user.email || '',
+        displayRole: member.role,
+        displayStatus: isInactive ? ('deactivated' as const) : ('active' as const),
+        displayId: member.id,
+        processedRoles: roles,
+        isDeactivated: isInactive,
+      };
+    }),
+    ...pendingInvitations.map((invitation) => {
+      const roles = parseRolesString(invitation.role);
+
+      return {
+        ...invitation,
+        type: 'invitation' as const,
+        displayName: invitation.email.split('@')[0],
+        displayEmail: invitation.email,
+        displayRole: invitation.role,
+        displayStatus: 'pending' as const,
+        displayId: invitation.id,
+        processedRoles: roles,
+      };
+    }),
+  ];
+}
+
+export function filterDisplayItems({
+  items,
+  searchQuery,
+  roleFilter,
+  statusFilter,
+}: {
+  items: DisplayItem[];
+  searchQuery: string;
+  roleFilter: string;
+  statusFilter: string;
+}): DisplayItem[] {
+  return items.filter((item) => {
+    const matchesSearch =
+      item.displayName.toLowerCase().includes(searchQuery.toLowerCase()) ||
+      item.displayEmail.toLowerCase().includes(searchQuery.toLowerCase());
+
+    const matchesRole = !roleFilter || item.processedRoles.includes(roleFilter);
+
+    // Status filter: by default (no filter), hide deactivated members
+    // 'active' explicitly shows only active members
+    // 'deactivated' shows only deactivated members
+    // 'pending' shows only pending invitations
+    // 'all' shows everything
+    const matchesStatus =
+      statusFilter === 'all' ||
+      (statusFilter === 'deactivated' && item.displayStatus === 'deactivated') ||
+      (statusFilter === 'pending' && item.displayStatus === 'pending') ||
+      (!statusFilter && item.displayStatus !== 'deactivated') ||
+      (statusFilter === 'active' && item.displayStatus === 'active');
+
+    return matchesSearch && matchesRole && matchesStatus;
+  });
+}
diff --git a/apps/app/src/app/(app)/[orgId]/people/dashboard/components/EmployeeCompletionChart.tsx b/apps/app/src/app/(app)/[orgId]/people/dashboard/components/EmployeeCompletionChart.tsx
index 051c3dfd23..3ddc0bf2e0 100644
--- a/apps/app/src/app/(app)/[orgId]/people/dashboard/components/EmployeeCompletionChart.tsx
+++ b/apps/app/src/app/(app)/[orgId]/people/dashboard/components/EmployeeCompletionChart.tsx
@@ -22,6 +22,8 @@ interface EmployeeCompletionChartProps {
   })[];
   showAll?: boolean;
   securityTrainingStepEnabled?: boolean;
+  hasHipaaFramework?: boolean;
+  hipaaCompletions?: EmployeeTrainingVideoCompletion[];
 }
 
 // Define colors for the chart using semantic tokens
@@ -37,6 +39,7 @@ interface EmployeeTaskStats {
   totalTasks: number;
   policiesCompleted: number;
   trainingsCompleted: number;
+  hipaaCompleted: boolean;
   policiesTotal: number;
   trainingsTotal: number;
   policyPercentage: number;
@@ -50,6 +53,8 @@ export function EmployeeCompletionChart({
   trainingVideos,
   showAll = false,
   securityTrainingStepEnabled = true,
+  hasHipaaFramework = false,
+  hipaaCompletions = [],
 }: EmployeeCompletionChartProps) {
   const params = useParams();
   const orgId = params.orgId as string;
@@ -92,9 +97,16 @@ export function EmployeeCompletionChart({
           : 0;
       }
 
-      // Calculate total completion percentage
-      const totalItems = policies.length + trainingVideosTotal;
-      const totalCompletedItems = policiesCompletedCount + trainingsCompletedCount;
+      const hipaaComplete = hasHipaaFramework
+        ? hipaaCompletions.some(
+            (c) => c.memberId === employee.id && c.completedAt !== null,
+          )
+        : false;
+      const hipaaCount = hasHipaaFramework ? 1 : 0;
+
+      const totalItems = policies.length + trainingVideosTotal + hipaaCount;
+      const totalCompletedItems =
+        policiesCompletedCount + trainingsCompletedCount + (hipaaComplete ? 1 : 0);
 
       const overallPercentage = totalItems
         ? Math.round((totalCompletedItems / totalItems) * 100)
@@ -107,6 +119,7 @@ export function EmployeeCompletionChart({
         totalTasks: totalItems,
         policiesCompleted: policiesCompletedCount,
         trainingsCompleted: trainingsCompletedCount,
+        hipaaCompleted: hipaaComplete,
         policiesTotal: policies.length,
         trainingsTotal: trainingVideosTotal,
         policyPercentage: policyCompletionPercentage,
@@ -114,7 +127,7 @@ export function EmployeeCompletionChart({
         overallPercentage,
       };
     });
-  }, [employees, policies, trainingVideos, securityTrainingStepEnabled]);
+  }, [employees, policies, trainingVideos, securityTrainingStepEnabled, hasHipaaFramework, hipaaCompletions]);
 
   // Filter employees based on search term
   const filteredStats = React.useMemo(() => {
@@ -263,6 +276,12 @@ export function EmployeeCompletionChart({
                           • {stat.trainingsCompleted}/{stat.trainingsTotal} training
                         </>
                       )}
+                      {hasHipaaFramework && (
+                        <>
+                          {' '}
+                          • HIPAA {stat.hipaaCompleted ? 'done' : 'pending'}
+                        </>
+                      )}
                     </div>
                   </div>
 
diff --git a/apps/app/src/app/(app)/[orgId]/people/dashboard/components/EmployeesOverview.tsx b/apps/app/src/app/(app)/[orgId]/people/dashboard/components/EmployeesOverview.tsx
index 6149af8ecd..61f128c55f 100644
--- a/apps/app/src/app/(app)/[orgId]/people/dashboard/components/EmployeesOverview.tsx
+++ b/apps/app/src/app/(app)/[orgId]/people/dashboard/components/EmployeesOverview.tsx
@@ -1,7 +1,8 @@
 import { filterComplianceMembers } from '@/lib/compliance';
 import { trainingVideos as trainingVideosData } from '@/lib/data/training-videos';
+import { HIPAA_TRAINING_ID } from '@/lib/data/hipaa-training-content';
 import { auth } from '@/utils/auth';
-import type { Member, Organization, Policy, User } from '@db';
+import type { EmployeeTrainingVideoCompletion, Member, Organization, Policy, User } from '@db';
 import { db } from '@db/server';
 import { headers } from 'next/headers';
 import { EmployeeCompletionChart } from './EmployeeCompletionChart';
@@ -37,11 +38,19 @@ export async function EmployeesOverview() {
   let policies: Policy[] = [];
   const processedTrainingVideos: ProcessedTrainingVideo[] = [];
   let organization: Organization | null = null;
+  let hasHipaaFramework = false;
+  let hipaaCompletions: EmployeeTrainingVideoCompletion[] = [];
 
   if (organizationId) {
-    organization = await db.organization.findUnique({
-      where: { id: organizationId },
-    });
+    const [org, hipaaInstance] = await Promise.all([
+      db.organization.findUnique({ where: { id: organizationId } }),
+      db.frameworkInstance.findFirst({
+        where: { organizationId, framework: { name: 'HIPAA' } },
+        select: { id: true },
+      }),
+    ]);
+    organization = org;
+    hasHipaaFramework = !!hipaaInstance;
 
     // Fetch employees
     const fetchedMembers = await db.member.findMany({
@@ -67,7 +76,6 @@ export async function EmployeesOverview() {
       },
     });
 
-    // Fetch and process training videos if employees exist and training step is enabled
     if (employees.length > 0 && organization?.securityTrainingStepEnabled !== false) {
       const employeeTrainingVideos = await db.employeeTrainingVideoCompletion.findMany({
         where: {
@@ -83,7 +91,6 @@ export async function EmployeesOverview() {
         );
 
         if (videoMetadata) {
-          // Push the object matching the updated ProcessedTrainingVideo interface
           processedTrainingVideos.push({
             id: dbVideo.id,
             memberId: dbVideo.memberId,
@@ -94,6 +101,15 @@ export async function EmployeesOverview() {
         }
       }
     }
+
+    if (employees.length > 0 && hasHipaaFramework) {
+      hipaaCompletions = await db.employeeTrainingVideoCompletion.findMany({
+        where: {
+          memberId: { in: employees.map((e) => e.id) },
+          videoId: HIPAA_TRAINING_ID,
+        },
+      });
+    }
   }
 
   return (
@@ -104,6 +120,8 @@ export async function EmployeesOverview() {
         trainingVideos={processedTrainingVideos as any}
         showAll={true}
         securityTrainingStepEnabled={organization?.securityTrainingStepEnabled ?? true}
+        hasHipaaFramework={hasHipaaFramework}
+        hipaaCompletions={hipaaCompletions}
       />
     </div>
   );
diff --git a/apps/app/src/app/(app)/[orgId]/people/devices/data/index.ts b/apps/app/src/app/(app)/[orgId]/people/devices/data/index.ts
index 3bb1db1aa7..b14004a382 100644
--- a/apps/app/src/app/(app)/[orgId]/people/devices/data/index.ts
+++ b/apps/app/src/app/(app)/[orgId]/people/devices/data/index.ts
@@ -24,7 +24,17 @@ export const getEmployeeDevicesFromDB: () => Promise<DeviceWithChecks[]> = async
   }
 
   const devices = await db.device.findMany({
-    where: { organizationId },
+    where: {
+      organizationId,
+      // Exclude devices for users whose User.role is platform admin (not org Member.role).
+      NOT: {
+        member: {
+          user: {
+            role: 'admin',
+          },
+        },
+      },
+    },
     include: {
       member: {
         include: {
@@ -65,7 +75,7 @@ export const getEmployeeDevicesFromDB: () => Promise<DeviceWithChecks[]> = async
 
 /**
  * Fetches Fleet (legacy) devices for the current organization.
- * Returns Host[] exactly as main branch — untouched Fleet logic.
+ * Excludes members whose User.role is platform admin (same as getEmployeeDevicesFromDB).
  */
 export const getFleetHosts: () => Promise<Host[] | null> = async () => {
   const session = await auth.api.getSession({
@@ -80,11 +90,16 @@ export const getFleetHosts: () => Promise<Host[] | null> = async () => {
     return null;
   }
 
-  // Find all members belonging to the organization.
+  // Members with Fleet labels (exclude platform admins — same filter as device-agent path).
   const employees = await db.member.findMany({
     where: {
       organizationId,
       deactivated: false,
+      NOT: {
+        user: {
+          role: 'admin',
+        },
+      },
     },
     include: {
       user: true,
diff --git a/apps/app/src/app/(app)/[orgId]/tasks/components/TaskList.test.tsx b/apps/app/src/app/(app)/[orgId]/tasks/components/TaskList.test.tsx
new file mode 100644
index 0000000000..e061d10903
--- /dev/null
+++ b/apps/app/src/app/(app)/[orgId]/tasks/components/TaskList.test.tsx
@@ -0,0 +1,220 @@
+import { render, screen } from '@testing-library/react';
+import userEvent from '@testing-library/user-event';
+import { beforeEach, describe, expect, it, vi } from 'vitest';
+
+// Track automation status filter state for assertions
+let automationStatusValue: string | null = null;
+const mockSetAutomationStatus = vi.fn((val: string | null) => {
+  automationStatusValue = val;
+});
+
+// Mock nuqs
+vi.mock('nuqs', () => ({
+  useQueryState: (key: string) => {
+    if (key === 'automationStatus') return [automationStatusValue, mockSetAutomationStatus];
+    return [null, vi.fn()];
+  },
+}));
+
+// Mock next/navigation
+vi.mock('next/navigation', () => ({
+  useParams: () => ({ orgId: 'org_123' }),
+}));
+
+// Mock child components
+vi.mock('./ModernTaskList', () => ({
+  ModernTaskList: ({ tasks }: { tasks: { id: string }[] }) => (
+    <div data-testid="modern-task-list">
+      {tasks.map((t) => (
+        <div key={t.id} data-testid={`task-${t.id}`} />
+      ))}
+    </div>
+  ),
+}));
+
+vi.mock('./TasksByCategory', () => ({
+  TasksByCategory: ({ tasks }: { tasks: { id: string }[] }) => (
+    <div data-testid="tasks-by-category">
+      {tasks.map((t) => (
+        <div key={t.id} data-testid={`cat-task-${t.id}`} />
+      ))}
+    </div>
+  ),
+}));
+
+// Mock lucide-react icons
+vi.mock('lucide-react', () => ({
+  Check: () => <span />,
+  Circle: () => <span />,
+  FolderTree: () => <span />,
+  List: () => <span />,
+  Search: () => <span />,
+  XCircle: () => <span />,
+}));
+
+// Mock design-system components
+vi.mock('@trycompai/design-system', () => ({
+  Avatar: ({ children }: { children: React.ReactNode }) => <div>{children}</div>,
+  AvatarFallback: ({ children }: { children: React.ReactNode }) => <span>{children}</span>,
+  AvatarImage: () => <img />,
+  HStack: ({ children }: { children: React.ReactNode }) => <div>{children}</div>,
+  InputGroup: ({ children }: { children: React.ReactNode }) => <div>{children}</div>,
+  InputGroupAddon: ({ children }: { children: React.ReactNode }) => <div>{children}</div>,
+  InputGroupInput: (props: Record<string, unknown>) => <input {...props} />,
+  Select: ({
+    children,
+    value,
+    onValueChange,
+  }: {
+    children: React.ReactNode;
+    value: string;
+    onValueChange: (v: string) => void;
+  }) => (
+    <div data-testid={`select-${value}`}>
+      {children}
+      <select
+        value={value}
+        onChange={(e) => onValueChange(e.target.value)}
+        data-testid={`select-native-${value}`}
+      >
+        {/* Placeholder so the native select works */}
+      </select>
+    </div>
+  ),
+  SelectContent: ({ children }: { children: React.ReactNode }) => <div>{children}</div>,
+  SelectItem: ({
+    children,
+    value,
+  }: {
+    children: React.ReactNode;
+    value: string;
+  }) => (
+    <option value={value} data-testid={`select-item-${value}`}>
+      {children}
+    </option>
+  ),
+  SelectTrigger: ({
+    children,
+  }: {
+    children: React.ReactNode;
+    size?: string;
+    disabled?: boolean;
+  }) => <div>{children}</div>,
+  SelectValue: ({
+    children,
+  }: {
+    children: React.ReactNode;
+    placeholder?: string;
+  }) => <div>{children}</div>,
+  Separator: () => <hr />,
+  Stack: ({ children }: { children: React.ReactNode }) => <div>{children}</div>,
+  Tabs: ({
+    children,
+  }: {
+    children: React.ReactNode;
+    value?: string;
+    onValueChange?: (v: string) => void;
+  }) => <div>{children}</div>,
+  TabsContent: ({ children }: { children: React.ReactNode; value?: string }) => (
+    <div>{children}</div>
+  ),
+  TabsList: ({ children }: { children: React.ReactNode; variant?: string }) => (
+    <div>{children}</div>
+  ),
+  TabsTrigger: ({ children }: { children: React.ReactNode; value?: string }) => (
+    <div>{children}</div>
+  ),
+  Text: ({ children }: { children: React.ReactNode }) => <span>{children}</span>,
+}));
+
+import { TaskList } from './TaskList';
+
+const baseMockTask = {
+  description: 'Test',
+  status: 'todo' as const,
+  frequency: null,
+  department: null,
+  assigneeId: null,
+  organizationId: 'org_123',
+  createdAt: new Date(),
+  updatedAt: new Date(),
+  order: 0,
+  taskTemplateId: null,
+  reviewDate: null,
+  approvalStatus: null,
+  approverId: null,
+  approvedAt: null,
+  approvalComment: null,
+  controls: [] as { id: string; name: string }[],
+};
+
+const automatedTask = {
+  ...baseMockTask,
+  id: 'task_auto_1',
+  title: 'Automated Task',
+  automationStatus: 'AUTOMATED' as const,
+};
+
+const manualTask = {
+  ...baseMockTask,
+  id: 'task_manual_1',
+  title: 'Manual Task',
+  automationStatus: 'MANUAL' as const,
+};
+
+const defaultProps = {
+  tasks: [automatedTask, manualTask],
+  members: [],
+  frameworkInstances: [],
+  activeTab: 'list' as const,
+  evidenceApprovalEnabled: false,
+};
+
+describe('TaskList automation status filter', () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+    automationStatusValue = null;
+  });
+
+  it('renders the automation status filter dropdown', () => {
+    render(<TaskList {...defaultProps} />);
+    expect(screen.getAllByText('All types').length).toBeGreaterThan(0);
+  });
+
+  it('shows all tasks when no automation status filter is active', () => {
+    render(<TaskList {...defaultProps} />);
+    expect(screen.getByTestId('task-task_auto_1')).toBeInTheDocument();
+    expect(screen.getByTestId('task-task_manual_1')).toBeInTheDocument();
+  });
+
+  it('shows only automated tasks when AUTOMATED filter is active', () => {
+    automationStatusValue = 'AUTOMATED';
+    render(<TaskList {...defaultProps} />);
+    expect(screen.getByTestId('task-task_auto_1')).toBeInTheDocument();
+    expect(screen.queryByTestId('task-task_manual_1')).not.toBeInTheDocument();
+  });
+
+  it('shows only manual tasks when MANUAL filter is active', () => {
+    automationStatusValue = 'MANUAL';
+    render(<TaskList {...defaultProps} />);
+    expect(screen.queryByTestId('task-task_auto_1')).not.toBeInTheDocument();
+    expect(screen.getByTestId('task-task_manual_1')).toBeInTheDocument();
+  });
+
+  it('displays result count when automation status filter is active', () => {
+    automationStatusValue = 'AUTOMATED';
+    render(<TaskList {...defaultProps} />);
+    expect(screen.getByText('1 result')).toBeInTheDocument();
+  });
+
+  it('renders Automated and Manual options in the dropdown', () => {
+    render(<TaskList {...defaultProps} />);
+    expect(screen.getAllByTestId('select-item-AUTOMATED')).toHaveLength(1);
+    expect(screen.getAllByTestId('select-item-MANUAL')).toHaveLength(1);
+  });
+
+  it('renders All types text in the dropdown', () => {
+    render(<TaskList {...defaultProps} />);
+    expect(screen.getAllByText('All types').length).toBeGreaterThan(0);
+  });
+});
diff --git a/apps/app/src/app/(app)/[orgId]/tasks/components/TaskList.tsx b/apps/app/src/app/(app)/[orgId]/tasks/components/TaskList.tsx
index a19a9c558f..c49e6556ca 100644
--- a/apps/app/src/app/(app)/[orgId]/tasks/components/TaskList.tsx
+++ b/apps/app/src/app/(app)/[orgId]/tasks/components/TaskList.tsx
@@ -79,6 +79,8 @@ export function TaskList({
   const [statusFilter, setStatusFilter] = useQueryState('status');
   const [assigneeFilter, setAssigneeFilter] = useQueryState('assignee');
   const [frameworkFilter, setFrameworkFilter] = useQueryState('framework');
+  const [automationStatusFilter, setAutomationStatusFilter] =
+    useQueryState('automationStatus');
   const [currentTab, setCurrentTab] = useState<'categories' | 'list'>(activeTab);
 
   // Sync activeTab prop with state when it changes
@@ -154,7 +156,16 @@ export function TaskList({
         return task.controls.some((c) => fwControlIds.has(c.id));
       })();
 
-    return matchesSearch && matchesStatus && matchesAssignee && matchesFramework;
+    const matchesAutomationStatus =
+      !automationStatusFilter || task.automationStatus === automationStatusFilter;
+
+    return (
+      matchesSearch &&
+      matchesStatus &&
+      matchesAssignee &&
+      matchesFramework &&
+      matchesAutomationStatus
+    );
   });
 
   // Calculate overall stats from all tasks (not filtered)
@@ -719,9 +730,37 @@ export function TaskList({
                     ))}
                   </SelectContent>
                 </Select>
+
+                <Select
+                  value={automationStatusFilter || 'all'}
+                  onValueChange={(value) =>
+                    setAutomationStatusFilter(value === 'all' ? null : value)
+                  }
+                >
+                  <SelectTrigger size="sm">
+                    <SelectValue placeholder="All types">
+                      {!automationStatusFilter
+                        ? 'All types'
+                        : automationStatusFilter === 'AUTOMATED'
+                          ? 'Automated'
+                          : 'Manual'}
+                    </SelectValue>
+                  </SelectTrigger>
+                  <SelectContent>
+                    <SelectItem value="all">
+                      <span className="text-xs">All types</span>
+                    </SelectItem>
+                    <SelectItem value="AUTOMATED">
+                      <span className="text-xs">Automated</span>
+                    </SelectItem>
+                    <SelectItem value="MANUAL">
+                      <span className="text-xs">Manual</span>
+                    </SelectItem>
+                  </SelectContent>
+                </Select>
               </div>
               {/* Result Count */}
-              {(searchQuery || statusFilter || assigneeFilter || frameworkFilter) && (
+              {(searchQuery || statusFilter || assigneeFilter || frameworkFilter || automationStatusFilter) && (
                 <div className="text-muted-foreground text-xs tabular-nums whitespace-nowrap lg:ml-auto">
                   {filteredTasks.length} {filteredTasks.length === 1 ? 'result' : 'results'}
                 </div>
diff --git a/apps/app/src/app/(app)/admin/layout.tsx b/apps/app/src/app/(app)/admin/layout.tsx
index 7ede9b9836..345002718d 100644
--- a/apps/app/src/app/(app)/admin/layout.tsx
+++ b/apps/app/src/app/(app)/admin/layout.tsx
@@ -21,10 +21,12 @@ export default async function AdminLayout({ children }: { children: React.ReactN
   }
 
   const meRes = await serverApi.get<AuthMeResponse>('/v1/auth/me');
-  const firstOrgId = meRes.data?.organizations?.[0]?.id;
+  const orgs = meRes.data?.organizations ?? [];
+  const activeOrgId = session.session.activeOrganizationId;
+  const targetOrg = orgs.find((o) => o.id === activeOrgId) ?? orgs[0];
 
-  if (firstOrgId) {
-    redirect(`/${firstOrgId}/admin`);
+  if (targetOrg) {
+    redirect(`/${targetOrg.id}/admin`);
   }
 
   redirect('/');
diff --git a/apps/app/src/app/(app)/setup/layout.tsx b/apps/app/src/app/(app)/setup/layout.tsx
index 6844f2b3a3..1c5a1089b0 100644
--- a/apps/app/src/app/(app)/setup/layout.tsx
+++ b/apps/app/src/app/(app)/setup/layout.tsx
@@ -21,8 +21,8 @@ export default async function SetupLayout({ children }: { children: React.ReactN
     const meRes = await serverApi.get<AuthMeResponse>('/v1/auth/me');
     const orgs = meRes.data?.organizations ?? [];
 
-    // Find the most recently relevant org (API returns them, pick first)
-    const userOrg = orgs[0];
+    const activeOrgId = session.session.activeOrganizationId;
+    const userOrg = orgs.find((o) => o.id === activeOrgId) ?? orgs[0];
     if (userOrg) {
       if (userOrg.onboardingCompleted === false) {
         return redirect(`/onboarding/${userOrg.id}`);
diff --git a/apps/app/src/app/(app)/setup/lib/constants.ts b/apps/app/src/app/(app)/setup/lib/constants.ts
index 4872027e67..42fd27b7ea 100644
--- a/apps/app/src/app/(app)/setup/lib/constants.ts
+++ b/apps/app/src/app/(app)/setup/lib/constants.ts
@@ -115,6 +115,12 @@ export const steps: Step[] = [
     placeholder: 'e.g., Google Workspace',
     options: ['Google Workspace', 'Microsoft 365', 'Okta', 'Auth0', 'Email/Password', 'Other'],
   },
+  {
+    key: 'infrastructure',
+    question: 'Where do you host your applications and data?',
+    placeholder: 'e.g., AWS',
+    options: ['AWS', 'Google Cloud', 'Microsoft Azure', 'Heroku', 'Vercel', 'Other'],
+  },
   {
     key: 'software',
     question: 'What software do you use?',
@@ -128,12 +134,6 @@ export const steps: Step[] = [
     placeholder: 'e.g., Remote',
     options: ['Fully remote', 'Hybrid (office + remote)', 'Office-based'],
   },
-  {
-    key: 'infrastructure',
-    question: 'Where do you host your applications and data?',
-    placeholder: 'e.g., AWS',
-    options: ['AWS', 'Google Cloud', 'Microsoft Azure', 'Heroku', 'Vercel', 'Other'],
-  },
   {
     key: 'dataTypes',
     question: 'What types of data do you handle?',
diff --git a/apps/app/src/app/page.tsx b/apps/app/src/app/page.tsx
index c738987486..d2124d7f40 100644
--- a/apps/app/src/app/page.tsx
+++ b/apps/app/src/app/page.tsx
@@ -62,10 +62,15 @@ export default async function RootPage({
     return redirect(await buildUrlWithParams('/setup'));
   }
 
+  // Always use the org the user last switched to (stored in session)
+  const activeOrgId = session.session.activeOrganizationId;
+  const activeOrg = activeOrgId
+    ? memberships.find((m) => m.id === activeOrgId)
+    : undefined;
   const readyOrg = memberships.find(
     (m) => m.onboardingCompleted && m.hasAccess,
   );
-  const targetOrg = readyOrg || memberships[0];
+  const targetOrg = activeOrg || readyOrg || memberships[0];
 
   if (!targetOrg.onboardingCompleted) {
     return redirect(await buildUrlWithParams(`/onboarding/${targetOrg.id}`));
diff --git a/apps/app/src/hooks/use-people-api.ts b/apps/app/src/hooks/use-people-api.ts
index 20980946dc..34b043836b 100644
--- a/apps/app/src/hooks/use-people-api.ts
+++ b/apps/app/src/hooks/use-people-api.ts
@@ -11,6 +11,7 @@ export interface PeopleResponseDto {
   createdAt: string; // ISO string from API
   department: string;
   isActive: boolean;
+  deactivated: boolean;
   fleetDmLabelId: number | null;
   user: {
     id: string;
diff --git a/apps/app/src/lib/data/hipaa-training-content.ts b/apps/app/src/lib/data/hipaa-training-content.ts
new file mode 100644
index 0000000000..e837a5b188
--- /dev/null
+++ b/apps/app/src/lib/data/hipaa-training-content.ts
@@ -0,0 +1 @@
+export const HIPAA_TRAINING_ID = 'hipaa-sat-1';
diff --git a/apps/app/src/trigger/tasks/onboarding/update-policies-helpers.ts b/apps/app/src/trigger/tasks/onboarding/update-policies-helpers.ts
index 31582ab537..899b02c074 100644
--- a/apps/app/src/trigger/tasks/onboarding/update-policies-helpers.ts
+++ b/apps/app/src/trigger/tasks/onboarding/update-policies-helpers.ts
@@ -561,8 +561,12 @@ export async function updatePolicyInDatabase(
 
     // Use transaction to ensure atomicity - if any step fails, all are rolled back
     await db.$transaction(async (tx) => {
-      // Delete all existing versions
+      // Clear version references first to avoid FK constraint issues during deletion
       if (policy.versions.length > 0) {
+        await tx.policy.update({
+          where: { id: policyId },
+          data: { currentVersionId: null, pendingVersionId: null },
+        });
         await tx.policyVersion.deleteMany({
           where: { policyId },
         });
diff --git a/apps/portal/src/app/(app)/(home)/[orgId]/components/EmployeeTasksList.tsx b/apps/portal/src/app/(app)/(home)/[orgId]/components/EmployeeTasksList.tsx
index 5734c9df2f..71bf4734a2 100644
--- a/apps/portal/src/app/(app)/(home)/[orgId]/components/EmployeeTasksList.tsx
+++ b/apps/portal/src/app/(app)/(home)/[orgId]/components/EmployeeTasksList.tsx
@@ -2,18 +2,22 @@
 
 import { trainingVideos } from '@/lib/data/training-videos';
 import { useTrainingCompletions } from '@/hooks/use-training-completions';
-import { evidenceFormDefinitionList } from '@trycompai/company';
 import type { Device, EmployeeTrainingVideoCompletion, Member, Policy, PolicyVersion } from '@db';
-import { Accordion, Button, Card, CardContent } from '@trycompai/design-system';
-import { CheckmarkFilled } from '@trycompai/design-system/icons';
+import { Accordion, Button } from '@trycompai/design-system';
 import Link from 'next/link';
 import useSWR from 'swr';
 import type { FleetPolicy, Host } from '../types';
+import { HIPAA_TRAINING_ID } from '@/lib/data/hipaa-training-content';
 import { DeviceAgentAccordionItem } from './tasks/DeviceAgentAccordionItem';
 import { GeneralTrainingAccordionItem } from './tasks/GeneralTrainingAccordionItem';
+import { HipaaTrainingAccordionItem } from './tasks/HipaaTrainingAccordionItem';
 import { PoliciesAccordionItem } from './tasks/PoliciesAccordionItem';
 
-const portalForms = evidenceFormDefinitionList.filter((f) => f.portalAccessible);
+interface PortalForm {
+  type: string;
+  title: string;
+  description: string;
+}
 
 type PolicyWithVersion = Policy & {
   currentVersion?: Pick<PolicyVersion, 'id' | 'content' | 'pdfUrl' | 'version'> | null;
@@ -26,11 +30,13 @@ interface EmployeeTasksListProps {
   member: Member;
   fleetPolicies: FleetPolicy[];
   host: Host | null;
-  agentDevice: Device | null;
+  agentDevices: Device[];
   deviceAgentStepEnabled: boolean;
   securityTrainingStepEnabled: boolean;
+  hasHipaaFramework: boolean;
   whistleblowerReportEnabled: boolean;
   accessRequestFormEnabled: boolean;
+  portalForms: PortalForm[];
 }
 
 export const EmployeeTasksList = ({
@@ -40,11 +46,13 @@ export const EmployeeTasksList = ({
   member,
   fleetPolicies,
   host,
-  agentDevice,
+  agentDevices,
   deviceAgentStepEnabled,
   securityTrainingStepEnabled,
+  hasHipaaFramework,
   whistleblowerReportEnabled,
   accessRequestFormEnabled,
+  portalForms,
 }: EmployeeTasksListProps) => {
   const { completions: trainingCompletions } = useTrainingCompletions({
     fallbackData: trainingVideoCompletions,
@@ -80,7 +88,7 @@ export const EmployeeTasksList = ({
       return res.json();
     },
     {
-      fallbackData: agentDevice ? { devices: [agentDevice] } : { devices: [] },
+      fallbackData: { devices: agentDevices },
       refreshInterval: 30_000,
       revalidateOnFocus: true,
       revalidateOnMount: true,
@@ -91,25 +99,24 @@ export const EmployeeTasksList = ({
     return null;
   }
 
-  // Pick the most recently checked-in device (matching page.tsx ordering: lastCheckIn desc, nulls last)
-  const currentAgentDevice =
-    agentDeviceResponse?.devices
-      ?.sort((a, b) => {
-        if (!a.lastCheckIn && !b.lastCheckIn) return 0;
-        if (!a.lastCheckIn) return 1;
-        if (!b.lastCheckIn) return -1;
-        return new Date(b.lastCheckIn).getTime() - new Date(a.lastCheckIn).getTime();
-      })[0] ?? null;
+  const sortedAgentDevices = [...(agentDeviceResponse?.devices ?? [])].sort(
+    (a, b) => {
+      if (!a.lastCheckIn && !b.lastCheckIn) return 0;
+      if (!a.lastCheckIn) return 1;
+      if (!b.lastCheckIn) return -1;
+      return new Date(b.lastCheckIn).getTime() - new Date(a.lastCheckIn).getTime();
+    },
+  );
 
   // Check completion status
   const hasAcceptedPolicies =
     policies.length === 0 || policies.every((p) => p.signedBy.includes(member.id));
 
   // Device agent takes priority over Fleet for completion
-  const hasAgentDevice = currentAgentDevice !== null;
+  const hasAnyAgentDevice = sortedAgentDevices.length > 0;
   const hasFleetDevice = response.device !== null;
-  const hasCompletedDeviceSetup = hasAgentDevice
-    ? currentAgentDevice.isCompliant
+  const hasCompletedDeviceSetup = hasAnyAgentDevice
+    ? sortedAgentDevices.some((d) => d.isCompliant)
     : hasFleetDevice &&
       (response.fleetPolicies.length === 0 ||
         response.fleetPolicies.every((policy) => policy.response === 'pass'));
@@ -128,10 +135,15 @@ export const EmployeeTasksList = ({
   const hasCompletedGeneralTraining =
     completedGeneralTrainingCount === generalTrainingVideoIds.length;
 
+  const hasCompletedHipaaTraining = trainingCompletions.some(
+    (c) => c.videoId === HIPAA_TRAINING_ID && c.completedAt !== null,
+  );
+
   const completedCount = [
     hasAcceptedPolicies,
     ...(deviceAgentStepEnabled ? [hasCompletedDeviceSetup] : []),
     ...(securityTrainingStepEnabled ? [hasCompletedGeneralTraining] : []),
+    ...(hasHipaaFramework ? [hasCompletedHipaaTraining] : []),
   ].filter(Boolean).length;
 
   const accordionItems = [
@@ -147,7 +159,7 @@ export const EmployeeTasksList = ({
               <DeviceAgentAccordionItem
                 member={member}
                 host={response.device}
-                agentDevice={currentAgentDevice}
+                agentDevices={sortedAgentDevices}
                 fleetPolicies={response.fleetPolicies}
                 isLoading={isValidating}
                 fetchFleetPolicies={fetchFleetPolicies}
@@ -166,6 +178,14 @@ export const EmployeeTasksList = ({
           },
         ]
       : []),
+    ...(hasHipaaFramework
+      ? [
+          {
+            title: 'Complete HIPAA security awareness training',
+            content: <HipaaTrainingAccordionItem />,
+          },
+        ]
+      : []),
   ];
   const visiblePortalForms = portalForms.filter((form) => {
     if (form.type === 'whistleblower-report') return whistleblowerReportEnabled;
@@ -173,48 +193,27 @@ export const EmployeeTasksList = ({
     return true;
   });
 
-  const allCompleted = completedCount === accordionItems.length;
-
   return (
     <div className="space-y-4">
-      {allCompleted ? (
-        <Card>
-          <CardContent>
-            <div className="flex flex-col items-center justify-center py-16 text-center">
-              <div className="text-primary mb-4">
-                <CheckmarkFilled size={48} />
-              </div>
-              <h2 className="text-xl font-semibold mb-2">You're all set!</h2>
-              <p className="text-muted-foreground text-sm max-w-md">
-                You've completed all required tasks. No further action is needed at this time.
-              </p>
-            </div>
-          </CardContent>
-        </Card>
-      ) : (
-        <>
-          {/* Progress indicator */}
-          <div>
-            <div className="text-muted-foreground text-sm">
-              {completedCount} of {accordionItems.length} tasks completed
-            </div>
-            <div className="w-full bg-muted rounded-full h-2.5">
-              <div
-                className="bg-primary h-full rounded-full"
-                style={{ width: `${(completedCount / accordionItems.length) * 100}%` }}
-              ></div>
-            </div>
-          </div>
+      <div>
+        <div className="text-muted-foreground text-sm">
+          {completedCount} of {accordionItems.length} tasks completed
+        </div>
+        <div className="w-full bg-muted rounded-full h-2.5">
+          <div
+            className="bg-primary h-full rounded-full"
+            style={{ width: `${(completedCount / accordionItems.length) * 100}%` }}
+          ></div>
+        </div>
+      </div>
 
-          <div className="space-y-3">
-            <Accordion>
-              {accordionItems.map((item, idx) => (
-                <div key={item.title ?? idx}>{item.content}</div>
-              ))}
-            </Accordion>
-          </div>
-        </>
-      )}
+      <div className="space-y-3">
+        <Accordion>
+          {accordionItems.map((item, idx) => (
+            <div key={item.title ?? idx}>{item.content}</div>
+          ))}
+        </Accordion>
+      </div>
 
       {/* Company forms */}
       {visiblePortalForms.length > 0 && (
diff --git a/apps/portal/src/app/(app)/(home)/[orgId]/components/OrganizationDashboard.tsx b/apps/portal/src/app/(app)/(home)/[orgId]/components/OrganizationDashboard.tsx
index b012692d86..a2a80a78e9 100644
--- a/apps/portal/src/app/(app)/(home)/[orgId]/components/OrganizationDashboard.tsx
+++ b/apps/portal/src/app/(app)/(home)/[orgId]/components/OrganizationDashboard.tsx
@@ -1,9 +1,14 @@
 import type { Device, Member, Organization, User } from '@db';
 import { db } from '@db/server';
+import { evidenceFormDefinitionList } from '@trycompai/company';
 import { NoAccessMessage } from '../../components/NoAccessMessage';
 import type { FleetPolicy, Host } from '../types';
 import { EmployeeTasksList } from './EmployeeTasksList';
 
+const portalForms = evidenceFormDefinitionList
+  .filter((f) => f.portalAccessible)
+  .map(({ type, title, description }) => ({ type, title, description }));
+
 // Define the type for the member prop passed from Overview
 interface MemberWithUserOrg extends Member {
   user: User;
@@ -15,7 +20,7 @@ interface OrganizationDashboardProps {
   member: MemberWithUserOrg;
   fleetPolicies: FleetPolicy[];
   host: Host | null;
-  agentDevice: Device | null;
+  agentDevices: Device[];
 }
 
 export async function OrganizationDashboard({
@@ -23,7 +28,7 @@ export async function OrganizationDashboard({
   member,
   fleetPolicies,
   host,
-  agentDevice,
+  agentDevices,
 }: OrganizationDashboardProps) {
   // Fetch policies specific to the selected organization
   const policies = await db.policy.findMany({
@@ -51,12 +56,18 @@ export async function OrganizationDashboard({
     },
   });
 
-  // Get Org first to verify it exists
-  const org = await db.organization.findUnique({
-    where: {
-      id: organizationId,
-    },
-  });
+  const [org, hipaaFramework] = await Promise.all([
+    db.organization.findUnique({
+      where: { id: organizationId },
+    }),
+    db.frameworkInstance.findFirst({
+      where: {
+        organizationId,
+        framework: { name: 'HIPAA' },
+      },
+      select: { id: true },
+    }),
+  ]);
 
   if (!org) {
     return <NoAccessMessage />;
@@ -70,11 +81,13 @@ export async function OrganizationDashboard({
       member={member}
       fleetPolicies={fleetPolicies}
       host={host}
-      agentDevice={agentDevice}
+      agentDevices={agentDevices}
       deviceAgentStepEnabled={org.deviceAgentStepEnabled}
       securityTrainingStepEnabled={org.securityTrainingStepEnabled}
       whistleblowerReportEnabled={org.whistleblowerReportEnabled}
       accessRequestFormEnabled={org.accessRequestFormEnabled}
+      hasHipaaFramework={!!hipaaFramework}
+      portalForms={portalForms}
     />
   );
 }
diff --git a/apps/portal/src/app/(app)/(home)/[orgId]/components/tasks/DeviceAgentAccordionItem.tsx b/apps/portal/src/app/(app)/(home)/[orgId]/components/tasks/DeviceAgentAccordionItem.tsx
index 6a89fecfe3..a7a7bf91ac 100644
--- a/apps/portal/src/app/(app)/(home)/[orgId]/components/tasks/DeviceAgentAccordionItem.tsx
+++ b/apps/portal/src/app/(app)/(home)/[orgId]/components/tasks/DeviceAgentAccordionItem.tsx
@@ -23,7 +23,6 @@ import {
   SelectContent,
   SelectItem,
   SelectTrigger,
-  SelectValue,
   Spinner,
 } from '@trycompai/design-system';
 import { CheckmarkFilled, CircleDash, Download, Renew } from '@trycompai/design-system/icons';
@@ -35,7 +34,7 @@ import { FleetPolicyItem } from './FleetPolicyItem';
 interface DeviceAgentAccordionItemProps {
   member: Member;
   host: Host | null;
-  agentDevice: Device | null;
+  agentDevices: Device[];
   isLoading: boolean;
   fleetPolicies?: FleetPolicy[];
   fetchFleetPolicies: () => void;
@@ -44,7 +43,7 @@ interface DeviceAgentAccordionItemProps {
 export function DeviceAgentAccordionItem({
   member,
   host,
-  agentDevice,
+  agentDevices,
   isLoading,
   fleetPolicies = [],
   fetchFleetPolicies,
@@ -58,16 +57,14 @@ export function DeviceAgentAccordionItem({
   );
 
   const hasFleetDevice = host !== null;
-  const hasAgentDevice = agentDevice !== null;
-  const hasInstalledAgent = hasFleetDevice || hasAgentDevice;
+  const hasAnyAgentDevice = agentDevices.length > 0;
   const failedPoliciesCount = useMemo(
     () => fleetPolicies.filter((policy) => policy.response !== 'pass').length,
     [fleetPolicies],
   );
 
-  // Device agent takes priority over Fleet
-  const isCompleted = hasAgentDevice
-    ? agentDevice.isCompliant
+  const isCompleted = hasAnyAgentDevice
+    ? agentDevices.some((d) => d.isCompliant)
     : hasFleetDevice
       ? failedPoliciesCount === 0
       : false;
@@ -176,7 +173,7 @@ export function DeviceAgentAccordionItem({
               <span className={cn('text-base', isCompleted && 'text-muted-foreground line-through')}>
                 Device Agent
               </span>
-              {!hasAgentDevice && hasFleetDevice && failedPoliciesCount > 0 && (
+              {!hasAnyAgentDevice && hasFleetDevice && failedPoliciesCount > 0 && (
                 <span className="text-amber-600 dark:text-amber-400 text-xs ml-auto">
                   {failedPoliciesCount} policies failing
                 </span>
@@ -191,86 +188,46 @@ export function DeviceAgentAccordionItem({
               device protected against security threats.
             </p>
 
-            {!hasInstalledAgent ? (
-              <div className="space-y-4">
-                <ol className="list-decimal space-y-4 pl-5 text-sm">
-                  <li>
-                    <strong>Download the Device Agent installer.</strong>
-                    <p className="mt-1">
-                      Click the download button below to get the Device Agent installer.
-                    </p>
-                    <div className="flex items-center gap-2 mt-2">
-                      {isMacOS && !hasInstalledAgent && (
-                        <div className="w-[136px]">
-                          <Select
-                            value={detectedOS || 'macos'}
-                            onValueChange={(value) => { if (value) setDetectedOS(value as SupportedOS); }}
-                          >
-                            <SelectTrigger>
-                              <SelectValue />
-                            </SelectTrigger>
-                            <SelectContent>
-                              <SelectItem value="macos">Apple Silicon</SelectItem>
-                              <SelectItem value="macos-intel">Intel</SelectItem>
-                            </SelectContent>
-                          </Select>
+            {agentDevices.length > 0 && (
+              <div className="space-y-3">
+                <p className="text-xs font-medium uppercase tracking-wider text-muted-foreground">
+                  Your Devices
+                </p>
+                {agentDevices.map((device) => (
+                  <Card key={device.id}>
+                    <CardHeader>
+                      <CardTitle>
+                        <span className="text-lg">{device.name}</span>
+                      </CardTitle>
+                    </CardHeader>
+                    <CardContent>
+                      <div className="space-y-3">
+                        <div className="flex items-center gap-2">
+                          {device.isCompliant ? (
+                            <div className="text-primary"><CheckmarkFilled size={16} /></div>
+                          ) : (
+                            <div className="text-amber-600 dark:text-amber-400"><CircleDash size={16} /></div>
+                          )}
+                          <span className="text-sm">
+                            {device.isCompliant
+                              ? 'All security checks passing'
+                              : 'Some security checks need attention'}
+                          </span>
                         </div>
-                      )}
-                      <Button onClick={handleDownload} disabled={isDownloading || hasInstalledAgent}>
-                        {getButtonContent()}
-                      </Button>
-                    </div>
-                  </li>
-                  <li>
-                    <strong>Install the Comp AI Device Agent</strong>
-                    <p className="mt-1">
-                      {isMacOS
-                        ? 'Double-click the downloaded DMG file and follow the installation instructions.'
-                        : detectedOS === 'linux'
-                          ? 'Install the downloaded DEB package using your package manager or by double-clicking it.'
-                          : 'Double-click the downloaded EXE file and follow the installation instructions.'}
-                    </p>
-                  </li>
-                  <li>
-                    <strong>Login with your work email</strong>
-                    <p className="mt-1">
-                      After installation, login with your work email, select your organization and
-                      then click &quot;Link Device&quot;.
-                    </p>
-                  </li>
-                </ol>
+                        <p className="text-muted-foreground text-xs">
+                          {device.platform} &middot; {device.osVersion}
+                          {device.lastCheckIn && (
+                            <> &middot; Last check-in: {new Date(device.lastCheckIn).toLocaleDateString()}</>
+                          )}
+                        </p>
+                      </div>
+                    </CardContent>
+                  </Card>
+                ))}
               </div>
-            ) : hasAgentDevice ? (
-              <Card>
-                <CardHeader>
-                  <CardTitle>
-                    <span className="text-lg">{agentDevice.name}</span>
-                  </CardTitle>
-                </CardHeader>
-                <CardContent>
-                  <div className="space-y-3">
-                    <div className="flex items-center gap-2">
-                      {agentDevice.isCompliant ? (
-                        <div className="text-primary"><CheckmarkFilled size={16} /></div>
-                      ) : (
-                        <div className="text-amber-600 dark:text-amber-400"><CircleDash size={16} /></div>
-                      )}
-                      <span className="text-sm">
-                        {agentDevice.isCompliant
-                          ? 'All security checks passing'
-                          : 'Some security checks need attention'}
-                      </span>
-                    </div>
-                    <p className="text-muted-foreground text-xs">
-                      {agentDevice.platform} &middot; {agentDevice.osVersion}
-                      {agentDevice.lastCheckIn && (
-                        <> &middot; Last check-in: {new Date(agentDevice.lastCheckIn).toLocaleDateString()}</>
-                      )}
-                    </p>
-                  </div>
-                </CardContent>
-              </Card>
-            ) : hasFleetDevice ? (
+            )}
+
+            {!hasAnyAgentDevice && hasFleetDevice && (
               <Card>
                 <CardHeader>
                   <div className="flex items-center gap-2">
@@ -308,7 +265,59 @@ export function DeviceAgentAccordionItem({
                   </div>
                 </CardContent>
               </Card>
-            ) : null}
+            )}
+
+            <div className="space-y-4">
+              <p className="text-xs font-medium uppercase tracking-wider text-muted-foreground">
+                {hasAnyAgentDevice ? 'Add Another Device' : 'Install on a Device'}
+              </p>
+              <ol className="list-decimal space-y-4 pl-5 text-sm">
+                <li>
+                  <strong>Download the Device Agent installer.</strong>
+                  <p className="mt-1">
+                    Click the download button below to get the Device Agent installer.
+                  </p>
+                  <div className="flex items-center gap-2 mt-2">
+                    {isMacOS && (
+                      <div className="w-[136px]">
+                        <Select
+                          value={detectedOS || 'macos'}
+                          onValueChange={(value) => { if (value) setDetectedOS(value as SupportedOS); }}
+                        >
+                          <SelectTrigger>
+                            <span>{detectedOS === 'macos-intel' ? 'Intel' : 'Apple Silicon'}</span>
+                          </SelectTrigger>
+                          <SelectContent>
+                            <SelectItem value="macos">Apple Silicon</SelectItem>
+                            <SelectItem value="macos-intel">Intel</SelectItem>
+                          </SelectContent>
+                        </Select>
+                      </div>
+                    )}
+                    <Button onClick={handleDownload} disabled={isDownloading}>
+                      {getButtonContent()}
+                    </Button>
+                  </div>
+                </li>
+                <li>
+                  <strong>Install the Comp AI Device Agent</strong>
+                  <p className="mt-1">
+                    {isMacOS
+                      ? 'Double-click the downloaded DMG file and follow the installation instructions.'
+                      : detectedOS === 'linux'
+                        ? 'Install the downloaded DEB package using your package manager or by double-clicking it.'
+                        : 'Double-click the downloaded EXE file and follow the installation instructions.'}
+                  </p>
+                </li>
+                <li>
+                  <strong>Login with your work email</strong>
+                  <p className="mt-1">
+                    After installation, login with your work email, select your organization and
+                    then click &quot;Link Device&quot;.
+                  </p>
+                </li>
+              </ol>
+            </div>
 
             <div className="mt-4 space-y-2">
               <Accordion>
diff --git a/apps/portal/src/app/(app)/(home)/[orgId]/components/tasks/HipaaTrainingAccordionItem.tsx b/apps/portal/src/app/(app)/(home)/[orgId]/components/tasks/HipaaTrainingAccordionItem.tsx
new file mode 100644
index 0000000000..bf175b64f6
--- /dev/null
+++ b/apps/portal/src/app/(app)/(home)/[orgId]/components/tasks/HipaaTrainingAccordionItem.tsx
@@ -0,0 +1,285 @@
+'use client';
+
+import {
+  HIPAA_TRAINING_ID,
+  hipaaAcknowledgements,
+  hipaaTrainingSections,
+} from '@/lib/data/hipaa-training-content';
+import { useTrainingCompletions } from '@/hooks/use-training-completions';
+import {
+  AccordionContent,
+  AccordionItem,
+  AccordionTrigger,
+  Button,
+  cn,
+} from '@trycompai/design-system';
+import { CheckmarkFilled, CircleDash } from '@trycompai/design-system/icons';
+import { useState } from 'react';
+
+export function HipaaTrainingAccordionItem() {
+  const { completions, markVideoComplete } = useTrainingCompletions();
+  const [isSubmitting, setIsSubmitting] = useState(false);
+  const [allChecked, setAllChecked] = useState(false);
+  const [checkedItems, setCheckedItems] = useState<Record<number, boolean>>({});
+
+  const hipaaCompletion = completions.find(
+    (c) => c.videoId === HIPAA_TRAINING_ID && c.completedAt !== null,
+  );
+  const isCompleted = !!hipaaCompletion;
+
+  const handleCheckChange = (index: number, checked: boolean) => {
+    const updated = { ...checkedItems, [index]: checked };
+    setCheckedItems(updated);
+    setAllChecked(
+      hipaaAcknowledgements.every((_, i) => updated[i] === true),
+    );
+  };
+
+  const handleAcknowledge = async () => {
+    if (!allChecked || isSubmitting) return;
+    setIsSubmitting(true);
+    try {
+      await markVideoComplete(HIPAA_TRAINING_ID);
+    } finally {
+      setIsSubmitting(false);
+    }
+  };
+
+  return (
+    <div className="border rounded-xs">
+      <AccordionItem value="hipaa-training">
+        <div className="px-4">
+          <AccordionTrigger>
+            <div className="flex items-center gap-3">
+              {isCompleted ? (
+                <div className="text-primary">
+                  <CheckmarkFilled size={20} />
+                </div>
+              ) : (
+                <div className="text-muted-foreground">
+                  <CircleDash size={20} />
+                </div>
+              )}
+              <span
+                className={cn(
+                  'text-base',
+                  isCompleted && 'text-muted-foreground line-through',
+                )}
+              >
+                HIPAA Security Awareness Training
+              </span>
+            </div>
+          </AccordionTrigger>
+        </div>
+        <AccordionContent>
+          <div className="px-4 pb-4 space-y-6">
+            <p className="text-muted-foreground text-sm">
+              Read the following HIPAA security awareness training and
+              acknowledge each statement at the bottom to complete this
+              requirement.
+            </p>
+
+            {isCompleted ? (
+              <CompletedBanner completedAt={hipaaCompletion?.completedAt ?? null} />
+            ) : (
+              <>
+                <TrainingContent />
+                <AcknowledgementSection
+                  checkedItems={checkedItems}
+                  onCheckChange={handleCheckChange}
+                  allChecked={allChecked}
+                  isSubmitting={isSubmitting}
+                  onAcknowledge={handleAcknowledge}
+                />
+              </>
+            )}
+          </div>
+        </AccordionContent>
+      </AccordionItem>
+    </div>
+  );
+}
+
+function CompletedBanner({ completedAt }: { completedAt: Date | null }) {
+  return (
+    <div className="flex items-center gap-3 rounded-lg border border-primary/20 bg-primary/5 p-4">
+      <div className="text-primary">
+        <CheckmarkFilled size={24} />
+      </div>
+      <div>
+        <p className="font-medium text-sm">
+          HIPAA training acknowledged
+        </p>
+        <p className="text-muted-foreground text-xs">
+          {completedAt
+            ? `Completed on ${new Date(completedAt).toLocaleDateString('en-US', {
+                year: 'numeric',
+                month: 'long',
+                day: 'numeric',
+              })}. A certificate was emailed to you.`
+            : 'You have completed the HIPAA Security Awareness Training.'}
+        </p>
+      </div>
+    </div>
+  );
+}
+
+function TrainingContent() {
+  return (
+    <div className="space-y-5">
+      {hipaaTrainingSections.map((section) => (
+        <div key={section.title} className="space-y-2">
+          <h3 className="font-semibold text-sm">{section.title}</h3>
+          <TrainingSectionContent content={section.content} />
+        </div>
+      ))}
+    </div>
+  );
+}
+
+function TrainingSectionContent({ content }: { content: string }) {
+  const lines = content.split('\n');
+  const elements: React.ReactNode[] = [];
+  let tableRows: string[][] = [];
+  let inTable = false;
+
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i];
+    const trimmed = line.trim();
+
+    if (trimmed.startsWith('|') && trimmed.endsWith('|')) {
+      if (trimmed.replace(/[|\-\s]/g, '') === '') continue;
+      inTable = true;
+      const cells = trimmed
+        .split('|')
+        .slice(1, -1)
+        .map((c) => c.trim());
+      tableRows.push(cells);
+      continue;
+    }
+
+    if (inTable) {
+      elements.push(
+        <TrainingTable key={`table-${i}`} rows={tableRows} />,
+      );
+      tableRows = [];
+      inTable = false;
+    }
+
+    if (trimmed.startsWith('**') && trimmed.endsWith('**')) {
+      elements.push(
+        <p key={i} className="font-medium text-sm mt-2">
+          {trimmed.slice(2, -2)}
+        </p>,
+      );
+    } else if (trimmed.startsWith('- ')) {
+      elements.push(
+        <li key={i} className="text-muted-foreground text-sm ml-4 list-disc">
+          {trimmed.slice(2)}
+        </li>,
+      );
+    } else if (trimmed) {
+      elements.push(
+        <p key={i} className="text-muted-foreground text-sm">
+          {trimmed}
+        </p>,
+      );
+    }
+  }
+
+  if (inTable && tableRows.length > 0) {
+    elements.push(
+      <TrainingTable key="table-end" rows={tableRows} />,
+    );
+  }
+
+  return <>{elements}</>;
+}
+
+function TrainingTable({ rows }: { rows: string[][] }) {
+  if (rows.length === 0) return null;
+  const [header, ...body] = rows;
+
+  return (
+    <div className="overflow-x-auto rounded-md border">
+      <table className="w-full text-sm">
+        <thead>
+          <tr className="border-b bg-muted/50">
+            {header.map((cell, i) => (
+              <th
+                key={i}
+                className="px-3 py-2 text-left font-medium text-foreground"
+              >
+                {cell}
+              </th>
+            ))}
+          </tr>
+        </thead>
+        <tbody>
+          {body.map((row, ri) => (
+            <tr key={ri} className="border-b last:border-0">
+              {row.map((cell, ci) => (
+                <td
+                  key={ci}
+                  className="px-3 py-2 text-muted-foreground"
+                >
+                  {cell}
+                </td>
+              ))}
+            </tr>
+          ))}
+        </tbody>
+      </table>
+    </div>
+  );
+}
+
+function AcknowledgementSection({
+  checkedItems,
+  onCheckChange,
+  allChecked,
+  isSubmitting,
+  onAcknowledge,
+}: {
+  checkedItems: Record<number, boolean>;
+  onCheckChange: (index: number, checked: boolean) => void;
+  allChecked: boolean;
+  isSubmitting: boolean;
+  onAcknowledge: () => void;
+}) {
+  return (
+    <div className="space-y-4 rounded-lg border border-border bg-muted/30 p-4">
+      <h3 className="font-semibold text-sm">Acknowledgement</h3>
+      <p className="text-muted-foreground text-xs">
+        By acknowledging this training, you confirm the following:
+      </p>
+      <div className="space-y-3">
+        {hipaaAcknowledgements.map((statement, index) => (
+          <label
+            key={index}
+            className="flex items-start gap-3 cursor-pointer"
+          >
+            <input
+              type="checkbox"
+              checked={checkedItems[index] ?? false}
+              onChange={(e) => onCheckChange(index, e.target.checked)}
+              className="mt-0.5 h-4 w-4 rounded border-border accent-primary shrink-0"
+            />
+            <span className="text-sm text-foreground leading-snug">
+              {statement}
+            </span>
+          </label>
+        ))}
+      </div>
+      <div>
+        <Button
+          disabled={!allChecked || isSubmitting}
+          loading={isSubmitting}
+          onClick={onAcknowledge}
+        >
+          Acknowledge HIPAA Training
+        </Button>
+      </div>
+    </div>
+  );
+}
diff --git a/apps/portal/src/app/(app)/(home)/[orgId]/components/tasks/PoliciesAccordionItem.tsx b/apps/portal/src/app/(app)/(home)/[orgId]/components/tasks/PoliciesAccordionItem.tsx
index 2575029f3b..0fcb15bfde 100644
--- a/apps/portal/src/app/(app)/(home)/[orgId]/components/tasks/PoliciesAccordionItem.tsx
+++ b/apps/portal/src/app/(app)/(home)/[orgId]/components/tasks/PoliciesAccordionItem.tsx
@@ -105,16 +105,23 @@ export function PoliciesAccordionItem({ policies, member }: PoliciesAccordionIte
                     );
                   })}
                 </div>
-                <Button
-                  onClick={handleAcceptAllPolicies}
-                  disabled={hasAcceptedPolicies || isAcceptingAll}
-                >
-                  {isAcceptingAll
-                    ? 'Accepting...'
-                    : hasAcceptedPolicies
-                      ? 'All Policies Accepted'
-                      : 'Accept All'}
-                </Button>
+                <div className="flex items-center gap-2">
+                  <Button
+                    onClick={handleAcceptAllPolicies}
+                    disabled={hasAcceptedPolicies || isAcceptingAll}
+                  >
+                    {isAcceptingAll
+                      ? 'Accepting...'
+                      : hasAcceptedPolicies
+                        ? 'All Policies Accepted'
+                        : 'Accept All'}
+                  </Button>
+                  {hasAcceptedPolicies && (
+                    <Link href={`/${member.organizationId}/policies`}>
+                      <Button variant="outline">View Signed Policies</Button>
+                    </Link>
+                  )}
+                </div>
               </>
             ) : (
               <p className="text-muted-foreground text-sm">No policies ready to be signed.</p>
diff --git a/apps/portal/src/app/(app)/(home)/[orgId]/page.tsx b/apps/portal/src/app/(app)/(home)/[orgId]/page.tsx
index 4e71a2eb6e..967d7cdd41 100644
--- a/apps/portal/src/app/(app)/(home)/[orgId]/page.tsx
+++ b/apps/portal/src/app/(app)/(home)/[orgId]/page.tsx
@@ -57,8 +57,8 @@ export default async function OrganizationPage({ params }: { params: Promise<{ o
   // Fleet policies - only fetch if member has a fleet device label
   const fleetData = await getFleetPolicies(member);
 
-  // Device agent device - fetch from DB
-  const agentDevice = await db.device.findFirst({
+  // Device agent devices - fetch all for this member
+  const agentDevices = await db.device.findMany({
     where: {
       memberId: member.id,
       organizationId: orgId,
@@ -75,7 +75,7 @@ export default async function OrganizationPage({ params }: { params: Promise<{ o
         member={member}
         fleetPolicies={fleetData.fleetPolicies}
         host={fleetData.device}
-        agentDevice={agentDevice}
+        agentDevices={agentDevices}
       />
     </PageLayout>
   );
diff --git a/apps/portal/src/app/(app)/(home)/[orgId]/policies/page.tsx b/apps/portal/src/app/(app)/(home)/[orgId]/policies/page.tsx
new file mode 100644
index 0000000000..a17f8f82f2
--- /dev/null
+++ b/apps/portal/src/app/(app)/(home)/[orgId]/policies/page.tsx
@@ -0,0 +1,116 @@
+import { auth } from '@/app/lib/auth';
+import { db } from '@db/server';
+import {
+  Breadcrumb,
+  Card,
+  CardContent,
+  PageHeader,
+  PageLayout,
+  Stack,
+  Text,
+} from '@trycompai/design-system';
+import { Document } from '@trycompai/design-system/icons';
+import { headers } from 'next/headers';
+import Link from 'next/link';
+import { redirect } from 'next/navigation';
+
+export default async function SignedPoliciesPage({
+  params,
+}: {
+  params: Promise<{ orgId: string }>;
+}) {
+  const { orgId } = await params;
+
+  const session = await auth.api.getSession({
+    headers: await headers(),
+  });
+
+  if (!session?.user) {
+    redirect('/auth');
+  }
+
+  const member = await db.member.findFirst({
+    where: {
+      userId: session.user.id,
+      organizationId: orgId,
+      deactivated: false,
+    },
+  });
+
+  if (!member) {
+    redirect('/');
+  }
+
+  const policies = await db.policy.findMany({
+    where: {
+      organizationId: orgId,
+      status: 'published',
+      isRequiredToSign: true,
+      isArchived: false,
+      signedBy: { has: member.id },
+    },
+    orderBy: { name: 'asc' },
+    select: {
+      id: true,
+      name: true,
+      description: true,
+      updatedAt: true,
+    },
+  });
+
+  return (
+    <PageLayout>
+      <Breadcrumb
+        items={[
+          {
+            label: 'Overview',
+            href: `/${orgId}`,
+            props: { render: <Link href={`/${orgId}`} /> },
+          },
+          { label: 'Signed Policies', isCurrent: true },
+        ]}
+      />
+      <Stack gap="md">
+        <PageHeader title="Signed Policies" />
+        {policies.length === 0 ? (
+          <Text variant="muted" size="sm">
+            No signed policies yet.
+          </Text>
+        ) : (
+          <div className="space-y-2">
+            {policies.map((policy) => (
+              <Link
+                key={policy.id}
+                href={`/${orgId}/policy/${policy.id}`}
+                className="block"
+              >
+                <Card>
+                  <CardContent>
+                    <div className="flex items-center gap-3">
+                      <div className="text-muted-foreground">
+                        <Document size={20} />
+                      </div>
+                      <div className="min-w-0 flex-1">
+                        <Text size="sm" weight="medium">
+                          {policy.name}
+                        </Text>
+                        {policy.description && (
+                          <Text variant="muted" size="sm">
+                            {policy.description}
+                          </Text>
+                        )}
+                      </div>
+                      <Text variant="muted" size="sm">
+                        {new Date(policy.updatedAt).toLocaleDateString()}
+                      </Text>
+                    </div>
+                  </CardContent>
+                </Card>
+              </Link>
+            ))}
+          </div>
+        )}
+      </Stack>
+    </PageLayout>
+  );
+}
diff --git a/apps/portal/src/app/components/user-menu-client.tsx b/apps/portal/src/app/components/user-menu-client.tsx
new file mode 100644
index 0000000000..a02223ff49
--- /dev/null
+++ b/apps/portal/src/app/components/user-menu-client.tsx
@@ -0,0 +1,46 @@
+'use client';
+
+import { Avatar, AvatarFallback, AvatarImage } from '@trycompai/ui/avatar';
+import {
+  DropdownMenu,
+  DropdownMenuContent,
+  DropdownMenuLabel,
+  DropdownMenuSeparator,
+  DropdownMenuTrigger,
+} from '@trycompai/ui/dropdown-menu';
+import { Logout } from './logout';
+
+type UserMenuClientProps = {
+  name: string | null;
+  email: string | null;
+  image: string | null;
+  userInitials: string;
+};
+
+export function UserMenuClient({ name, email, image, userInitials }: UserMenuClientProps) {
+  return (
+    <DropdownMenu>
+      <DropdownMenuTrigger asChild>
+        <Avatar className="h-8 w-8 cursor-pointer rounded-full">
+          {image ? <AvatarImage src={image} alt={name ?? 'User Avatar'} /> : null}
+          <AvatarFallback>
+            <span className="text-xs font-semibold">{userInitials}</span>
+          </AvatarFallback>
+        </Avatar>
+      </DropdownMenuTrigger>
+      <DropdownMenuContent className="w-[240px]" sideOffset={10} align="end">
+        <DropdownMenuLabel>
+          <div className="flex items-center justify-between">
+            <div className="flex flex-col">
+              <span className="line-clamp-1 block max-w-[155px] truncate">{name}</span>
+              <span className="text-muted-foreground truncate text-xs font-normal">{email}</span>
+            </div>
+            <div className="rounded-full border px-3 py-0.5 text-[11px] font-normal">Beta</div>
+          </div>
+        </DropdownMenuLabel>
+        <DropdownMenuSeparator />
+        <Logout />
+      </DropdownMenuContent>
+    </DropdownMenu>
+  );
+}
diff --git a/apps/portal/src/app/components/user-menu.tsx b/apps/portal/src/app/components/user-menu.tsx
index 17185ca85d..b95938dfa7 100644
--- a/apps/portal/src/app/components/user-menu.tsx
+++ b/apps/portal/src/app/components/user-menu.tsx
@@ -1,14 +1,6 @@
 import { auth } from '@/app/lib/auth';
-import { Avatar, AvatarFallback, AvatarImageNext } from '@trycompai/ui/avatar';
-import {
-  DropdownMenu,
-  DropdownMenuContent,
-  DropdownMenuLabel,
-  DropdownMenuSeparator,
-  DropdownMenuTrigger,
-} from '@trycompai/ui/dropdown-menu';
 import { headers } from 'next/headers';
-import { Logout } from './logout';
+import { UserMenuClient } from './user-menu-client';
 
 // Helper function to get initials
 function getInitials(name?: string | null, email?: string | null): string {
@@ -33,44 +25,19 @@ export async function UserMenu() {
     headers: await headers(),
   });
 
-  const userInitials = getInitials(session?.user?.name, session?.user?.email);
+  if (!session?.user) {
+    return null;
+  }
+
+  const user = session.user;
+  const userInitials = getInitials(user.name, user.email);
 
   return (
-    <DropdownMenu>
-      <DropdownMenuTrigger asChild>
-        <Avatar className="h-8 w-8 cursor-pointer rounded-full">
-          {session?.user?.image && (
-            <AvatarImageNext
-              src={session.user.image}
-              alt={session?.user?.name ?? 'User Avatar'}
-              width={32}
-              height={32}
-              quality={100}
-            />
-          )}
-          <AvatarFallback>
-            <span className="text-xs font-semibold">{userInitials}</span>
-          </AvatarFallback>
-        </Avatar>
-      </DropdownMenuTrigger>
-      <DropdownMenuContent className="w-[240px]" sideOffset={10} align="end">
-        {' '}
-        <DropdownMenuLabel>
-          <div className="flex items-center justify-between">
-            <div className="flex flex-col">
-              <span className="line-clamp-1 block max-w-[155px] truncate">
-                {session?.user?.name}
-              </span>
-              <span className="text-muted-foreground truncate text-xs font-normal">
-                {session?.user?.email}
-              </span>
-            </div>
-            <div className="rounded-full border px-3 py-0.5 text-[11px] font-normal">Beta</div>
-          </div>
-        </DropdownMenuLabel>
-        <DropdownMenuSeparator />
-        <Logout />
-      </DropdownMenuContent>
-    </DropdownMenu>
+    <UserMenuClient
+      name={user.name}
+      email={user.email}
+      image={user.image ?? null}
+      userInitials={userInitials}
+    />
   );
 }
diff --git a/apps/portal/src/lib/data/hipaa-training-content.ts b/apps/portal/src/lib/data/hipaa-training-content.ts
new file mode 100644
index 0000000000..982c98dc54
--- /dev/null
+++ b/apps/portal/src/lib/data/hipaa-training-content.ts
@@ -0,0 +1,67 @@
+export const HIPAA_TRAINING_ID = 'hipaa-sat-1';
+
+export interface HipaaTrainingSection {
+  title: string;
+  content: string;
+}
+
+export const hipaaTrainingSections: readonly HipaaTrainingSection[] = [
+  {
+    title: '1. Why this training exists',
+    content: `This document supplements the organization's existing general security awareness training with HIPAA-specific expectations for protecting Protected Health Information (PHI), including electronic PHI (ePHI), paper records, and verbal disclosures.
+
+It is intended to support onboarding and annual refresher requirements and to provide clear evidence that personnel were informed of their HIPAA security and privacy responsibilities.`,
+  },
+  {
+    title: '2. What employees must understand',
+    content: `- PHI may exist in systems, email, chat, files, paper documents, screenshots, voicemail, and verbal conversations.
+- Access to PHI is permitted only for authorized job duties and only to the minimum extent necessary to perform those duties.
+- PHI must not be sent, stored, printed, discussed, or shared using unapproved methods or with unauthorized people.
+- Security incidents, suspected misdirected disclosures, phishing attempts, lost devices, and any possible PHI exposure must be reported immediately.`,
+  },
+  {
+    title: '3. Required day-to-day behaviors',
+    content: `**Protect PHI in all forms**
+- Do not leave records, labels, printouts, or screens containing PHI unattended.
+- Verify recipient names, addresses, and fax numbers before sending information.
+- Use only approved storage locations, applications, and workflows for PHI.
+
+**Email, messaging, and file sharing**
+- Use approved encrypted or otherwise authorized methods when transmitting PHI.
+- Do not auto-forward work email containing PHI to personal accounts.
+- Do not copy PHI into public AI tools or non-approved cloud services.
+
+**Passwords, access, and devices**
+- Use unique passwords, enable multi-factor authentication where required, and never share credentials.
+- Lock your screen when you step away and secure laptops and mobile devices physically.
+- Report lost or stolen devices immediately, even if you are unsure whether PHI was involved.
+
+**Phishing and social engineering**
+- Treat urgent requests, payment changes, unusual login prompts, and requests for credentials or patient information as suspicious until verified.
+- Use approved reporting methods to report suspicious emails, texts, calls, or pop-ups.`,
+  },
+  {
+    title: '4. Quick reference: do / do not',
+    content: `| Do | Do not |
+|---|---|
+| Access only the PHI needed for your role. | Browse records out of curiosity or convenience. |
+| Confirm identity before sharing patient or employee information. | Discuss PHI in public areas, elevators, hallways, or on speakerphone where others can hear. |
+| Use approved encrypted channels and approved repositories. | Store PHI in personal email, personal drives, USB devices, or unapproved apps. |
+| Check recipients carefully before sending messages or attachments. | Rely on autofill without verifying the recipient. |
+| Report incidents, phishing, lost devices, or mistakes immediately. | Delay reporting because you hope the issue will resolve on its own. |`,
+  },
+  {
+    title: '5. Incident reporting expectation',
+    content: `Report immediately if you suspect a phishing email, accidental disclosure, misdirected message, unauthorized access, malware infection, stolen or missing device, or any situation that could affect the confidentiality, integrity, or availability of PHI.
+
+Prompt reporting matters even when you are unsure whether PHI was actually exposed. Early notice helps the organization contain risk and meet regulatory response obligations.`,
+  },
+] as const;
+
+export const hipaaAcknowledgements: readonly string[] = [
+  'I completed the organization\'s general security awareness training and this HIPAA Security Awareness Training Add-On.',
+  'I understand that PHI includes information in electronic, paper, image, audio, and verbal form.',
+  'I will access, use, disclose, transmit, and store PHI only as authorized for my job responsibilities and in accordance with organization policy.',
+  'I will use approved safeguards, including strong authentication, secure handling practices, and prompt reporting of suspicious activity or incidents.',
+  'I understand that failure to follow security and privacy requirements may lead to disciplinary action, up to and including termination, and may create legal or regulatory consequences.',
+] as const;
diff --git a/bun.lock b/bun.lock
index f409289013..6ad098a13a 100644
--- a/bun.lock
+++ b/bun.lock
@@ -148,7 +148,7 @@
         "eslint": "^9.18.0",
         "eslint-config-prettier": "^10.0.1",
         "eslint-plugin-prettier": "^5.2.2",
-        "globals": "^16.0.0",
+        "globals": "^17.3.0",
         "jest": "^30.0.0",
         "prettier": "^3.5.3",
         "source-map-support": "^0.5.21",
@@ -657,7 +657,7 @@
         "@tiptap/extension-highlight": "3.16.0",
         "@tiptap/extension-image": "3.16.0",
         "@tiptap/extension-link": "3.16.0",
-        "@tiptap/extension-list": "3.16.0",
+        "@tiptap/extension-list": "3.18.0",
         "@tiptap/extension-table": "3.16.0",
         "@tiptap/extension-text-align": "3.16.0",
         "@tiptap/extension-typography": "3.16.0",
@@ -2377,7 +2377,7 @@
 
     "@tiptap/extension-link": ["@tiptap/extension-link@3.16.0", "", { "dependencies": { "linkifyjs": "^4.3.2" }, "peerDependencies": { "@tiptap/core": "^3.16.0", "@tiptap/pm": "^3.16.0" } }, "sha512-WPPJLtGXQadBVVwH6gcMpaXIgfvFF9NGpE2IVqleVKR3Epv2Rd4aWd4oyAdrT8KU9G6dzMXZfkrB8aArTDKxYQ=="],
 
-    "@tiptap/extension-list": ["@tiptap/extension-list@3.16.0", "", { "peerDependencies": { "@tiptap/core": "^3.16.0", "@tiptap/pm": "^3.16.0" } }, "sha512-tpjWGugfI0XYR9iG/QlYYtCY35TFWHNwGKc94wN4s7NmAjB4xlwdTkTZQ6PdZ39x1SeHkRjxAka+6GcBIoOHGQ=="],
+    "@tiptap/extension-list": ["@tiptap/extension-list@3.18.0", "", { "peerDependencies": { "@tiptap/core": "^3.18.0", "@tiptap/pm": "^3.18.0" } }, "sha512-9lQBo45HNqIFcLEHAk+CY3W51eMMxIJjWbthm2CwEWr4PB3+922YELlvq8JcLH1nVFkBVpmBFmQe/GxgnCkzwQ=="],
 
     "@tiptap/extension-list-item": ["@tiptap/extension-list-item@3.16.0", "", { "peerDependencies": { "@tiptap/extension-list": "^3.16.0" } }, "sha512-kshssUZEPoosPWbJNQEFJnVV3iPwsDU9l/RCdHJB5SE+aNWJyUk5hQ/YwngEHjV7rS+RnAuhbrcB5swgyzROuA=="],
 
@@ -4079,7 +4079,7 @@
 
     "global-directory": ["global-directory@4.0.1", "", { "dependencies": { "ini": "4.1.1" } }, "sha512-wHTUcDUoZ1H5/0iVqEudYW4/kAlN5cZ3j/bXn0Dpbizl9iaUVeWSHqiOjsgk6OW2bkLclbBjzewBz6weQ1zA2Q=="],
 
-    "globals": ["globals@16.5.0", "", {}, "sha512-c/c15i26VrJ4IRt5Z89DnIzCGDn9EcebibhAOjw5ibqEHsE1wLUgkPn9RDmNcUKyU87GeaL633nyJ+pplFR2ZQ=="],
+    "globals": ["globals@17.4.0", "", {}, "sha512-hjrNztw/VajQwOLsMNT1cbJiH2muO3OROCHnbehc8eY5JyD2gqz4AcMHPqgaOR59DjgUjYAYLeH699g/eWi2jw=="],
 
     "globalthis": ["globalthis@1.0.4", "", { "dependencies": { "define-properties": "^1.2.1", "gopd": "^1.0.1" } }, "sha512-DpLKbNU4WylpxJykQujfCcwYWiV/Jhm50Goo0wrVILAv5jOr9d+H+UR3PhSCD2rCCEIg0uc+G+muBTwD54JhDQ=="],
 
@@ -6779,8 +6779,6 @@
 
     "@prisma/streams-local/ajv": ["ajv@8.17.1", "", { "dependencies": { "fast-deep-equal": "^3.1.3", "fast-uri": "^3.0.1", "json-schema-traverse": "^1.0.0", "require-from-string": "^2.0.2" } }, "sha512-B/gBuNg5SiMTrPkC+A2+cW0RszwxYmn6VYxB/inlBStS5nx6xHIt/ehKRhIMhqusl7a8LjQoZnjCs5vhwxOQ1g=="],
 
-    "@prisma/streams-local/env-paths": ["env-paths@3.0.0", "", {}, "sha512-dtJUTepzMW3Lm/NPxRf3wP4642UWhjL2sQxc+ym2YMj1m/H2zDNQOlezafzkHwn6sMstjHTwG6iQQsctDW/b1A=="],
-
     "@radix-ui/react-alert-dialog/@radix-ui/react-slot": ["@radix-ui/react-slot@1.2.3", "", { "dependencies": { "@radix-ui/react-compose-refs": "1.1.2" }, "peerDependencies": { "@types/react": "*", "react": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc" }, "optionalPeers": ["@types/react"] }, "sha512-aeNmHnBxbi2St0au6VBVC7JXFlhLlOnvIIlePNniyUNAClzmtAUEY8/pBiK3iHjufOlwA+c20/8jngo7xcrg8A=="],
 
     "@radix-ui/react-checkbox/@radix-ui/primitive": ["@radix-ui/primitive@1.1.2", "", {}, "sha512-XnbHrrprsNqZKQhStrSwgRUQzoCI1glLzdw79xiZPoofhGICeZRSQ3dIxAKH1gb3OHfNf4d6f+vAv3kil2eggA=="],
@@ -6899,6 +6897,8 @@
 
     "@thallesp/nestjs-better-auth/express": ["express@5.2.1", "", { "dependencies": { "accepts": "^2.0.0", "body-parser": "^2.2.1", "content-disposition": "^1.0.0", "content-type": "^1.0.5", "cookie": "^0.7.1", "cookie-signature": "^1.2.1", "debug": "^4.4.0", "depd": "^2.0.0", "encodeurl": "^2.0.0", "escape-html": "^1.0.3", "etag": "^1.8.1", "finalhandler": "^2.1.0", "fresh": "^2.0.0", "http-errors": "^2.0.0", "merge-descriptors": "^2.0.0", "mime-types": "^3.0.0", "on-finished": "^2.4.1", "once": "^1.4.0", "parseurl": "^1.3.3", "proxy-addr": "^2.0.7", "qs": "^6.14.0", "range-parser": "^1.2.1", "router": "^2.2.0", "send": "^1.1.0", "serve-static": "^2.2.0", "statuses": "^2.0.1", "type-is": "^2.0.1", "vary": "^1.1.2" } }, "sha512-hIS4idWWai69NezIdRt2xFVofaF4j+6INOpJlVOLDO8zXGpUVEVzIYk12UUi2JzjEzWL3IOAxcTubgz9Po0yXw=="],
 
+    "@tiptap/starter-kit/@tiptap/extension-list": ["@tiptap/extension-list@3.16.0", "", { "peerDependencies": { "@tiptap/core": "^3.16.0", "@tiptap/pm": "^3.16.0" } }, "sha512-tpjWGugfI0XYR9iG/QlYYtCY35TFWHNwGKc94wN4s7NmAjB4xlwdTkTZQ6PdZ39x1SeHkRjxAka+6GcBIoOHGQ=="],
+
     "@trigger.dev/core/execa": ["execa@8.0.1", "", { "dependencies": { "cross-spawn": "^7.0.3", "get-stream": "^8.0.1", "human-signals": "^5.0.0", "is-stream": "^3.0.0", "merge-stream": "^2.0.0", "npm-run-path": "^5.1.0", "onetime": "^6.0.0", "signal-exit": "^4.1.0", "strip-final-newline": "^3.0.0" } }, "sha512-VyhnebXciFV2DESc+p6B+y0LjSm0krU4OgJN44qFAhBY0TJ+1V61tYD2+wHusZ6F9n5K+vl8k0sTy7PEfV4qpg=="],
 
     "@trigger.dev/core/jose": ["jose@5.10.0", "", {}, "sha512-s+3Al/p9g32Iq+oqXxkW//7jk2Vig6FF1CFqzVXoTUXt2qz89YWbL+OwS17NFYEvxC35n0FKeGO2LGYSxeM2Gg=="],
diff --git a/packages/docs/openapi.json b/packages/docs/openapi.json
index ac49c7243a..085d6f6fb3 100644
--- a/packages/docs/openapi.json
+++ b/packages/docs/openapi.json
@@ -18543,6 +18543,40 @@
         ]
       }
     },
+    "/v1/training/generate-hipaa-certificate": {
+      "post": {
+        "description": "Generates a PDF certificate for a member who has completed the HIPAA Security Awareness Training.",
+        "operationId": "TrainingController_generateHipaaCertificate_v1",
+        "parameters": [],
+        "requestBody": {
+          "required": true,
+          "content": {
+            "application/json": {
+              "schema": {
+                "$ref": "#/components/schemas/SendTrainingCompletionDto"
+              }
+            }
+          }
+        },
+        "responses": {
+          "200": {
+            "description": "PDF certificate file"
+          },
+          "400": {
+            "description": "HIPAA training not complete or member not found"
+          }
+        },
+        "security": [
+          {
+            "apikey": []
+          }
+        ],
+        "summary": "Generate HIPAA training certificate PDF",
+        "tags": [
+          "Training"
+        ]
+      }
+    },
     "/v1/org-chart": {
       "get": {
         "operationId": "OrgChartController_getOrgChart_v1",
diff --git a/packages/ui/package.json b/packages/ui/package.json
index 412955e865..596c12b91c 100644
--- a/packages/ui/package.json
+++ b/packages/ui/package.json
@@ -43,7 +43,7 @@
     "@tiptap/extension-highlight": "3.16.0",
     "@tiptap/extension-image": "3.16.0",
     "@tiptap/extension-link": "3.16.0",
-    "@tiptap/extension-list": "3.16.0",
+    "@tiptap/extension-list": "3.18.0",
     "@tiptap/extension-table": "3.16.0",
     "@tiptap/extension-text-align": "3.16.0",
     "@tiptap/extension-typography": "3.16.0",