Compliance · HIPAA

HIPAA Architecture for AI Deployments

How Iedeo architects, contracts and operates AI systems for US healthcare clients under HIPAA, with PHI minimization, encryption, access controls, audit logs, and BAA-readiness baked into every deployment.

Last updated: May 19, 2026 · Owner: Iedeo Compliance Lead · [email protected]

1. Our role under HIPAA

For most US healthcare engagements, Iedeo acts as a Business Associate to the Covered Entity client. We process Protected Health Information (PHI) only on documented instructions, captured in a signed Business Associate Agreement (BAA).

Where the client is itself a Business Associate rather than a Covered Entity, we sign a Subcontractor BAA, as the HIPAA Omnibus Rule (2013) requires: it extends Business Associate obligations directly to subcontractors that create, receive, maintain or transmit PHI on a Business Associate's behalf.

2. Business Associate Agreement (BAA)

We sign HIPAA-compliant BAAs on every engagement involving PHI. Our standard BAA covers:

  • Permitted uses and disclosures of PHI
  • Safeguards against improper use and disclosure (45 CFR § 164.504(e)(2)(ii))
  • Breach reporting obligations and timelines
  • Subcontractor flow-down requirements
  • Individual access rights (HIPAA Privacy Rule)
  • Accounting of disclosures
  • Audit and inspection rights
  • Termination and PHI return/destruction

We accept client-issued BAAs and offer our template if preferred. Standard turnaround: 2-3 business days for legal review.

3. PHI minimization

The most powerful HIPAA control is not collecting PHI in the first place. For every AI use case we design:

  • Field-level minimization — only the data needed for the AI task, nothing more
  • De-identification per HIPAA Safe Harbor (45 CFR § 164.514(b)(2)) where possible
  • Tokenization of PHI fields before passing to LLM providers, with the token-to-value mapping retained only in the client tenant. Tokenized text is still PHI under HIPAA unless it meets the de-identification standard, so the provider requirements in section 7 apply to it unchanged
  • Redaction of names, MRNs, account numbers in transcripts and logs before storage
  • Aggregation — analytics on aggregated data, not individual records, where the use case permits
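The tokenize-then-generalize step described above, as an added example in Python that is not Iedeo's code. Restorable identifiers (names, MRNs, account numbers, phone numbers, e-mail) become keyed tokens whose mapping lives only in a vault standing in for the client tenant; Safe Harbor fields that never need to round-trip (dates, ZIP codes, ages over 89) are generalized irreversibly and never stored. The identifier formats, the patient-name list, the sample transcript line and the per-engagement HMAC key are all assumptions for illustration, and the generalization covers only a subset of the 18 Safe Harbor identifiers.

```python
"""Field-level PHI tokenization plus Safe Harbor style generalization, run before
any text is handed to an LLM. Added example, not Iedeo's code. Identifiers that
must be restorable become keyed tokens (mapping kept in a local vault standing in
for the client tenant); Safe Harbor fields with no round trip are generalized
irreversibly and never stored.
"""
import hashlib
import hmac
import re
from typing import Dict, Iterable

# Illustrative formats (assumption): real MRN / account conventions are client-specific.
PATTERNS = [
    ("MRN", re.compile(r"\bMRN[:#\s]*(\d{6,10})\b", re.I)),
    ("ACCT", re.compile(r"\b(?:acct|account)[:#\s]*(\d{6,12})\b", re.I)),
    ("SSN", re.compile(r"\b(\d{3}-\d{2}-\d{4})\b")),
    ("PHONE", re.compile(r"(?<!\d)(\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4})(?!\d)")),
    ("EMAIL", re.compile(r"([\w.+-]+@[\w-]+\.[\w.-]+)")),
]
DATE = re.compile(r"\b(\d{1,2})/(\d{1,2})/(\d{4})\b")       # Safe Harbor: keep year only
ZIP = re.compile(r"\b([A-Z]{2}\s+)(\d{5})(?:-\d{4})?\b")     # state + ZIP -> first 3 digits
AGE = re.compile(r"\b(\d{2,3})([- ]year[- ]old)\b", re.I)    # ages over 89 collapse to 90+
_NO_DIGITS = str.maketrans("0123456789", "ghijklmnop")        # tokens never look numeric


class PHITokenizer:
    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self.vault: Dict[str, str] = {}  # token -> original value; client tenant only

    def _token(self, kind: str, value: str) -> str:
        # Keyed and deterministic: one value maps to one token within an engagement,
        # but the token reveals nothing about the value without the vault.
        digest = hmac.new(self._secret, value.encode(), hashlib.sha256).hexdigest()[:12]
        token = f"<{kind}_{digest.translate(_NO_DIGITS)}>"
        self.vault[token] = value
        return token

    def tokenize(self, text: str, known_names: Iterable[str] = ()) -> str:
        # Names come from the client's own patient list; longest first so a longer
        # name is not partially consumed by a shorter one it contains.
        for name in sorted(known_names, key=len, reverse=True):
            text = re.sub(re.escape(name), lambda m: self._token("NAME", m.group(0)), text, flags=re.I)
        for kind, pat in PATTERNS:
            text = pat.sub(lambda m, k=kind: m.group(0).replace(m.group(1), self._token(k, m.group(1))), text)
        # Safe Harbor generalizations: no vault entry, deliberately not reversible.
        text = DATE.sub(lambda m: m.group(3), text)
        text = ZIP.sub(lambda m: f"{m.group(1)}{m.group(2)[:3]}XX", text)
        text = AGE.sub(lambda m: f"90+{m.group(2)}" if int(m.group(1)) > 89 else m.group(0), text)
        return text

    def detokenize(self, text: str) -> str:
        # Runs inside the client tenant after the LLM response comes back.
        for token, value in self.vault.items():
            text = text.replace(token, value)
        return text


# Constructed sample transcript line; not real PHI.
SAMPLE = ("Patient Jane Doe (MRN: 00123456), 92-year-old, seen 03/14/2024 in "
          "Springfield IL 62704. Callback 555-867-5309, acct# 987654321.")


def demo():
    tok = PHITokenizer(secret=b"per-engagement-key-from-client-kms")  # assumption
    safe = tok.tokenize(SAMPLE, known_names=("Jane Doe",))
    return safe, tok


if __name__ == "__main__":
    safe, tok = demo()
    print(safe)                  # what the LLM provider receives
    print(tok.detokenize(safe))  # what the client sees after the round trip
```

The two halves are intentionally asymmetric: the vault makes names, MRNs, account numbers and phone numbers restorable inside the tenant, while the date, ZIP and age edits produce no vault entry at all, so a leak of the vault still cannot recover them.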

4. Encryption

  • In transit: TLS 1.3 for all PHI-handling endpoints. mTLS for service-to-service where applicable
  • At rest: AES-256 encryption on databases, object stores, and logs containing PHI. AWS KMS or customer-managed keys
  • In use: for highest-sensitivity workloads, AWS Nitro Enclaves or equivalent confidential-computing primitives
  • Backup encryption: backups encrypted with separate keys; key rotation per AWS / Azure best practice

5. Access controls

  • Least privilege: Iedeo personnel only access PHI when required for a documented task
  • Role-based access control (RBAC) with documented role definitions
  • MFA enforced on all internal accounts
  • Time-bound access grants for development/debug — auto-revoked after task completion
  • Workforce training: annual HIPAA training for all personnel with PHI access
  • Background checks on personnel with PHI access
  • Termination procedures: immediate access revocation on personnel exit

6. Audit logging

Comprehensive logs of every PHI access:

  • User identity, timestamp, action, data accessed
  • Tamper-evident log storage (write-once, append-only)
  • Retention: minimum 6 years, matching the Security Rule's documentation retention requirement (45 CFR § 164.316(b)(2))
  • Alerts on anomalous access patterns
  • Available for client audit at any time
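The tamper-evident storage and the anomalous-access alerting from the list above, as one added example in Python that is not Iedeo's code. Each record carries an HMAC over its fields plus the previous record's MAC, so editing or deleting an entry breaks verification of everything after it; a simple detector then flags any user who reads more than a threshold of distinct patient records inside a one-hour window. The MAC key, the threshold, the record schema and the access events are assumptions constructed for the example.

```python
"""Hash-chained, HMAC-sealed PHI access log with a bulk-access anomaly check.
Added example, not Iedeo's code. The MAC key is assumed to live in the client's
KMS, not with the service that writes the log.
"""
import hashlib
import hmac
import json
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List


class AuditLog:
    GENESIS = "0" * 64

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.records: List[Dict] = []

    def _mac(self, body: Dict) -> str:
        # Canonical JSON so identical fields always serialize identically.
        return hmac.new(self.key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()

    def append(self, user: str, ts: str, action: str, resource: str) -> Dict:
        prev = self.records[-1]["mac"] if self.records else self.GENESIS
        body = {"user": user, "ts": ts, "action": action, "resource": resource, "prev": prev}
        rec = {**body, "mac": self._mac(body)}
        self.records.append(rec)
        return rec

    def verify(self) -> bool:
        prev = self.GENESIS
        for rec in self.records:
            body = {k: v for k, v in rec.items() if k != "mac"}
            if body["prev"] != prev or not hmac.compare_digest(self._mac(body), rec["mac"]):
                return False
            prev = rec["mac"]
        return True


def flag_bulk_access(records: List[Dict], max_patients: int = 5,
                     window: timedelta = timedelta(hours=1)) -> List[str]:
    """Users who read more than max_patients distinct patient records in any window."""
    by_user = defaultdict(list)
    for r in records:
        if r["action"] == "read" and r["resource"].startswith("patient/"):
            by_user[r["user"]].append((datetime.fromisoformat(r["ts"]), r["resource"]))
    flagged = []
    for user, events in by_user.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            seen = {res for t, res in events[i:] if t - t0 <= window}
            if len(seen) > max_patients:
                flagged.append(user)
                break
    return sorted(flagged)


def demo():
    log = AuditLog(key=b"audit-mac-key-from-client-kms")  # assumption
    base = datetime(2026, 5, 1, 9, 0)
    # Constructed access events, not real data: a nurse with normal volume and an
    # analyst pulling seven different patients in six minutes.
    for i in range(3):
        log.append("nurse.a", (base + timedelta(minutes=40 * i)).isoformat(), "read", f"patient/{100 + i}")
    for i in range(7):
        log.append("analyst.b", (base + timedelta(minutes=i)).isoformat(), "read", f"patient/{200 + i}")
    log.append("nurse.a", (base + timedelta(hours=3)).isoformat(), "write", "patient/100/note")
    intact = log.verify()
    flagged = flag_bulk_access(log.records)
    # Tamper 1: re-attribute one of the analyst's reads to the nurse.
    edited = AuditLog(log.key)
    edited.records = [dict(r) for r in log.records]
    edited.records[5]["user"] = "nurse.a"
    # Tamper 2: delete a record from the middle of the log.
    deleted = AuditLog(log.key)
    deleted.records = log.records[:4] + log.records[5:]
    return intact, flagged, edited.verify(), deleted.verify()


if __name__ == "__main__":
    print(demo())
```

The chain detects edits and deletions in the middle of the log, but not truncation of its tail, so the latest MAC must be anchored somewhere the writer cannot reach, for instance a periodic checkpoint into the client's write-once store.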

7. LLM provider selection for PHI

Generic LLM APIs (OpenAI, Anthropic, Google Gemini) are not used for PHI processing unless the provider has executed a BAA and the workload runs on a HIPAA-eligible service tier:

  • Azure OpenAI Service — Microsoft signs BAA; HIPAA-eligible
  • Amazon Bedrock (Claude, Llama 3) — AWS signs BAA; HIPAA-eligible
  • Self-hosted Llama 3, Mistral, Mixtral — runs in client VPC; no third-party PHI access

For most HIPAA workloads we recommend self-hosted LLMs in the client VPC: no PHI leaves the client's own tenancy, so no third party ever holds it.

8. Infrastructure deployment

Standard deployment patterns for HIPAA workloads:

  • Client VPC on AWS (us-east-1 / us-west-2), Azure or GCP — your tenancy
  • Network isolation — private subnets, VPC endpoints, no public internet egress for PHI services
  • Separate environments — dev / staging / production with prod-PHI never copied to lower environments
  • De-identified test data for development
  • Infrastructure as Code (Terraform / CloudFormation) — auditable, reviewable, version-controlled

9. Incident response

  • 24-hour notification target to the Covered Entity on any suspected PHI incident
  • Documented incident response plan with severity tiers
  • Post-incident review and remediation log
  • Breach notification to the Covered Entity per HITECH and 45 CFR § 164.410: without unreasonable delay, and no later than 60 days after discovery

10. Subcontractor management

Every subcontractor with PHI access signs a downstream BAA. Current PHI-handling subcontractors:

  • AWS / Azure / GCP — under signed cloud-provider BAAs
  • Iedeo personnel based in India are workforce members rather than subcontractors in the HIPAA sense; they are bound by workforce confidentiality agreements carrying HIPAA-equivalent obligations, and their access to PHI is governed by section 11

We notify clients in advance of any new PHI-handling subcontractor.

11. International data transfer for HIPAA workloads

HIPAA does not prohibit international transfer per se, but Covered Entities expect careful handling and many restrict it contractually. For Iedeo's India-based personnel:

  • By default, identifiable PHI does NOT leave US infrastructure
  • Iedeo developers access via screen-share / bastion-host sessions where required, with no local data copies
  • For higher-sensitivity workloads, Iedeo deploys US-based liaison personnel for PHI-touching operations
  • Aggregated metrics and de-identified logs can flow to India per BAA terms

12. What we don't claim

To be straightforward:

  • We are not HIPAA-certified as a corporate entity (no such certification exists — HIPAA is a practice, not a certification)
  • We do not yet hold a SOC 2 report (SOC 2 is an auditor attestation, not a certification): Type I is on the roadmap for mid-2026, Type II for early 2027
  • We can architect to HIPAA-grade standards and sign a BAA, but each engagement still requires its own risk analysis, which the Security Rule (45 CFR § 164.308(a)(1)(ii)(A)) requires of the Covered Entity and of Iedeo as its Business Associate

13. Contact

  • Email: [email protected]
  • Legal entity: Iedeo Tech Labs Private Limited
  • Address: First Floor, No 5, 2nd Cross St, Vijaya Nagar, Velachery, Chennai 600042, India

Discuss your HIPAA engagement

Book a 30-minute call to walk through your HIPAA needs. We will share our BAA template, sample architecture, and a tailored compliance plan.
