BAA-ready, PHI-aware AI delivery.
For regulated workflows (intake, claims, prior auth, post-visit) where a wrong shortcut creates a covered incident. The same evaluation-led method as our general practice, plus the controls a CISO and compliance lead need to sign off.
Entry offer
Healthcare Scoping & BAA Kit
$10,000
14 business days · Fixed scope
The right entry point when the workflow handles PHI or a BAA must be in place before any pilot can run. You walk away with a written, implementation-ready compliance pack, not slideware.
What you walk away with
- ✓BAA inventory and gap analysis (model providers, hosting, observability, storage).
- ✓Per-engagement data-handling profile (general / regulated / eval-only).
- ✓PHI redaction policy + sample audit log of redactions on representative payloads.
- ✓Allowlisted model catalog with rationale per use case (latency, quality, cost, compliance).
- ✓Compliance pack template: BAA, DPA where applicable, retention and deletion policies.
- ✓First-engagement runbook: incident response, breach notification, escalation contacts.
Controls that ship with every healthcare engagement
Each control is enforced at the platform layer, not at the prompt layer, where it could be circumvented.
BAA-required model allowlist
Only models with executed Business Associate Agreements run in the healthcare profile. Provider-routed models without a BAA are blocked at the platform layer, not at prompt time.
Server-side PHI redaction
Inbound text passes through a redaction layer before any model call. Names, MRNs, dates of birth, addresses, and phone numbers are scrubbed and audited.
Client + engagement isolation
Knowledge bases, vector stores, and agent memory are scoped per engagement. Cross-engagement leakage is prevented at the retrieval layer and at the prompt layer.
Audit trail on every action
Each tool call, model invocation, and staff override writes a tenant-scoped audit event. Audit retention is configurable per the engagement's compliance pack.
Human approval on side effects
Email sends, EHR writes, scheduling actions, and any other side-effecting tool require an explicit human approval before execution.
Documented incident response
Runbook, escalation contacts, and breach-notification timing are documented per engagement. Available under NDA for prospective clients.
What this profile is not
Honest framing: a healthcare deployment profile is not a substitute for legal review, covered-entity status, or a HIPAA risk assessment. It is the technical and operational layer that makes those upstream steps usable in production. We won't sign off on regulatory compliance for you, but we will make sure your AI system isn't the thing that breaks compliance you've already established.
- Out of scope: covered-entity determination, OCR audit response, breach-coach retainer.
- Out of scope: EHR integration certification (Epic, Cerner, etc.), these are deep program engagements with their own gates; we partner with implementation teams that own them.
- Out of scope: claims-submission certification (X12 / EDI). We can route claims data through an AI workflow that respects the cert; we don't replace it.
Security disclosures + incident response
BAA, DPA, redaction-policy walkthrough, and the incident response runbook are available under NDA. Healthcare buyers commonly want to see these before signing the assessment; ask in your intake message and we'll route the request appropriately.