45 CFR Part 160 + 164

HIPAA AI Compliance

5 control categories from the HIPAA Security + Privacy Rules, mapped to platform features. Read what we ship + what stays your responsibility.

Status: HIPAA-aligned, attestation in progress. We implement the technical + administrative + AI-specific safeguards required for Covered Entities and Business Associates handling ePHI through AI systems. Third-party attestation by an accredited firm is scheduled for Q2 2027.

BAA available on request — email legal@evalguard.ai. Note that our BAA covers EvalGuard's role as your Business Associate; you also need BAAs with each upstream LLM provider you bring (OpenAI, Anthropic, etc.) — we proxy your BYOK key but cannot sign their BAA on your behalf.

Administrative Safeguards (§164.308)

Policies and procedures to manage the selection, development, implementation, and maintenance of security measures protecting ePHI in AI systems.

What EvalGuard ships

  • Role-based access controls (org_role enum: owner/admin/member/viewer) — RLS-enforced at every tenant boundary
  • Audit logging with tamper-evidence hash chain (integrity_hash column + advisory-lock concurrency)
  • Incident response: /api/v1/privacy/incidents + dashboard surface for breach triage
  • Business Associate Agreement template available on request (legal@evalguard.ai)

Your responsibility

  • Conduct your own AI risk analysis per §164.308(a)(1)
  • Train workforce on AI-PHI interaction policies
  • Execute BAAs with all upstream LLM providers (OpenAI/Anthropic/etc.) — we proxy your BYOK key but cannot sign their BAA on your behalf

Technical Safeguards (§164.312)

Technology and policies that protect ePHI and control access to it in AI systems.

What EvalGuard ships

  • Encryption-at-rest: Supabase AES-256 across all tenant data
  • Encryption-in-transit: TLS 1.3 enforced, HSTS preloaded (max-age=2y, includeSubDomains)
  • Access control: unique tenant + user identifiers, automatic session timeout, RLS row-isolation
  • Audit controls: every mutation writes to audit_logs with action/resource_type/user_id/org_id/timestamp
  • Integrity: tamper-evident hash chain on audit_logs (integrity_hash + per-org KDF advisory lock)
  • BYOK provider keys: stored in Supabase Vault, never logged, scoped per-project

Your responsibility

  • Configure session timeouts appropriate to your environment
  • Review audit log retention against your HIPAA retention requirements

AI-Specific HIPAA Requirements

Requirements unique to AI/ML systems that process, generate, or interact with PHI — prompt safety, output validation, clinical decision support.

What EvalGuard ships

  • PII firewall: pre-LLM regex + LLM-based detection across SSN / Credit Card / Email / Phone / IP / Passport / Medical Record Number patterns
  • Output guardrail: post-response scan with redact / block / flag actions (gateway-level + per-wrapper)
  • Prompt-injection defense: 249 attack plugins covering OWASP LLM Top 10 + Agentic AI Top 10
  • Output-faithfulness scorers: hallucination detection for clinical decision support contexts
  • Per-frame voice guardrails for telemedicine AI (voice-clone + deepfake detection)

Your responsibility

  • Define your PHI-detection thresholds in firewall config
  • Choose redact-vs-block policy per workload (we recommend block for chart-summarization, redact for patient-facing chat)

Breach Notification (§164.400-414)

Requirements for detecting, assessing, and reporting breaches of unsecured PHI through AI system compromise.

What EvalGuard ships

  • GDPR Article 33 breach-notification flow at /api/v1/privacy/incidents (HIPAA-compatible — both require 60-day notification for breaches affecting 500+ individuals)
  • Anomaly detection in audit logs — chain-break detection on tamper-evident integrity_hash
  • Multi-org fleet dashboard for cross-tenant breach correlation
  • Real-time alerting via configured webhooks + Sentry integration

Your responsibility

  • Notify affected individuals within 60 days of breach discovery (we provide the data; you own the notification)
  • Notify HHS Office for Civil Rights per §164.408

Privacy Rule (§164.500-534)

Standards for protecting individually identifiable health information and governing its use and disclosure by AI systems.

What EvalGuard ships

  • Minimum necessary: PII redaction at gateway boundary strips PHI from logs/traces unless explicitly opted-in
  • Consent gates: subject-email consent verification at /api/v1/privacy/consent — refuses LLM call if subject has withdrawn for the requested purpose
  • Patient rights: /api/v1/privacy/dsr intake + account_deletion_full() atomic Postgres RPC for right-to-erasure
  • Data Subject Right items: read, amend, accounting-of-disclosures all wired

Your responsibility

  • Map your specific use cases to permitted disclosures under §164.502
  • Maintain accounting-of-disclosures per §164.528

Building healthcare AI?

The HIPAA control mapping is one of 33 frameworks we ship. For dashboards + auto-generated control coverage reports against your own deployment data, see /dashboard/compliance.

Request a BAAHealthcare AI use cases →