A signed BAA is the contract. The architecture is what HIPAA auditors actually test. Run AI inside your perimeter, with audit logs in your SIEM and full source-code ownership.
Most healthcare organizations start their AI procurement with the right opening question: will the vendor sign a Business Associate Agreement. The answer needs to be yes — but it is not where HIPAA-aligned AI ends.
HIPAA's Security Rule applies to every system that touches Protected Health Information, and an AI inference endpoint touches PHI the moment a prompt does. The auditable surface is technical: data residency, audit chain, integrity, transmission security, authentication, and continuity.
ibl.ai is the platform layer that converts a BAA from a signature into a defensible HIPAA posture — running on your infrastructure, logging to your SIEM, with your choice of model per workload and the source code in your repository.
Single-vendor SaaS AI deployments give covered entities legal cover via a BAA, but they put PHI on someone else's infrastructure, audit logs on someone else's dashboard, and continuity on someone else's roadmap. The mismatch is the source of most failed HIPAA-AI audits.
The pattern repeats across hospitals, health systems, payers, and life-sciences companies: a BAA is signed, the deployment runs, the audit arrives, and the auditor asks for evidence in a format the vendor's dashboard cannot produce. The architecture has to support the audit — not the contract.
Vendor dashboards capture inference events but in the vendor's format, on the vendor's retention schedule, accessible only through the vendor's interface — not your audit-of-record system.
HIPAA auditors flag the gap when they request a defensible 90-day log of PHI prompts in the institution's audit format and the vendor's dashboard cannot produce it.SaaS AI routes prompts to the vendor's inference endpoint. Even with a BAA, PHI is processed on infrastructure the covered entity does not control, in regions that may not align with state residency commitments.
Data-residency commitments to patients and regulators are harder to defend, and the institution carries vendor-side breach risk it cannot directly mitigate.The sanctioned BAA-covered tier is one workflow. Clinicians and staff on personal accounts paste patient notes into unsanctioned AI tools and the BAA covers none of it.
Shadow usage is the dominant HIPAA-AI risk in 2026 — it does not appear in the vendor's dashboard and only shows up in DLP and incident-response reviews.When the vendor deprecates a model your clinical workflow depends on, raises prices, changes terms, or has an outage during an audit, the institution has no fallback inside the same architecture.
AI workloads stall mid-clinical-deployment, and the institution re-procures the platform from scratch under audit pressure.Single-vendor AI means single-model AI. PHI workloads, marketing copy, and developer tools all route to the same vendor's roadmap, with no per-workload routing to a local model when sensitivity demands it.
Highly sensitive PHI workloads share an inference path with low-sensitivity tasks, raising the audit surface for every prompt the institution sends.ibl.ai deploys in your VPC, your data center, or your air-gapped environment. The complete source code is yours. No telemetry leaves your network. Your identity, networking, and audit systems are the platform's identity, networking, and audit systems.
For PHI-heavy workloads — clinical documentation, medical coding, member services with patient context — the platform routes prompts to a local model (Llama, Mistral, Qwen, Phi) running on your GPUs. No external API call. No BAA needed for that hop.
When frontier quality matters and PHI is not involved, the platform routes to ChatGPT Enterprise, Claude via Bedrock, or Gemini via Vertex AI — under the respective BAA. The platform captures the prompt and response in your audit log before and after the external hop.
The audit layer writes structured events to your SIEM — Splunk, Elastic, Sentinel, Datadog — with user identity, timestamp, prompt reference, model identifier, and response reference. Your audit-of-record is the ground truth, not a vendor dashboard.
Identity is federated to your IdP. Role-based access controls map to your IAM. DLP integration flags PHI-shaped content leaving the sanctioned path. Training and attestation flows are first-class workflows, not bolt-on policy.
Because the platform code is yours and the model is per-workload-selectable, vendor changes do not stall clinical AI. A deprecated model is a routing change, not a re-procurement. A vendor outage is a per-workload fallback, not an institutional incident.
Open-weights models run on your GPUs, inside your perimeter. PHI prompts never leave the covered entity. No external API call, no BAA needed for the inference path.
Frontier models reachable through ChatGPT Enterprise, Claude on Bedrock, and Gemini on Vertex AI — each under its own BAA — with the platform's audit layer capturing the prompt and response locally first.
Every prompt, response, and model invocation written to your audit-of-record SIEM in your format, on your retention schedule, with structured fields for user, timestamp, model, and content reference.
Single sign-on through your existing identity provider (Okta, Azure AD, Ping, Shibboleth). No shadow accounts. Every AI session is identity-bound for HIPAA accountability.
Granular RBAC mirrors your organization's data-access policies. Clinicians, residents, administrators, and developers each see the scope appropriate to their role — enforced at the platform level, not at the workflow level.
Browser-level and platform-level guardrails detect PHI-shaped content moving toward unsanctioned AI tools. Shadow usage becomes a visible signal in your security operations, not a hidden risk.
The complete platform code ships with the deployment. Your security and compliance teams inspect, modify, and extend it. No vendor lock-in if priorities, regulations, or vendor terms change.
| Aspect | Without | With ibl.ai |
|---|---|---|
| Where PHI Is Processed | PHI prompts are processed on the vendor's inference infrastructure, even under a BAA. Data-residency commitments depend on the vendor's region selection and disclosure. | PHI workloads route to a local open-weights model running on customer GPUs inside the covered entity. PHI never leaves the perimeter for the inference path. |
| Audit Log Ownership | Audit logs live on the vendor's infrastructure, in the vendor's format, on the vendor's retention schedule. Evidence production for HIPAA audits depends on vendor cooperation. | Logs are written to the customer's SIEM in the customer's audit-of-record format, on the customer's retention schedule. Evidence production is a SIEM query, not a vendor ticket. |
| BAA Scope | A single vendor's BAA covers a single inference path. Multi-model strategies require multiple BAAs, each with separate scope and separate evidence. | Local-model inference needs no BAA; BAA-covered frontier routing is selected per workload. The platform's audit layer unifies evidence across all paths. |
| Workforce Governance | Sanctioned-path adoption depends on the vendor's UX. Shadow usage in personal accounts is invisible to the vendor and the institution. | Sanctioned path is identity-bound through the customer IdP. Shadow usage is a visible DLP and SIEM signal, not a hidden audit risk. |
| Vendor Continuity | Vendor pricing changes, model deprecation, or terms updates can interrupt clinical workflows. Mitigation is re-procurement. | Vendor changes are routing changes. The platform code is owned by the customer; the model is per-workload-selectable; continuity does not depend on any single vendor. |
| Model Choice | Single-vendor SaaS locks the institution to one vendor's roadmap. PHI workloads, marketing, and developer tools share the same inference path. | Frontier models for frontier-quality non-PHI workloads; local open-weights models for PHI workloads. Different models, one governance layer. |
| Air-Gapped Deployment Option | Air-gapped deployment is rare in SaaS AI. Strict residency or segmentation requirements often disqualify the vendor entirely. | Air-gapped deployment is a supported topology. Local-model inference on isolated networks satisfies the strictest residency and Part 2 requirements. |
PHI prompts are processed on the vendor's inference infrastructure, even under a BAA. Data-residency commitments depend on the vendor's region selection and disclosure.
PHI workloads route to a local open-weights model running on customer GPUs inside the covered entity. PHI never leaves the perimeter for the inference path.
Audit logs live on the vendor's infrastructure, in the vendor's format, on the vendor's retention schedule. Evidence production for HIPAA audits depends on vendor cooperation.
Logs are written to the customer's SIEM in the customer's audit-of-record format, on the customer's retention schedule. Evidence production is a SIEM query, not a vendor ticket.
A single vendor's BAA covers a single inference path. Multi-model strategies require multiple BAAs, each with separate scope and separate evidence.
Local-model inference needs no BAA; BAA-covered frontier routing is selected per workload. The platform's audit layer unifies evidence across all paths.
Sanctioned-path adoption depends on the vendor's UX. Shadow usage in personal accounts is invisible to the vendor and the institution.
Sanctioned path is identity-bound through the customer IdP. Shadow usage is a visible DLP and SIEM signal, not a hidden audit risk.
Vendor pricing changes, model deprecation, or terms updates can interrupt clinical workflows. Mitigation is re-procurement.
Vendor changes are routing changes. The platform code is owned by the customer; the model is per-workload-selectable; continuity does not depend on any single vendor.
Single-vendor SaaS locks the institution to one vendor's roadmap. PHI workloads, marketing, and developer tools share the same inference path.
Frontier models for frontier-quality non-PHI workloads; local open-weights models for PHI workloads. Different models, one governance layer.
Air-gapped deployment is rare in SaaS AI. Strict residency or segmentation requirements often disqualify the vendor entirely.
Air-gapped deployment is a supported topology. Local-model inference on isolated networks satisfies the strictest residency and Part 2 requirements.
PHI never leaves the hospital perimeter for the documentation workflow, and the audit trail flows directly into the hospital's SIEM for HIPAA evidence production.
Member PHI stays in the payer's environment with audit logs aligned to state insurance-regulator inquiry formats — no vendor-side dependency in adjudication evidence.
HIPAA covered workflows run on the local model; research workflows leverage frontier models — without operating two parallel AI platforms or two parallel governance regimes.
Patient-identifiable case data stays inside the covered environment; structured audit logs map directly to FDA 21 CFR Part 11 evidence requirements.
PHI stays inside agency infrastructure; the platform's air-gapped option supports the strictest regional and federal data-residency commitments.
Local-model inference keeps Part 2 records inside the provider's perimeter and the audit chain demonstrates the consent-bound access pattern Part 2 requires.
See how ibl.ai deploys AI agents you own and control—on your infrastructure, integrated with your systems.