Most AI vendors quietly aren't HIPAA-ready
When your legal team asks “can this vendor handle PHI?”, the vendor's answer is often some variation of “yes, we're secure”, which is not the same thing. HIPAA readiness for an LLM-based workflow is a specific set of conditions (listed below) that must all hold at the same time: a signed BAA with you means little if the model provider behind the API or the hosting layer underneath has no BAA of its own. Most AI vendors check one or two of these and hope no one notices.
| HIPAA condition | Typical AI vendor | UNMIRI |
|---|---|---|
| Signed BAA with customer | Available only on $$$ enterprise tier, if at all | Available on every paid tier |
| BAA with downstream LLM provider | Often absent or unclear | Anthropic HIPAA-ready API with signed BAA |
| Zero-retention of PHI | Vague “we don't store it” assurances | Contractually enforced, documented in BAA chain |
| BAA with infrastructure (hosting, DB, storage) | Rarely addressed | Vercel + AWS BAAs |
| US-only data residency | Often not guaranteed | Enforced at region-config layer |
| Audit logging of PHI access | Sometimes | Every read/write logged with user + timestamp |
| Training on customer data | Used for training by default on consumer tiers | Contractually forbidden on enterprise tier |
The architecture, briefly
PHI enters through a single authenticated endpoint, is processed in memory by the GraphRAG pipeline, and leaves as either structured JSON or a rendered PDF. Nothing about the patient persists in UNMIRI systems once the response has been sent; the only durable record is the audit entry, which carries the user and timestamp, not the PHI itself. The LLM call goes over an enterprise-tier API under a signed zero-retention BAA: the provider is contractually barred from storing the prompt or training on it.
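The two properties above pull against each other unless the audit log is designed carefully: "every read and write is logged" and "nothing about the patient persists" can only both hold if the log records who touched which record and when, without the record's contents. The following is an added illustration of that pattern, written for this page and not UNMIRI's own code: a hypothetical in-memory handler whose only side effect is an audit entry keyed by an HMAC fingerprint of the record identifier, plus a check that no PHI value from the request leaked into the log. Field names, the HMAC key and the sample patient payload are constructed for the example.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed example: request fields that carry PHI (hypothetical names).
PHI_FIELDS = ("patient_name", "dob", "mrn", "variants")

# Hypothetical per-deployment secret; a plain SHA-256 of an MRN would be
# guessable by brute force, so the fingerprint is keyed.
AUDIT_HMAC_KEY = b"example-audit-key-not-for-production"

AUDIT_LOG = []  # stands in for an append-only audit sink


def fingerprint(value: str) -> str:
    """Keyed hash: lets audit entries be correlated per record without
    storing the identifier itself."""
    return hmac.new(AUDIT_HMAC_KEY, value.encode(), hashlib.sha256).hexdigest()[:16]


def audit(user: str, action: str, payload: dict) -> dict:
    """Record who did what, to which record (by fingerprint), and when.
    Only field *names* are logged, never field values."""
    entry = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user,
        "action": action,
        "record_fp": fingerprint(payload["mrn"]),
        "fields_touched": sorted(k for k in payload if k in PHI_FIELDS),
    }
    AUDIT_LOG.append(entry)
    return entry


def handle_request(user: str, payload: dict) -> dict:
    """Process PHI in memory only. The payload is never written anywhere;
    it goes out of scope when this function returns."""
    audit(user, "read", payload)
    # Stand-in for the reasoning pipeline; the real thing would query a graph.
    summary = {
        "variant_count": len(payload["variants"]),
        "record_fp": fingerprint(payload["mrn"]),
    }
    audit(user, "write", payload)
    return summary


def audit_log_leaks_phi(payload: dict) -> bool:
    """Regression check for the log design: True if any PHI value from the
    request appears verbatim anywhere in the serialized audit log."""
    blob = json.dumps(AUDIT_LOG)
    for key in PHI_FIELDS:
        value = payload.get(key)
        values = value if isinstance(value, list) else [value]
        if any(str(v) in blob for v in values if v is not None):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample payload; not real patient data.
    sample = {
        "patient_name": "Jane Doe",
        "dob": "1970-01-01",
        "mrn": "MRN-0042",
        "variants": ["BRAF V600E", "TP53 R175H"],
    }
    print(handle_request("dr_smith", sample))
    print(json.dumps(AUDIT_LOG, indent=2))
    print("leak:", audit_log_leaks_phi(sample))
```

The leak check is the part worth keeping in a real pipeline: run it in CI against representative payloads so that a future "helpful" log line that includes the patient name or raw MRN fails the build rather than quietly turning the audit store into a PHI store.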
What your procurement team receives
Before pilot kickoff, we provide a compliance package ready for your legal and compliance review:
- UNMIRI BAA — executable, not boilerplate. Reviewed by healthcare counsel.
- Data-flow diagram — every PHI touchpoint labeled with provider, BAA status, and retention policy.
- Downstream BAA references — Vercel, AWS, Anthropic — confirmed active.
- Zero-retention attestations — direct references to enterprise-tier API terms.
- Access controls summary — RBAC model, audit log retention, incident response.
- SOC-2 Type II roadmap — honest about timing (Q4 2026 target). No false claims.
What “HIPAA-ready” does not mean
We say “HIPAA-ready” deliberately. UNMIRI does not claim to be “HIPAA-certified” or “HIPAA-approved” (neither exists; HHS does not certify or endorse vendors), nor “fully compliant” in a way that implies an external audit has been completed. We claim a BAA-backed, zero-retention, US-residency architecture with the paperwork to prove it, and we mark SOC-2 Type II as roadmap until the audit is done. Lab procurement teams respect honesty here; they catch the difference instantly.
Full compliance posture is on the security page.
How UNMIRI actually does this
Clinical reasoning lives in a Neo4j knowledge graph grounded in OncoKB, ClinVar, ClinicalTrials.gov, and openFDA. The 2-page output is rendered by deterministic templates, not by an LLM. Anthropic is the single LLM subprocessor, scoped to extraction edge cases and long-tail variant fallback, and it sees de-identified data only; the zero-retention BAA with Anthropic is in place regardless, so the LLM path does not rely on de-identification alone. BAAs are in place with every PHI-touching service. More on the architecture.