# HIPAA Compliance
This guide maps SIX capabilities to HIPAA Security Rule requirements, specifically the technical safeguards under 45 CFR 164.312 and the administrative safeguards under 45 CFR 164.308.
**Self-Attested Alignment**
This mapping represents architectural alignment with HIPAA requirements, not formal certification. Your covered entity's compliance officer and legal counsel make the final determination of HIPAA compliance. SIX provides cryptographic tools that support your compliance program.
## HIPAA Requirements SIX Addresses

### 164.312(a) -- Access Control
Requirement: Implement technical policies and procedures for electronic information systems that maintain ePHI to allow access only to authorized persons or software programs.
| HIPAA Specification | SIX Implementation |
|---|---|
| Unique user identification | API keys tied to individual accounts with unique identifiers |
| Emergency access procedure | Key management supports immediate key rotation and revocation |
| Automatic logoff | Session tokens with configurable expiration |
| Encryption and decryption | All data encrypted in transit (TLS); sovereign routing enforces boundary controls |
How it helps: Every SIX API call requires authentication. Cryptographic signature authentication (available for high-assurance environments) provides non-repudiation -- proof that a specific entity made a specific request.
### 164.312(b) -- Audit Controls
Requirement: Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI.
| HIPAA Specification | SIX Implementation |
|---|---|
| Record system activity | Every inference generates a signed receipt with timestamp |
| Examine activity | Verification API provides on-demand receipt validation |
| Retain audit logs | Receipts are independently storable and verifiable at any future date |
| Tamper-evident audit trail | Cryptographic commitments make any modification detectable |
How it helps: SIX receipts are purpose-built audit records. Each receipt contains:
- Who made the request (via authenticated API key)
- What was requested and returned (bound by cryptographic commitment)
- When the request was processed (timestamp in attestation)
- Where the data was processed (routing field)
- Proof of integrity (signature + commitment)
```python
# Example: HIPAA-compliant audit record
# `receipt` is the parsed receipt returned with the inference response;
# constructed placeholder values are shown here so the snippet runs stand-alone.
receipt = {
    "receipt_id": "rcpt_placeholder",
    "routing": "sovereign",
    "attestation": {"timestamp": "2024-01-01T00:00:00Z"},
}
audit_entry = {
    "timestamp": receipt["attestation"]["timestamp"],
    "user_id": "your-authenticated-user-id",
    "action": "ai_inference_phi_involved",
    "receipt_id": receipt["receipt_id"],
    "routing": receipt["routing"],  # Must be "sovereign" for ePHI
    "integrity": "verified",
    "verification_method": "api",
}
```
### 164.312(c) -- Integrity
Requirement: Implement policies and procedures to protect ePHI from improper alteration or destruction.
| HIPAA Specification | SIX Implementation |
|---|---|
| Mechanism to authenticate ePHI | Cryptographic commitments bind all receipt fields |
| Detect unauthorized alteration | Any modification breaks the commitment -- verification fails |
| Corroborate data integrity | Independent verification via API, CLI, or manual methods |
How it helps: The receipt's cryptographic commitment functions as a tamper seal. Modify any field -- the receipt ID, the routing, the response content reference -- and the commitment will not match. This is not a policy statement; it is a mathematical property.
**Demonstrating integrity to auditors**
Show the auditor a receipt, then demonstrate that modifying any field causes verification to fail. This proves the integrity protection is mathematical, not procedural.
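The following added example (not SIX's own code) ties the audit-record passage above to the tamper-seal demonstration: it seals a constructed sample receipt with a stand-in commitment, runs the auditor demonstration of altering each field in turn, and only emits a HIPAA audit record for a receipt that verifies and was routed to a private tier. The commitment here is assumed to be SHA-256 over canonical JSON purely to illustrate the property; the page does not describe SIX's actual scheme, and the receipt values are placeholders.

```python
import copy
import hashlib
import json

# Constructed sample receipt (placeholder values); field names follow the page.
SAMPLE_RECEIPT = {
    "receipt_id": "rcpt_placeholder_0001",
    "routing": "sovereign",
    "attestation": {"timestamp": "2024-01-01T00:00:00Z"},
    "response_ref": "sha256:placeholder-response",
}
PRIVATE_TIERS = ("sovereign", "confidential")  # tiers the page allows for ePHI

def commitment(fields):
    # Stand-in commitment: SHA-256 over canonical JSON of every field.
    # Illustrates the tamper-seal property only; not SIX's actual scheme.
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()

def seal(receipt):
    # Attach a commitment that binds every other field of the receipt.
    return dict(receipt, commitment=commitment(receipt))

def verify(receipt):
    # Recompute the commitment over all fields except the commitment itself.
    fields = {k: v for k, v in receipt.items() if k != "commitment"}
    return receipt.get("commitment") == commitment(fields)

def tamper_demo(receipt):
    # Auditor demonstration: alter each field in turn; every copy must fail verify().
    results = {}
    for key in [k for k in receipt if k != "commitment"]:
        tampered = copy.deepcopy(receipt)
        tampered[key] = "TAMPERED"
        results[key] = verify(tampered)
    return results

def audit_entry(receipt, user_id):
    # Only a verified, privately routed receipt becomes an audit record;
    # anything else is handled as a verification-failure incident instead.
    if not verify(receipt):
        raise ValueError("receipt failed integrity verification")
    if receipt["routing"] not in PRIVATE_TIERS:
        raise ValueError("ePHI workload was not routed to a private tier")
    return {
        "timestamp": receipt["attestation"]["timestamp"],
        "user_id": user_id,
        "action": "ai_inference_phi_involved",
        "receipt_id": receipt["receipt_id"],
        "routing": receipt["routing"],
        "integrity": "verified",
        "verification_method": "local_commitment_check",
    }
```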
### 164.312(d) -- Person or Entity Authentication
Requirement: Implement procedures to verify that a person or entity seeking access to ePHI is the one claimed.
| HIPAA Specification | SIX Implementation |
|---|---|
| Verify identity of accessor | API key authentication on every request |
| Strong authentication | Cryptographic signature authentication (high-assurance option) |
| Non-repudiation | Digital signatures provide proof of origin |
### 164.312(e) -- Transmission Security
Requirement: Implement technical security measures to guard against unauthorized access to ePHI being transmitted over an electronic communications network.
| HIPAA Specification | SIX Implementation |
|---|---|
| Integrity controls | End-to-end request/response integrity via signed receipts |
| Encryption | TLS encryption on all API communications |
## Administrative Safeguards

### 164.308(a)(1) -- Security Management Process
| Requirement | SIX Support |
|---|---|
| Risk analysis | Sovereign routing reduces data exposure risk |
| Risk management | Cryptographic controls provide verifiable risk mitigation |
| Sanction policy | Audit trail supports accountability |
### 164.308(a)(8) -- Evaluation
| Requirement | SIX Support |
|---|---|
| Periodic evaluation | Batch receipt verification supports periodic security evaluation |
| Technical compliance testing | Receipt verification is a repeatable, automated compliance test |
## Sovereign Routing for ePHI
When processing ePHI through SIX, use the sovereign privacy tier:
```bash
curl -X POST "$SIX_ENDPOINT/v1/chat/completions" \
  -H "Authorization: Bearer $SIX_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "model": "default",
    "messages": [
      {"role": "user", "content": "Your ePHI-related prompt"}
    ],
    "privacy_tier": "sovereign"
  }'
```
The sovereign tier ensures:
- Dedicated compute (not shared infrastructure)
- Data stays within your organizational boundary
- Routing is cryptographically attested in the receipt
**Always use sovereign routing for ePHI**
The standard tier uses shared compute. For any workload involving ePHI, specify `"privacy_tier": "sovereign"` or `"privacy_tier": "confidential"`.
## Business Associate Agreement (BAA)
SIX is available as a Business Associate under HIPAA. A BAA establishes the contractual framework for handling ePHI through the SIX platform.
Business Associate Agreements are available for qualifying covered entities and their business associates. Contact us to discuss BAA requirements and establish the appropriate agreement.
## HIPAA Compliance Checklist
Use this checklist when preparing for a HIPAA audit involving AI workloads through SIX:
| Item | Action | Status |
|---|---|---|
| BAA executed | Ensure BAA is in place before processing ePHI | |
| Sovereign routing configured | All ePHI workloads use `privacy_tier: "sovereign"` | |
| Receipt storage | Receipts stored in your audit system per retention policy | |
| Periodic verification | Automated or scheduled receipt verification running | |
| Access controls documented | API key management procedures documented | |
| Incident response | Procedure for handling verification failures | |
| Workforce training | Staff aware of SIX receipt and verification procedures | |
## Next Steps
- SOX Compliance -- Financial audit trail requirements
- GDPR Compliance -- Data sovereignty requirements
- Verification Guide -- How to verify receipts
- API Reference -- Endpoint documentation