HIPAA / PHI Handling
HIPAA (the Health Insurance Portability and Accountability Act) applies to Covered Entities and their Business Associates when handling Protected Health Information (PHI). If you build or operate AI systems that process health information for HIPAA-regulated entities, this page describes how VeriProof fits into that context.
A Business Associate Agreement (BAA) is required before using VeriProof in a production environment where PHI may be captured. Contact legal@veriproof.app to request a BAA before going live.
Does VeriProof Handle PHI?
That depends entirely on what your SDK adapters send to VeriProof.
VeriProof captures what your AI pipeline produces: the inputs you send to language models and the outputs they return. If those inputs or outputs contain PHI (patient names, diagnoses, treatment plans, dates of birth, insurance information, medical record numbers, or any of the other identifiers enumerated in the HIPAA Safe Harbor de-identification standard, 45 CFR 164.514(b)(2)), then VeriProof is processing PHI on your behalf and becomes a Business Associate. Data that has been de-identified under Safe Harbor or an Expert Determination is no longer PHI, so thorough de-identification before capture keeps VeriProof outside that scope.
VeriProof does not require PHI to function. The system captures observability signals — you control what’s included through your SDK adapter configuration.
PHI Minimisation
The recommended approach for HIPAA-regulated use cases is to minimise PHI at the point of capture:
```python
from veriproof import VeriproofClient
from veriproof.adapters import OpenAIAdapter

client = VeriproofClient(api_key="vp_live_...")
adapter = OpenAIAdapter(
    client=client,
    # Redact before capture — pre-process your inputs/outputs
    # to remove PHI before they reach the VeriProof SDK
    redact_fields=["patient_name", "dob", "mrn"],
)
```
If your use case requires capturing clinical notes or other PHI for auditability — for example, in a clinical decision support system — ensure your BAA is in place before submitting PHI-containing sessions.
HIPAA Safeguards and VeriProof’s Controls
Administrative Safeguards
| HIPAA requirement | VeriProof control |
|---|---|
| Security officer designation | VeriProof has a designated security officer |
| Workforce security training | Staff complete annual security awareness training |
| Access management procedures | Role-based access in the Staff Portal; Managed Identity for system access |
| Audit controls | Staff Portal access is logged; Customer Portal access logs available via API |
| Business Associate Agreements | BAA available; see below |
Technical Safeguards
| HIPAA requirement | VeriProof control |
|---|---|
| Access controls | API key authentication; compound key model with scope limitations |
| Audit controls | Immutable session records with blockchain-anchored Merkle proofs |
| Integrity controls | AES-256-GCM authenticated encryption at the application layer (a modified ciphertext fails authentication on decrypt); blockchain-anchored proof verification |
| Transmission security | TLS 1.3 enforced for all external communication; internal communication via Managed Identity |
Physical Safeguards
VeriProof runs on Microsoft Azure infrastructure. Azure’s physical safeguards (data centre access controls, environmental controls, and media disposal) cover the facility-level physical safeguard requirements for the hosting layer; refer to Microsoft’s HIPAA implementation guidance for Azure-level documentation. The workstation use, workstation security and device and media controls in the Physical Safeguards standard (45 CFR 164.310) apply to your own environment and remain your responsibility.
What VeriProof Does Not Do
To avoid misunderstanding, VeriProof does not:
- Provide clinical decision support or diagnostic features
- Validate whether your AI system is appropriate for clinical use
- Guarantee that the AI outputs captured in session records meet any clinical quality standard
- Serve as a substitute for clinical audit systems required under state or federal healthcare regulations
VeriProof records what your AI system decided. Assessing whether those decisions were clinically appropriate is your responsibility.
Business Associate Agreement
A standard BAA is available for customers processing PHI through VeriProof. The BAA covers:
- VeriProof’s obligations as a Business Associate under HIPAA and HITECH
- Permitted uses and disclosures of PHI
- Safeguard requirements VeriProof commits to maintaining
- Breach notification procedures (aligned with the HIPAA Breach Notification Rule: notice without unreasonable delay and no later than 60 calendar days after discovery)
- Termination and data return/destruction procedures
To request a BAA:
- Email legal@veriproof.app from your registered account email
- Include your organisation name, account ID, and a brief description of your use case
- We’ll send the standard BAA for review within two business days
Enterprise customers may negotiate custom BAA terms as part of their contract.
HIPAA + GDPR Dual Compliance
If you serve patients in both the United States and the European Union, your AI system may need to satisfy both HIPAA and GDPR simultaneously. VeriProof supports this:
- VeriProof’s cryptographic erasure mechanism handles the GDPR Article 17 right to erasure without disrupting HIPAA retention: erasure destroys the key material for the session, so the stored content becomes unreadable while the blockchain anchor persists
- Legal holds can block erasure requests that would conflict with the six-year documentation retention minimum HIPAA imposes (45 CFR 164.316(b)(2)) or with longer state-law medical record retention periods
- Data residency can be configured separately for EU and US customer populations on the Enterprise tier
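The first two points above describe an interaction that is easy to get wrong: an erasure that also removed the anchored hash would break the retention story, and an anchor that depended on the key would break once the key is gone. The following is an added model of that interaction, written for this page and not VeriProof’s implementation. It anchors hashes of ciphertext rather than of plaintext, so the Merkle root stays verifiable after the per-session key is destroyed, and a legal hold simply refuses the key destruction. Because the Python standard library has no AEAD, `seal`/`unseal` stand in for AES-256-GCM with an HMAC-SHA256 counter-mode keystream plus an HMAC tag (encrypt-then-MAC, same nonce || ciphertext || tag layout); in production use a real AEAD. Class and function names (`SessionStore`, `demo`) and the session content are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Set


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive independent encryption and MAC keys from one content key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; at least `length` bytes."""
    blocks = length // 32 + 1
    return b"".join(hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(blocks))


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in for AES-256-GCM (stdlib only): encrypt-then-MAC, nonce||ct||tag."""
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; any modified byte is rejected."""
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return bytes(c ^ s for c, s in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def merkle_root(leaves: List[bytes]) -> bytes:
    """Pairwise SHA-256 tree; an odd trailing node is paired with itself."""
    level = list(leaves)
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [hashlib.sha256(level[i] + level[i + 1]).digest() for i in range(0, len(level), 2)]
    return level[0]


class SessionStore:
    """Illustrative model: ciphertext and anchors are retained for the HIPAA
    retention period; erasure destroys only the per-session key."""

    def __init__(self) -> None:
        self.keys: Dict[str, bytes] = {}    # per-session content keys (the only erasable part)
        self.blobs: Dict[str, bytes] = {}   # sealed session content, retained
        self.order: List[str] = []          # leaf order used for anchoring
        self.holds: Set[str] = set()        # sessions under legal hold
        self.chain: List[bytes] = []        # stand-in for roots written to the blockchain

    def record(self, session_id: str, content: bytes) -> None:
        key = os.urandom(32)
        self.keys[session_id] = key
        self.blobs[session_id] = seal(key, content)
        self.order.append(session_id)

    def _leaves(self) -> List[bytes]:
        # Leaves hash ciphertext, so the proof never depends on the key.
        return [hashlib.sha256(self.blobs[s]).digest() for s in self.order]

    def anchor(self) -> bytes:
        root = merkle_root(self._leaves())
        self.chain.append(root)
        return root

    def read(self, session_id: str) -> Optional[bytes]:
        key = self.keys.get(session_id)
        return None if key is None else unseal(key, self.blobs[session_id])

    def place_hold(self, session_id: str) -> None:
        self.holds.add(session_id)

    def erase(self, session_id: str) -> bool:
        """Article 17 erasure by key destruction; refused while a hold exists."""
        if session_id in self.holds:
            return False
        self.keys.pop(session_id, None)
        return True

    def verify(self) -> bool:
        """Recompute the root from retained ciphertext: still valid after
        erasure, and fails if any retained blob was altered."""
        return bool(self.chain) and hmac.compare_digest(merkle_root(self._leaves()), self.chain[-1])


def demo() -> Dict[str, object]:
    """Record, anchor, hold, erase, verify, tamper. Constructed content."""
    store = SessionStore()
    store.record("s1", b"patient reports chest pain; plan: ECG, troponin")
    store.record("s2", b"medication reconciliation complete")
    store.anchor()
    out: Dict[str, object] = {"before": store.read("s1")}
    store.place_hold("s2")
    out["erase_held"] = store.erase("s2")           # False: hold blocks erasure
    out["erase_s1"] = store.erase("s1")             # True: key destroyed
    out["after"] = store.read("s1")                 # None: content unreadable
    out["verify_after_erasure"] = store.verify()    # True: anchor persists
    first = store.blobs["s1"][0] ^ 0x01             # flip one bit of retained ciphertext
    store.blobs["s1"] = bytes([first]) + store.blobs["s1"][1:]
    out["verify_after_tamper"] = store.verify()     # False: tamper detected
    return out
```

The design choice that makes the dual-compliance claim hold is in `_leaves`: anchoring hashes of ciphertext means the proof of what was recorded survives erasure of the means to read it, while any later edit to the retained ciphertext still breaks verification.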
Next Steps
- GDPR — EU data protection obligations
- SOC 2 — security controls audit status
- Encryption at Rest — encryption implementation details
- Data Processing Agreement — DPA terms for non-US customers