"What is a 'business associate' under HIPAA?"	"Any vendor that creates, receives, maintains, or transmits PHI on behalf of a covered entity. Because it processes PHI, it must sign a Business Associate Agreement (BAA) that flows HIPAA obligations down to it (and onward to its subcontractors)."	c3::ft21::recall
"Why does running an open-weights model on your own on-prem GPUs eliminate the need for a BAA (for the LLM)?"	"A BAA exists because a THIRD PARTY processes the PHI. If you run the model on your own GPUs, no third party touches the PHI for inference — so there is no business associate, and no BAA is required for the LLM itself. The regulatory hook disappears with the third party."	c3::ft21::recall
"State the core teaching point of FT21 in one sentence."	"Under HIPAA, any vendor processing PHI is a business associate requiring a BAA; run the model on your own on-prem GPUs and no third party processes the PHI — no business associate, no BAA. Local eliminates the business-associate relationship at the structural level."	c3::ft21::recall
"Name the four ways to run an LLM on PHI, weakest to strongest data-exposure posture."	"(1) Cloud endpoints under BAA (multi-tenant). (2) Dedicated capacity (single-tenant). (3) Self-hosted open weights (your VPC). (4) On-prem GPUs (your metal). Each step rightward moves the boundary from contractual (a BAA) to physical (a cable not plugged in)."	c3::ft21::recall
"Is any LLM 'HIPAA certified'? What is the correct framing?"	"No. HHS does not certify models, vendors, or software. 'HIPAA compliant' is a property of a DEPLOYMENT (a chain of BAAs or their elimination via local, plus technical safeguards, audit trails, administrative/physical safeguards, and a risk analysis) — NOT a property of the model. The model is a component."	c3::ft21::recall
"What is the teaching point 'you can't get a BAA that covers everything'?"	"Even with a signed BAA + zero-data-retention, coverage is ENDPOINT-SPECIFIC, not product-wide. Image/vision inputs are frequently excluded from ZDR; stateful products (Assistants/Threads) have unclear or narrower coverage; batch/embeddings/fine-tuning endpoints must be checked individually. A real workflow almost always touches at least one uncovered surface."	c3::ft21::recall
"What is zero-data-retention (ZDR) and what is its key limitation?"	"ZDR is a vendor commitment (where offered) to not retain customer inputs/outputs for training or other purposes. The key limitation: coverage is ENDPOINT-SPECIFIC. A covered chat-completions endpoint does not mean a covered vision, batch, embeddings, or fine-tuning endpoint. You must map every endpoint your app calls."	c3::ft21::recall
"What is de-identification as it applies to LLM fine-tuning data, and why is it defense-in-depth even under local?"	"Removing/replacing PHI (direct identifiers, quasi-identifiers, free-text PHI) from the training corpus via Safe Harbor (18 identifiers) or Expert Determination, before fine-tuning. It is defense-in-depth because the model can MEMORIZE identifiers from raw PHI and they become extractable — local protects against egress, not against memorization-by-insider."	c3::ft21::recall
"What is the fine-tuning data risk, and what is the foundational evidence for it?"	"That a model fine-tuned on data containing PHI can MEMORIZE that PHI, making it extractable by prompting. The foundational evidence is Carlini et al., 'Extracting Training Data from Large Language Models' — fine-tuned models store training examples verbatim and they can be recovered adversarially. Risk scales with repetition and rarity of the identifier."	c3::ft21::recall
"Name three tools for de-identifying clinical text before fine-tuning."	"Microsoft Presidio (open source, rule + ML), Tonic Textual (commercial, LLM-aware), or a custom pipeline (spaCy + medical NER + regex). The output is a PHI-scarce corpus verified by a re-identification scan before training."	c3::ft21::recall
"What does DP-SGD do, and when is it the right call?"	"Differentially Private Stochastic Gradient Descent bounds the model's memorization of any single training example by clipping/noising gradients. Costly (slower training, some quality loss). The right call when training data is high-sensitivity EVEN AFTER de-identification — e.g., behavioral health, substance use, HIV status."	c3::ft21::recall
"Name the four anti-patterns from FT21."	"(1) Assuming the API BAA covers everything (coverage is endpoint-specific). (2) Fine-tuning on raw PHI without de-identification (memorization → extraction). (3) No audit logging (Security Rule requires audit controls; local does not exempt you). (4) Treating 'local' as sufficient without the technical safeguards (encryption, access controls, risk analysis still required)."	c3::ft21::recall
"Why is a signed BAA 'necessary but not sufficient' for an API deployment?"	"Necessary: it flows HIPAA obligations to the vendor and subcontractors — without it the vendor cannot lawfully process PHI. Not sufficient: it does not guarantee every product surface honors ZDR. You still must audit the per-endpoint coverage matrix (vision, stateful, batch, embeddings, fine-tuning). The BAA is the floor, not the ceiling."	c3::ft21::application
"Scenario: your clinical app sends a wound photo through a vendor's vision endpoint under a signed BAA. Why might this still be a compliance problem?"	"Because vision/multimodal inputs are FREQUENTLY EXCLUDED from zero-data-retention even under a signed BAA (per Protecto's analysis). The text path may be covered; the image path may not. The request succeeds and PHI has silently flowed through an uncovered surface. Coverage must be verified per-endpoint, not assumed from the BAA."	c3::ft21::application
"A team chooses 'self-hosted open weights in our VPC' (Option 3). What residual risk remains that Option 4 (on-prem GPUs) does not have?"	"The cloud provider's physical/administrative access to the instances, and any provider-managed services (telemetry, host agents, snapshots) that touch the VMs. With careful config you can argue the provider is a 'conduit' not a business associate, but the residual risk is provider-side access. Option 4 eliminates this by putting the metal in your building."	c3::ft21::application
"For a clinical-decision-support LLM handling PHI, which deployment option is the target architecture, and which is the acceptable compromise?"	"Target: Option 4, on-prem GPUs (PHI never leaves the building; no BAA for the LLM). Acceptable compromise: Option 3, self-hosted open weights in your VPC (PHI may stay in your tenancy; BAA often avoidable with careful config). Options 1–2 (cloud under BAA) are last resorts, not defaults."	c3::ft21::application
"Your team says 'we're local, so we can train on the raw clinical notes.' What is wrong with this, and what should they do?"	"Local eliminates the EGRESS/BAA risk; it does NOT eliminate the memorization risk. A model trained on raw PHI can memorize identifiers (Carlini et al.) and they become extractable by an insider. They should de-identify the corpus first (Presidio/Tonic, Safe Harbor or Expert Determination), train on the PHI-scarce version, and evaluate for memorization before deploy."	c3::ft21::application
"What must be in the audit log of a local LLM serving a clinical workflow, per the HIPAA Security Rule?"	"Every prompt, every response, every model invocation, every access — who, when, model version, prompt hash, response hash. Retained per the organization's security-rule posture (commonly 6 years). The log store itself contains PHI and must be access-controlled. A local deployment with no logging is non-compliant AND un-forensicable."	c3::ft21::application
"A vendor claims their model is 'HIPAA compliant.' How should a senior engineer respond?"	"Ask what they actually mean: do they offer a BAA? For which endpoints/surfaces? Is ZDR available and for which endpoints? 'HIPAA compliant' is not a property of a model — it is a property of a deployment. The model is a component; compliance is the system around it (BAA chain or local elimination + safeguards + audit + risk analysis)."	c3::ft21::application
"Why is the local path structurally cleaner than 'API under BAA' — not just operationally cheaper or easier?"	"Because it eliminates the business-associate relationship at the structural level: no data egress to litigate, no subcontractor chain to map, no endpoint-coverage matrix to maintain for the life of the product, no silent uncovered surface. The risk surface is YOUR network, YOUR GPUs, YOUR access controls — things you directly own. A cable you never plugged in cannot leak."	c3::ft21::analysis
"How does the FT21 thesis ('local eliminates the BAA') connect to the course thesis ('the model steers; the harness bounds')?"	"Pillar 7 is where 'the harness bounds' becomes load-bearing in the most literal sense: the boundary is not a policy gate, it is a PHYSICAL boundary — the data does not leave the premises. Local serving is the boundary enforced by topology rather than by contract. Contracts can be breached, mis-scoped, or out-of-date; a cable you never plugged in cannot leak."	c3::ft21::analysis
"Why is defense-in-depth the correct posture for HIPAA-LLM, and what are the layers in the local case?"	"No single control is trusted alone. Layers: (1) de-identify before training (because the model might memorize), (2) evaluate for memorization (because de-identification might miss something), (3) DP-SGD for high-sensitivity subsets, (4) serve under audit + access controls, (5) run local (because the API might leak). Each control compensates for the failure modes of the others. HIPAA's own structure encodes this — the Security Rule lists safeguard categories, not alternatives."	c3::ft21::analysis
"A team deploys local but skips encryption at rest and access controls, arguing 'we're on-prem so we're compliant.' Why is this the worst-of-both-worlds?"	"Local eliminates the BAA/data-egress problem but does NOT eliminate the Security Rule. Skipping encryption, access controls, and risk analysis makes the deployment non-compliant AND exposed. Local is the strongest data-EXPOSURE posture, but it is not a substitute for the safeguards — it is the foundation they sit on. A non-compliant local deployment is worse than a compliant API-under-BAA deployment."	c3::ft21::analysis
"For the Meridian CDS scenario (phase-2 imaging workflow), why is API-under-BAA eliminated as an option?"	"Because phase-2 imaging routes PHI (identifiable body images) through a vision endpoint whose ZDR coverage is, per Protecto's analysis, typically EXCLUDED from zero-retention. Combined with the compliance office's constraint ('we will not police endpoint-by-endpoint for the life of the product'), the API path creates a silent uncovered surface that the org has explicitly refused to maintain. Local eliminates the coverage question entirely."	c3::ft21::analysis
"Why does the rarity/repetition of an identifier in training data affect memorization risk?"	"Memorization scales with repetition and rarity. A name appearing once in training is unlikely to be extracted. A name appearing in fifty notes, or a rare identifier (rare MRN format, rare ZIP + profession combination) the model latches onto as a pattern, is MORE extractable. This is why de-identification must handle quasi-identifiers, not just direct identifiers — rare combinations re-identify."	c3::ft21::analysis
"What is FT20's role as the prerequisite to FT21, and why is the dependency structural rather than incidental?"	"FT20 (Serving Stacks) gives you the operational capability to actually serve a model on your own metal: vLLM, TGI, Ollama, llama.cpp, the quant formats, the VRAM math. Without that capability, the 'local eliminates the BAA' move is theoretical — you cannot make it. FT21 is the REGULATORY PAYOFF for FT20's operational capability. The dependency is structural: the compliance posture is impossible without the serving capability."	c3::ft21::analysis
