{
  "module": "FT21 — HIPAA and BAA Elimination",
  "course": "3 — LLM Fine-Tuning Masterclass",
  "version": "1.0.0",
  "duration_minutes": 40,
  "total_questions": 15,
  "bloom_distribution": {
    "target": "20% recall / 40% application / 40% analysis-design",
    "actual": { "recall": 3, "application": 6, "analysis": 6 }
  },
  "passing_score_percent": 70,
  "questions": [
    {
      "id": "Q01", "bloom": "recall", "type": "multiple_choice",
      "prompt": "Under HIPAA, when does a vendor become a 'business associate' requiring a BAA?",
      "options": [
        "When the vendor sells software to a covered entity, regardless of whether it processes PHI.",
        "When the vendor creates, receives, maintains, or transmits PHI on behalf of a covered entity.",
        "Only when the vendor stores PHI at rest; transient processing does not count.",
        "Only when the vendor is itself a health care provider."
      ],
      "answer_index": 1,
      "rationale": "A business associate is any vendor that creates, receives, maintains, or transmits PHI on a covered entity's behalf. Processing PHI — even transiently for inference — is sufficient. The BAA is the contractual instrument that flows HIPAA obligations to that vendor and onward to its subcontractors."
    },
    {
      "id": "Q02", "bloom": "recall", "type": "multiple_choice",
      "prompt": "Why does running an open-weights model on your own on-prem GPUs eliminate the need for a BAA (for the LLM)?",
      "options": [
        "Because on-prem GPUs are automatically HIPAA-certified by the hardware vendor.",
        "Because the BAA requirement only applies to cloud deployments, not on-prem.",
        "Because no third party processes the PHI — a BAA exists to flow obligations to a vendor processing PHI, and there is no such vendor in the local path.",
        "Because open-weights models are exempt from HIPAA by statute."
      ],
      "answer_index": 2,
      "rationale": "The BAA exists because a third party (business associate) processes PHI. In the local path, no third party touches the PHI for inference — you operate the GPUs and the model. With no business associate, there is no regulatory hook for a BAA. The instrument disappears with the third party. (Open-weights and on-prem are not themselves HIPAA-exempt; they remove the vendor relationship.)"
    },
    {
      "id": "Q03", "bloom": "recall", "type": "multiple_choice",
      "prompt": "Is any LLM 'HIPAA certified'? What is the correct framing?",
      "options": [
        "Yes — HHS certifies specific models that pass a security review.",
        "Yes — any model served behind a signed BAA is HIPAA certified.",
        "No — HHS does not certify models, vendors, or software. 'HIPAA compliant' is a property of a deployment (BAA chain or local elimination + safeguards + audit + risk analysis), not of a model.",
        "Yes — open-weights models are HIPAA certified by virtue of being auditable."
      ],
      "answer_index": 2,
      "rationale": "There is no such thing as a 'HIPAA-certified' model. HHS does not certify models. Compliance is a property of the SYSTEM around the model — an unbroken BAA chain (or its elimination via local), technical safeguards (encryption at rest/transit, access controls), audit trails, administrative/physical safeguards, and a documented risk analysis. The model is a component."
    },
    {
      "id": "Q04", "bloom": "application", "type": "multiple_choice",
      "prompt": "Your clinical app sends a wound photo through a vendor's vision endpoint under a signed BAA with zero-data-retention on chat completions. Why might this still be a compliance problem?",
      "options": [
        "It is not — the BAA covers all endpoints uniformly.",
        "Because vision/multimodal inputs are frequently EXCLUDED from zero-data-retention even under a signed BAA. The text path may be covered; the image path may not. Coverage must be verified per-endpoint.",
        "Because wound photos are not PHI.",
        "Because the vendor's BAA only applies to text outputs, not image inputs."
      ],
      "answer_index": 1,
      "rationale": "ZDR coverage is endpoint-specific (Section 21.3). Image/vision inputs are frequently excluded from ZDR per analyses like Protecto's. A request can succeed while PHI silently flows through an uncovered surface. The BAA covers the vendor relationship; it does not guarantee every surface honors ZDR. You must maintain a per-endpoint coverage matrix."
    },
    {
      "id": "Q05", "bloom": "application", "type": "multiple_choice",
      "prompt": "A team says 'we're running local on-prem, so we can fine-tune directly on the raw clinical notes.' What is wrong with this?",
      "options": [
        "Nothing — local means no compliance constraints on training data.",
        "Local eliminates the egress/BAA risk, but NOT the memorization risk. A model fine-tuned on raw PHI can memorize identifiers that become extractable. De-identify the corpus first; treat the model as one control, not the only one.",
        "Fine-tuning is not allowed under HIPAA under any circumstances.",
        "They should use the raw notes but train with a smaller learning rate to avoid memorization."
      ],
      "answer_index": 1,
      "rationale": "This is the memorization anti-pattern (Section 21.6). Local protects against egress, not against memorization-then-extraction-by-insider. The defense-in-depth posture is: de-identify before training (Presidio/Tonic, Safe Harbor or Expert Determination), train on the PHI-scarce corpus, evaluate for memorization before deploy, and serve under audit. The model is one control in a stack."
    },
    {
      "id": "Q06", "bloom": "application", "type": "multiple_choice",
      "prompt": "Rank the four ways to run an LLM on PHI from weakest to strongest data-exposure posture.",
      "options": [
        "On-prem GPUs → self-hosted VPC → dedicated capacity → cloud BAA (strongest first)",
        "Cloud BAA → dedicated capacity → self-hosted VPC → on-prem GPUs (weakest first, strongest last)",
        "Dedicated capacity → cloud BAA → on-prem GPUs → self-hosted VPC",
        "Self-hosted VPC → on-prem GPUs → cloud BAA → dedicated capacity"
      ],
      "answer_index": 1,
      "rationale": "Section 21.2: (1) Cloud endpoints under BAA (multi-tenant, PHI leaves to vendor infra), (2) Dedicated capacity (single-tenant, PHI still leaves), (3) Self-hosted open weights in your VPC (PHI may stay in your tenancy), (4) On-prem GPUs (PHI never leaves the building). Each step rightward moves the boundary from contractual (a BAA) to physical (a cable not plugged in)."
    },
    {
      "id": "Q07", "bloom": "application", "type": "multiple_choice",
      "prompt": "Which of these MUST be logged in an audit trail for a local LLM serving a clinical PHI workflow, per the HIPAA Security Rule?",
      "options": [
        "Only failed requests and error responses; successful calls contain PHI and must not be logged.",
        "Only aggregate statistics (call count per hour) to minimize stored PHI.",
        "Every prompt, every response, every model invocation, every access (who, when, model version, prompt hash, response hash), retained per the org's security-rule posture.",
        "Nothing — local deployments are exempt from the audit-controls requirement."
      ],
      "answer_index": 2,
      "rationale": "The Security Rule requires audit controls (Section 21.4, 21.6). An LLM processing PHI on every call means every call must be logged. The log store itself contains PHI and must be access-controlled. A local deployment with no logging is non-compliant AND un-forensicable — worse than a logged API deployment. Local exempts you from the BAA, not from the safeguards."
    },
    {
      "id": "Q08", "bloom": "application", "type": "multiple_choice",
      "prompt": "A vendor's marketing says 'our model is HIPAA compliant.' As a senior engineer, what should you ask to evaluate the claim?",
      "options": [
        "Ask for the model's HIPAA certification number from HHS.",
        "Ask what they actually mean: do they offer a BAA? For which endpoints/surfaces is ZDR available? Compliance is a property of the deployment, not the model — the model is a component.",
        "Ask whether the model was trained on de-identified data (if yes, it is automatically compliant).",
        "Nothing — vendor HIPAA-compliance claims are reliable at face value."
      ],
      "answer_index": 1,
      "rationale": "There is no 'HIPAA certification' for models. The right questions surface what the vendor actually offers (a BAA, ZDR, for which surfaces) and force the conversation to the deployment-level artifacts (BAA chain, coverage matrix, safeguards) rather than a property-claim about the model. Compliance is a property of the system around the model."
    },
    {
      "id": "Q09", "bloom": "application", "type": "multiple_choice",
      "prompt": "Your team chooses 'self-hosted open weights in our VPC' (Option 3). Which residual risk does this option carry that Option 4 (on-prem GPUs) does not?",
      "options": [
        "PHI egress to a multi-tenant API provider.",
        "The cloud provider's physical/administrative access to the instances and any provider-managed services (telemetry, host agents, snapshots) that touch the VMs.",
        "The need to sign a BAA with the model publisher.",
        "Higher per-token inference cost than the API path."
      ],
      "answer_index": 1,
      "rationale": "Option 3 (self-hosted in VPC) keeps PHI in your tenancy but the cloud provider still has physical/administrative access to the host and may run provider-managed services that touch the instances. With careful config you can argue the provider is a 'conduit' rather than a business associate, but the residual risk is provider-side access. Option 4 eliminates this by putting the metal in your building."
    },
    {
      "id": "Q10", "bloom": "analysis", "type": "multiple_choice",
      "prompt": "Why is the local path 'structurally cleaner' than the API-under-BAA path — beyond just being cheaper or easier to operate?",
      "options": [
        "Because local deployments never have security vulnerabilities.",
        "Because it eliminates the business-associate relationship at the structural level: no data egress to litigate, no subcontractor chain to map, no endpoint-coverage matrix to maintain for the life of the product, no silent uncovered surface. The risk surface is your own infrastructure.",
        "Because local deployments are automatically compliant with the HIPAA Security Rule.",
        "Because local models cannot memorize training data."
      ],
      "answer_index": 1,
      "rationale": "Section 21.3: the real driver for local is not cost or ease — it is structural cleanliness. Local eliminates the coverage question entirely (no endpoint matrix to maintain, no ZDR to negotiate, no silent uncovered surface). The risk surface becomes your network, your GPUs, your access controls — things you directly own. A cable you never plugged in cannot leak; a contract can be breached, mis-scoped, or out-of-date."
    },
    {
      "id": "Q11", "bloom": "analysis", "type": "multiple_choice",
      "prompt": "A model is fine-tuned on 5,000 clinical notes containing patient names. Under adversarial prompting, one name is emitted verbatim. What does this demonstrate, and what control was missing?",
      "options": [
        "It demonstrates that fine-tuning teaches knowledge; the missing control is a larger model.",
        "It demonstrates memorization (Carlini et al.) — the model stored training examples verbatim and they are extractable. The missing control is de-identification of the training corpus before fine-tuning (and evaluation for memorization before deploy).",
        "It demonstrates an API egress leak; the missing control is a BAA.",
        "It demonstrates overfitting due to too many epochs; the missing control is early stopping."
      ],
      "answer_index": 1,
      "rationale": "This is the fine-tuning data risk (Section 21.5). Fine-tuned models can memorize training data, including identifiers, and memorized data is extractable (Carlini et al., 'Extracting Training Data from Large Language Models'). The missing controls are: (1) de-identify the corpus before training (Presidio/Tonic, Safe Harbor), (2) evaluate for memorization before deploy (canary insertion, extraction attacks). Local protects against egress, NOT against memorization-by-insider."
    },
    {
      "id": "Q12", "bloom": "analysis", "type": "multiple_choice",
      "prompt": "How does FT21's thesis ('local eliminates the BAA') connect to the course thesis ('the model steers; the harness bounds')?",
      "options": [
        "They contradict each other — one is about compliance, the other about model behavior.",
        "Pillar 7 is where 'the harness bounds' becomes load-bearing in the most literal sense: the boundary is not a policy gate, it is a PHYSICAL boundary — the data does not leave the premises. Local serving is the boundary enforced by topology rather than by contract.",
        "FT21 is unrelated to the course thesis and belongs in a separate compliance course.",
        "The course thesis supersedes FT21 — the harness is irrelevant once you are local."
      ],
      "answer_index": 1,
      "rationale": "Pillar 7 (Sensitive Domains) is where 'the harness bounds' becomes a physical, topological boundary rather than a policy/contractual one. Local serving enforces the boundary by topology: data does not leave the premises. Contracts can be breached, mis-scoped, or out-of-date; a cable you never plugged in cannot leak. This is the boundary at its strongest."
    },
    {
      "id": "Q13", "bloom": "analysis", "type": "multiple_choice",
      "prompt": "A team deploys local on-prem but skips encryption at rest and access controls, arguing 'we're on-prem so we're compliant.' Why is this the worst-of-both-worlds?",
      "options": [
        "It is not — local deployments are exempt from the Security Rule.",
        "Local eliminates the BAA/data-egress problem but does NOT eliminate the Security Rule. Skipping encryption, access controls, and risk analysis makes the deployment non-compliant AND exposed. Local is the strongest data-exposure posture, but it is the FOUNDATION for the safeguards, not a substitute for them.",
        "Because on-prem GPUs are inherently insecure compared to cloud.",
        "Because skipping encryption invalidates the open-weights license."
      ],
      "answer_index": 1,
      "rationale": "The 'treating local as sufficient' anti-pattern (Section 21.6). Local eliminates the BAA problem but not the Security Rule obligations: encryption at rest/transit, access controls (RBAC, MFA, least privilege), audit logging, risk analysis, workforce training, incident response. A non-compliant local deployment is strictly worse than a compliant API-under-BAA deployment — it has the operational cost of local without the compliance posture."
    },
    {
      "id": "Q14", "bloom": "analysis", "type": "multiple_choice",
      "prompt": "For a clinical-decision-support LLM with a phase-2 imaging workflow (wound/skin photos), why is API-under-BAA eliminated as a defensible option?",
      "options": [
        "Because API vendors do not offer BAAs to health systems.",
        "Because phase-2 imaging routes identifiable body images through a vision endpoint whose ZDR coverage is typically EXCLUDED. Combined with the 'we will not police endpoint-by-endpoint for the life of the product' constraint, the API path creates a silent uncovered surface the org has explicitly refused to maintain.",
        "Because imaging workflows are exempt from HIPAA entirely.",
        "Because the latency of vision endpoints exceeds clinical-decision-support tolerances."
      ],
      "answer_index": 1,
      "rationale": "The binding constraint is phase-2 imaging: vision/multimodal endpoints are frequently excluded from ZDR (Protecto analysis). The compliance office's refusal to maintain an endpoint-coverage matrix for the life of the product eliminates Options 1 and 2. Local eliminates the coverage question entirely — there are no endpoints you do not own. This is the structural reason local wins for this scenario."
    },
    {
      "id": "Q15", "bloom": "analysis", "type": "multiple_choice",
      "prompt": "Why is defense-in-depth the correct posture for HIPAA-LLM, and which control compensates for the failure mode of de-identification?",
      "options": [
        "Defense-in-depth is unnecessary if you have a signed BAA.",
        "De-identification is sufficient alone; no other control is needed.",
        "No single control is trusted alone. De-identification compensates for the model's tendency to memorize; audit logging compensates for de-identification missing something; local serving compensates for the API leaking; access controls compensate for insider risk. Each layer addresses the failure modes of the others.",
        "Defense-in-depth means using as many tools as possible regardless of overlap."
      ],
      "answer_index": 2,
      "rationale": "Defense-in-depth (Section 21.5): no single control is trusted alone. De-identify because the model might memorize; audit because de-identification might miss something; DP-SGD for high-sensitivity subsets; access controls for insider risk; local for egress. Each control compensates for the failure modes of the others. HIPAA's own structure encodes this — the Security Rule lists administrative, physical, and technical safeguards as categories, not alternatives."
    }
  ]
}
