HIPAA and BAA Elimination
The first module of Pillar 7. Under HIPAA, any vendor processing PHI is a business associate requiring a BAA; run an open-weights model on your own on-prem GPUs and no third party processes the PHI — no business associate, no BAA. Local eliminates the business-associate relationship at the structural level. The module covers the four deployment postures, the API-BAA coverage gaps (you can't get a BAA that covers everything), the 'no model is HIPAA certified' correction, de-identification as defense-in-depth, and the fine-tuning memorization risk.
Under HIPAA, any vendor that processes PHI on a covered entity's behalf is a business associate and must sign a BAA. Run an open-weights model on your own on-prem GPUs and NO third party processes the PHI — no business associate, no BAA for the LLM. The BAA is a contractual instrument that flows obligations down a vendor chain; eliminate the vendor and the instrument has nothing to attach to. This is structurally cleaner than patching API gaps.
The API-BAA alternative has structural coverage gaps. Even with a signed BAA + zero-data-retention, coverage is ENDPOINT-SPECIFIC, not product-wide. Image/vision inputs are frequently EXCLUDED from ZDR; stateful products (Assistants/Threads) have unclear or narrower coverage; batch/embeddings/fine-tuning endpoints must be checked individually (Protecto analysis, OpenAI community discussion). 'You can't get a BAA that covers everything' is the real driver for local — not cost, not ease.
No model is 'HIPAA certified' — that designation does not exist. HHS does not certify models, vendors, or software. 'HIPAA compliant' is a property of a DEPLOYMENT: an unbroken BAA chain (or its elimination via local), technical safeguards (encryption at rest/transit, access controls), audit trails, administrative/physical safeguards, and a documented risk analysis. The model is a component; compliance is the system around it.
The four ways to run an LLM on PHI form a gradient from weakest to strongest data-exposure posture (Definite.app): (1) cloud endpoints under BAA (multi-tenant), (2) dedicated capacity (single-tenant), (3) self-hosted open weights (your VPC), (4) on-prem GPUs (your metal). Every step rightward moves the boundary from contractual (a BAA) to physical (a cable not plugged in). Options 3 and 4 are the destination.
Fine-tuning on PHI risks memorization. A model trained on raw PHI can memorize identifiers, making them extractable by prompting (Carlini et al., foundational evidence). Mitigation is defense-in-depth: de-identify before training (Presidio, Tonic Textual, custom — Safe Harbor or Expert Determination), evaluate for memorization before deploy (canary, extraction attacks), DP-SGD for high-sensitivity subsets, serve under audit. Local protects against egress, NOT against memorization-by-insider.