Module FT21 — HIPAA and BAA Elimination

HIPAA and BAA Elimination

The first module of Pillar 7. Under HIPAA, any vendor processing PHI is a business associate requiring a BAA; run an open-weights model on your own on-prem GPUs and no third party processes the PHI — no business associate, no BAA. Local eliminates the business-associate relationship at the structural level. The module covers the four deployment postures, the API-BAA coverage gaps (you can't get a BAA that covers everything), the 'no model is HIPAA certified' correction, de-identification as defense-in-depth, and the fine-tuning memorization risk.

60
minutes
8
artifacts
6
sub-sections
The single cleanest move in the HIPAA-LLM space: the BAA exists because a third party touches the data. Remove the third party — serve the model on your own GPUs — and the regulatory hook disappears with it. This is structurally cleaner than any patched-up API arrangement. The catch: 'you can't get a BAA that covers everything' is the real driver, not cost. Even under local, de-identify before fine-tuning, because the model can memorize PHI (Carlini et al.) and local protects against egress, not against memorization-by-insider.
Key Claims
Load-Bearing Claims

Under HIPAA, any vendor that processes PHI on a covered entity's behalf is a business associate and must sign a BAA. Run an open-weights model on your own on-prem GPUs and NO third party processes the PHI — no business associate, no BAA for the LLM. The BAA is a contractual instrument that flows obligations down a vendor chain; eliminate the vendor and the instrument has nothing to attach to. This is structurally cleaner than patching API gaps.

The API-BAA alternative has structural coverage gaps. Even with a signed BAA + zero-data-retention, coverage is ENDPOINT-SPECIFIC, not product-wide. Image/vision inputs are frequently EXCLUDED from ZDR; stateful products (Assistants/Threads) have unclear or narrower coverage; batch/embeddings/fine-tuning endpoints must be checked individually (Protecto analysis, OpenAI community discussion). 'You can't get a BAA that covers everything' is the real driver for local — not cost, not ease.

No model is 'HIPAA certified' — that designation does not exist. HHS does not certify models, vendors, or software. 'HIPAA compliant' is a property of a DEPLOYMENT: an unbroken BAA chain (or its elimination via local), technical safeguards (encryption at rest/transit, access controls), audit trails, administrative/physical safeguards, and a documented risk analysis. The model is a component; compliance is the system around it.

The four ways to run an LLM on PHI form a gradient from weakest to strongest data-exposure posture (Definite.app): (1) cloud endpoints under BAA (multi-tenant), (2) dedicated capacity (single-tenant), (3) self-hosted open weights (your VPC), (4) on-prem GPUs (your metal). Every step rightward moves the boundary from contractual (a BAA) to physical (a cable not plugged in). Options 3 and 4 are the destination.

Fine-tuning on PHI risks memorization. A model trained on raw PHI can memorize identifiers, making them extractable by prompting (Carlini et al., foundational evidence). Mitigation is defense-in-depth: de-identify before training (Presidio, Tonic Textual, custom — Safe Harbor or Expert Determination), evaluate for memorization before deploy (canary, extraction attacks), DP-SGD for high-sensitivity subsets, serve under audit. Local protects against egress, NOT against memorization-by-insider.

After This Module
01
State the core HIPAA logic for LLMs — any third party processing PHI is a business associate requiring a BAA — and explain why running an open-weights model on your own on-prem GPUs eliminates the business-associate relationship entirely (no third party, no BAA).
02
Distinguish the four ways to run an LLM on PHI (cloud endpoints under BAA, dedicated capacity, self-hosted open weights, on-prem GPUs) and rank them by data-exposure posture, naming the local/self-hosted path as the strongest.
03
Describe the gaps in the API-BAA alternative — coverage is endpoint-specific, image inputs typically excluded from ZDR, Assistants/Threads coverage unclear, no BAA covers everything — and explain why this gap is the real driver for local.
04
Correct the misconception that some LLM is 'HIPAA certified' and enumerate what is actually required: an unbroken BAA chain or its elimination via local, plus audit trails and technical safeguards.
05
Apply de-identification as defense-in-depth even under local — de-identify fine-tuning data before training — and explain why fine-tuning on raw PHI risks memorization (extractable PHI in the weights).
06
Design, for a clinical-decision-support LLM, the architecture (local vs API-under-BAA), the serving stack, the de-identification pipeline, and the audit-logging approach — and defend the choice.
Artifacts
01
Teaching Document
~3,400 words; 6 sub-sections — the core logic (local eliminates the BAA), the four deployment postures, the API-BAA coverage gaps, the 'no model is HIPAA certified' correction, de-identification as defense-in-depth, anti-patterns. Learning Objectives, Key Terms, Anti-Patterns, References (Definite.app, Protecto, Tonic.ai, PMC, HHS, Carlini et al.).
READ
02
Diagrams
5 Mermaid diagrams (dark #14141f/#5eead4) — the BAA chain and its elimination via local; the API-BAA coverage gaps (green/red surface matrix); the four ways to run an LLM on PHI (gradient weakest-to-strongest); the local architecture (data stays on-prem, trust boundary); the fine-tuning data risk and de-identification (wrong path vs right path).
READ
03
Slide Deck
11 slides (reveal.js, exact head/style template, dark theme) — core logic, BAA necessary-but-not-sufficient, four deployment postures, API coverage gaps, 'no model is HIPAA certified,' de-identification defense-in-depth, local architecture, anti-patterns, bridge to FT22/FT23, objectives. Title 'Module FT21 — HIPAA and BAA Elimination', footer 'Course 3 — LLM Fine-Tuning Masterclass · FT21 · Pillar 7'.
READ
04
Teaching Script
~2,240-word verbatim teaching script, ~40 min at 140 wpm, [SLIDE N] cues for all 11 slides. Senior voice, accurate HIPAA framing.
READ
05
Flashcards
26 flashcards (c3::ft21::recall/application/analysis) — the core logic, the four postures, ZDR limitations, de-identification tools, DP-SGD, the four anti-patterns, the Carlini evidence, the connection to the course thesis, the FT20 prerequisite dependency.
TEST
06
Exam
15-question exam (3 recall / 6 application / 6 analysis), 40 min, covering the core logic, the four postures, the API coverage gaps, the 'HIPAA certified' misconception, memorization/de-identification, defense-in-depth, the FT21-to-course-thesis connection, and the phase-2-imaging scenario.
TEST
07
Lab Spec
1 design lab — 'The HIPAA Architecture': design (diagram + written defense) the architecture for a clinical-decision-support LLM handling PHI. Choose local-only or API-under-BAA; specify the serving stack (FT20), de-identification pipeline, audit logging. No GPU required — architecture/judgment lab. Includes decision matrix, architecture template, deliverables, solution key.
DO
08
Module Web Page
Single-file HTML hub
HERE