HIPAA isn't a certificate. It's how you operate.

There is no such thing as “HIPAA certified.” HIPAA is a continuous program — and the cleanest way to honor it is for PHI to never leave your walls. Deploy Bike4Mind in your own AWS: your BAA, your encryption keys, your audit trail, your controls.

The letter and the spirit

HIPAA isn't a badge you earn once; it's a standing set of safeguards you operate every day, and they are easiest to run, and to evidence, when the PHI, the keys, and the audit trail are inside your own walls.

A program, not a certificate

HIPAA is a set of administrative, physical, and technical safeguards you operate and review continuously. HHS does not certify products or vendors, so anyone selling a "HIPAA certified" stamp is selling something HIPAA doesn't issue.

A vendor BAA isn't where the risk lives

Signing a BAA with a SaaS vendor still leaves your PHI on their servers, beside their other customers, under their controls. The paper matters; the data path matters more.

Sovereignty makes it honest

Deploy the full source in your own AWS. PHI never leaves your VPC, encrypted with your keys, logged in your audit trail, governed by your access controls. You operate the safeguards — you don't outsource trust.

Built so PHI stays yours

Deployed in your AWS, PHI never leaves your cloud

Self-hosted, the entire platform runs in your AWS account (or GovCloud) — no PHI transits our servers, because we’re never in the path.

Your encryption keys

Self-hosted, PHI is encrypted at rest under customer-managed KMS keys in your own account, and in transit with TLS. You hold the keys and we never do; every use of them is logged in your own CloudTrail, and disabling a key revokes access to the data it protects.

Minimum-necessary access

Role-based controls and granular permissions so each user sees only the PHI their role requires.

Full audit trail

Every access and every model/API call is logged in your environment — the evidence your compliance program needs.

Fits your clinical stack

HL7 / FHIR-compatible data flows so the AI plugs into the systems your teams already run.

BAA-ready, air-gappable

Your AWS or GovCloud, with air-gapped deployment options (an air-gapped deployment runs self-hosted open-weight models, since Bedrock is a network-reachable AWS service), and a BAA for hosted engagements where applicable.

What a security review actually needs

The questions your CISO and procurement team will ask — answered by architecture, not adjectives.

No third-party model vendor in the PHI path

Run inference on Amazon Bedrock or on self-hosted open-weight models (Ollama) in your VPC. Ollama runs on your own instances. Bedrock is an AWS-managed, HIPAA-eligible service covered by your AWS BAA; reached through a VPC interface endpoint, prompts never cross the public internet, and AWS documents that Bedrock does not share prompts or completions with the model providers or use them to train the base models. Either way, you can serve a HIPAA workload with no external LLM provider ever touching PHI: the data path stays inside your AWS account boundary.
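The three controls this page keeps returning to (your KMS key, inference that never leaves the AWS network, and an audit trail in your account) are concrete enough to sketch. The Terraform below is an added illustrative reference, not Bike4Mind's deployment code; the region, account ID, bucket name, and the input variables are placeholders, and it assumes the Terraform AWS provider and an existing CloudTrail log bucket whose policy already grants CloudTrail write access.

```hcl
# Illustrative reference architecture (added example, not Bike4Mind's code).
# Placeholders: region, account ID, bucket name, and the variables below.

variable "vpc_id" {}
variable "private_subnet_ids" { type = list(string) }
variable "app_security_group_id" {}
variable "cloudtrail_bucket" {}   # existing bucket that already allows CloudTrail s3:PutObject

locals {
  region     = "us-east-1"        # placeholder
  account_id = "123456789012"     # placeholder
}

provider "aws" {
  region = local.region
}

# 1. Customer-managed KMS key. You own the key policy; every Decrypt call
#    is recorded in your CloudTrail, and disabling the key revokes the data.
resource "aws_kms_key" "phi" {
  description             = "PHI data key"
  enable_key_rotation     = true
  deletion_window_in_days = 30
}

# 2. PHI store encrypted under that key by default ...
resource "aws_s3_bucket" "phi" {
  bucket = "example-phi-store"    # placeholder
}

resource "aws_s3_bucket_server_side_encryption_configuration" "phi" {
  bucket = aws_s3_bucket.phi.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.phi.arn
    }
  }
}

# ... with a bucket policy that refuses plaintext transport and refuses any
#    object a client tries to encrypt under some other key.
resource "aws_s3_bucket_policy" "phi" {
  bucket = aws_s3_bucket.phi.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = "DenyInsecureTransport"
        Effect    = "Deny"
        Principal = "*"
        Action    = "s3:*"
        Resource  = [aws_s3_bucket.phi.arn, "${aws_s3_bucket.phi.arn}/*"]
        Condition = { Bool = { "aws:SecureTransport" = "false" } }
      },
      {
        # Both conditions must hold: the header is present AND names another key.
        # A request with no header falls through to the default encryption above.
        Sid       = "DenyForeignKmsKey"
        Effect    = "Deny"
        Principal = "*"
        Action    = "s3:PutObject"
        Resource  = "${aws_s3_bucket.phi.arn}/*"
        Condition = {
          Null            = { "s3:x-amz-server-side-encryption-aws-kms-key-id" = "false" }
          StringNotEquals = { "s3:x-amz-server-side-encryption-aws-kms-key-id" = aws_kms_key.phi.arn }
        }
      }
    ]
  })
}

# 3. Bedrock over PrivateLink. The endpoint keeps inference traffic on the AWS
#    network, and its policy limits callers to principals in this account.
resource "aws_vpc_endpoint" "bedrock_runtime" {
  vpc_id              = var.vpc_id
  service_name        = "com.amazonaws.${local.region}.bedrock-runtime"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = var.private_subnet_ids
  security_group_ids  = [var.app_security_group_id]
  private_dns_enabled = true
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = "*"
      Action    = ["bedrock:InvokeModel", "bedrock:InvokeModelWithResponseStream"]
      Resource  = "*"
      Condition = { StringEquals = { "aws:PrincipalAccount" = local.account_id } }
    }]
  })
}

# 4. Audit trail in your account: KMS key use and S3 data events on the PHI
#    bucket land here, with log-file integrity validation switched on.
resource "aws_cloudtrail" "phi_audit" {
  name                          = "phi-audit"
  s3_bucket_name                = var.cloudtrail_bucket
  is_multi_region_trail         = true
  include_global_service_events = true
  enable_log_file_validation    = true

  event_selector {
    read_write_type           = "All"
    include_management_events = true
    data_resource {
      type   = "AWS::S3::Object"
      values = ["${aws_s3_bucket.phi.arn}/"]
    }
  }
}
```

Two points a reviewer should hold onto. The endpoint does not move Bedrock into your VPC: inference runs in AWS's Bedrock service in your region under the AWS BAA, and the endpoint only guarantees the call never traverses the public internet; an Ollama host on the same private subnets needs no endpoint at all. And CloudTrail records that a model was invoked, not what was sent; prompt-level records require Bedrock's separate model invocation logging, which delivers to an S3 bucket or CloudWatch log group in your own account.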

No shadow copy of PHI on our side

Deployed in your AWS, prompts and model outputs live only in your VPC, never on our infrastructure. Our operational telemetry is pseudonymized and content-free by design (a reviewer should ask for the exact field list), and in an air-gapped deployment nothing leaves the environment at all. There is no shadow copy of PHI to subpoena, leak, or train on.

Enterprise identity & access

SSO / SAML (Okta and others), MFA, and role-based access control with granular permissions — so authentication and minimum-necessary access map to the identity provider you already run.

Request the security package

For your security review we'll share, under NDA: our BAA terms, current SOC 2 status, and a one-page HIPAA reference architecture showing the in-your-AWS data flow — Bedrock/Ollama inference, your KMS keys, audit logging, and no prompt retention.

Honest about shared responsibility

Bike4Mind is software you run; HIPAA compliance is shared. We provide the architecture (PHI in your cloud, your keys, full audit, your controls) so your team can meet its obligations. We'll sign a BAA for hosted engagements where applicable; in a fully self-hosted deployment we never touch PHI, so the safeguards and the evidence stay in your hands. We don't claim a badge HIPAA doesn't grant; we give you the foundation to operate the program honestly.

Deploying AI in a HIPAA environment?

Let's walk through a deployment in your own cloud — PHI in, PHI never out.