The letter and the spirit
HIPAA isn't a badge you earn once — it's a standing set of safeguards you operate every day. You can only truly run them when the PHI, the keys, and the audit trail are inside your own walls.
A program, not a certificate
HIPAA is ongoing administrative, physical, and technical safeguards you operate and review continuously. Anyone selling a “HIPAA certified” stamp is selling something HIPAA doesn't issue.
A vendor BAA isn't where the risk lives
Signing a BAA with a SaaS vendor still leaves your PHI on their servers, beside their other customers, under their controls. The paper matters; the data path matters more.
Sovereignty makes it honest
Deploy the full source in your own AWS. PHI never leaves your VPC, encrypted with your keys, logged in your audit trail, governed by your access controls. You operate the safeguards — you don't outsource trust.
Built so PHI stays yours
Deployed in your AWS, PHI never leaves your cloud
Self-hosted, the entire platform runs in your AWS account (or GovCloud) — no PHI transits our servers, because we’re never in the path.
Your encryption keys
Self-hosted, encrypted at rest and in transit with your own KMS keys in your account. You hold the keys; we never hold them.
Minimum-necessary access
Role-based controls and granular permissions so each user sees only the PHI their role requires.
Full audit trail
Every access and every model/API call is logged in your environment — the evidence your compliance program needs.
Fits your clinical stack
HL7 / FHIR-compatible data flows so the AI plugs into the systems your teams already run.
BAA-ready, air-gappable
Your AWS or GovCloud, with air-gapped deployment options — and a BAA for hosted engagements where applicable.
What a security review actually needs
The questions your CISO and procurement team will ask — answered by architecture, not adjectives.
No third-party model vendor in the PHI path
Run inference on AWS Bedrock or self-hosted open-weight models (Ollama) inside your VPC. You can serve a HIPAA workload with no external LLM provider ever touching PHI — the data path stays entirely in your cloud.
No shadow copy of PHI on our side
Deployed in your AWS, prompts and model outputs live only in your VPC — never on our infrastructure. Our operational telemetry is pseudonymized and content-free by design. There is no shadow copy of PHI to subpoena, leak, or train on.
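As an added illustration (not Bike4Mind's code), this Python sketch shows what the split described above can look like in practice: the full record stays in the customer's audit trail, while the only record that leaves the VPC is built from an allow-list of metrics plus keyed pseudonyms, with no content fields at all. The event fields, the HMAC-based pseudonymization and the sample values are assumptions for illustration, not the product's actual schema.

```python
import hashlib
import hmac
import json

# Constructed example event. Field names are assumptions for illustration, not the
# product's real schema; the model name and prompt text are fabricated placeholders.
SAMPLE_EVENT = {
    "event": "model_call",
    "tenant": "clinic-42",
    "user_id": "dr.jones@example.org",
    "model": "bedrock/example-model",
    "prompt": "Summarize the discharge note for patient MRN 0001",
    "completion": "The patient was discharged ...",
    "latency_ms": 812,
    "prompt_tokens": 95,
    "completion_tokens": 40,
}

# Keys that can carry PHI or directly identify a person. Telemetry must not contain
# them at all: dropping a field beats masking it, since masking can be undone.
CONTENT_FIELDS = {"prompt", "completion", "user_id", "patient_id", "document_ids"}

# Metric fields safe to export: event type, model label, timings and token counts only.
METRIC_FIELDS = ("event", "model", "latency_ms", "prompt_tokens", "completion_tokens")

def audit_record(event: dict) -> str:
    """Full-fidelity entry for the customer's own audit trail (stays in their VPC)."""
    return json.dumps(event, sort_keys=True)

def pseudonym(value: str, key: bytes) -> str:
    """Keyed hash: stable per customer, unlinkable without the customer-held key."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]

def telemetry_record(event: dict, pseudonym_key: bytes) -> dict:
    """The only shape that leaves the VPC: allow-listed metrics plus keyed pseudonyms.
    Allow-listing means a content field added to the event later is excluded by default."""
    record = {name: event[name] for name in METRIC_FIELDS}
    record["tenant"] = pseudonym(event["tenant"], pseudonym_key)
    record["actor"] = pseudonym(event["user_id"], pseudonym_key)
    if not is_content_free(record):
        raise ValueError("telemetry record carries a content field")
    return record

def is_content_free(record: dict) -> bool:
    """Release gate: true only if no content or identity key survived into the record."""
    return not (CONTENT_FIELDS & set(record))
```

The pseudonym key is held by the customer, so a telemetry recipient cannot map `actor` back to a user even with the full export.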
Enterprise identity & access
SSO / SAML (Okta and others), MFA, and role-based access control with granular permissions — so authentication and minimum-necessary access map to the identity provider you already run.
Honest about shared responsibility
Bike4Mind is software you run; HIPAA compliance is shared. We provide the architecture — PHI in your cloud, your keys, full audit, your controls — so your team can meet its obligations. We'll sign a BAA for hosted engagements where applicable. We don't claim a badge HIPAA doesn't grant; we give you the foundation to operate the program honestly.