
How We Used AI on Patient Data Without a BAA (And Why It's Legally Watertight)

TL;DR: By deploying an in-line redaction proxy that strips PHI before it reaches external LLM APIs, we eliminated the need for Business Associate Agreements. The architecture passes HIPAA review because PHI never leaves the covered entity's trust boundary. Here's exactly how we built it.

The Problem: BAAs Are Killing Healthcare AI

Every healthcare organization I talk to has the same story. Their engineering team built an incredible AI feature—clinical documentation, prior authorization, patient messaging—and then it sat in staging for 8 months waiting for legal to negotiate a BAA with OpenAI.

Here's the math that keeps healthcare CTOs up at night:

  • OpenAI doesn't offer BAAs for their standard API. Neither does Anthropic.
  • Azure OpenAI does, but negotiating takes 6-18 months.
  • Average legal cost: $150K-$500K in outside counsel fees.
  • Opportunity cost: While you're negotiating, your competitors ship.

We estimated the total cost of a typical BAA negotiation at $847K when you factor in legal fees, internal time, and lost revenue from delayed launches.

The Insight: What If PHI Never Leaves?

HIPAA's definition of a Business Associate requires that the vendor "creates, receives, maintains, or transmits" Protected Health Information on behalf of a covered entity.

The key word is "transmits."

If PHI never actually reaches the external API—if it's stripped out before transmission and re-inserted after the response—then the external vendor never receives PHI. No PHI received = no Business Associate relationship = no BAA required.

The legal insight: A proxy that redacts PHI before transmission operates analogously to a network router inspecting packet headers. The data transits but is never persisted by the downstream service.

The Implementation: Four Steps

Step 1: Intercept

Deploy a sidecar proxy in your Kubernetes cluster that intercepts all outbound LLM API calls:

network-policy.yaml
# Allow egress from the app pods (assumed label app: clinical-app) only to the
# GLACIS sidecar, so direct calls to the LLM API are denied; the app must still
# point its LLM client at the sidecar, and DNS egress needs its own allow rule.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: llm-egress-via-sidecar
spec:
  podSelector:
    matchLabels:
      app: clinical-app
  policyTypes:
    - Egress
  egress:
    - to:
        - podSelector:
            matchLabels:
              app: glacis-sidecar

Step 2: Detect & Redact

The sidecar runs a RegexSet-based PHI detector that identifies and replaces sensitive data with tokens:

redaction-example.js
// Before redaction
"Patient John Smith (DOB 03/15/1985) presents with..."

// After redaction
"Patient [PHI_NAME_1] (DOB [PHI_DATE_1]) presents with..."

Step 3: Ephemeral Vault

Original PHI values are stored in a memory-only vault with a TTL matching the request timeout. After the response returns, values are cryptographically zeroed.

Step 4: Cryptographic Attestation

Every request generates a signed attestation proving what was redacted, when, and that PHI never left the trust boundary:

attestation.json
{
  "attestation_id": "att_7x9k2mNp...",
  "phi_detected": 3,
  "phi_transmitted": 0,
  "timestamp": "2025-12-01T14:32:00Z",
  "signature": "ed25519:..."
}

Stop Waiting on BAAs

The Evidence Pack Sprint gives your security team the proof they need — in 10 business days.


The Legal Analysis

The key question is whether a vendor that never receives PHI qualifies as a Business Associate. Under 45 CFR § 160.103, a Business Associate is defined as a person or entity that "creates, receives, maintains, or transmits" PHI on behalf of a covered entity.

If PHI is redacted before transmission and the downstream service only ever sees de-identified tokens, the argument is straightforward:

  • No PHI transmission = No BA relationship under the statutory definition
  • The conduit exception provides additional support — entities that merely transmit data (like couriers or ISPs) don't require BAAs
  • Customer-controlled infrastructure means the covered entity maintains all HIPAA obligations within their own environment

This is not legal advice. This analysis is for informational purposes only. Every deployment is different, and you should consult qualified healthcare legal counsel before implementing this or any architecture involving patient data.

What This Enables

With this architecture in production, healthcare organizations can now deploy:

  • Clinical documentation assistants that summarize patient encounters
  • Prior authorization automation that drafts appeals
  • Patient messaging copilots that help clinicians respond faster
  • Quality improvement analytics that identify care gaps

All without the 6-18 month BAA delay. All with cryptographic proof of compliance.

Try It Yourself

GLACIS is currently working with select healthcare AI vendors. If you're building AI features that touch patient data and deals are stuck in security review, book a sprint call to see if the Evidence Pack can help.