Healthcare BAA + the no-PHI runtime gate
Cavaridge™ has a standard BAA in place. Healthcare tenants sign it before activation. This page describes how the platform technically enforces what the BAA promises.
The no-PHI runtime gate
Cavaridge™ products are not PHI containers. The runtime gate rejects content matching PHI signatures (US SSN, MRN-shaped strings, dates of birth in name/DOB pairs, common health-record patterns) at the API boundary before it ever reaches a model or persistent store.
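What an API-boundary gate of this shape looks like in code, as an added example that is not Cavaridge's implementation: the four signature classes mirror the categories named above, but the regular expressions, the `GateDecision` fields, the `handle_request` handler and its 422 response are assumptions made for illustration. The sample input is constructed and the identifiers in it are fictitious.

```python
"""Illustrative no-PHI runtime gate, modelled on the description above.

Added example, not Cavaridge's implementation: the signature patterns,
the GateDecision fields and the 422 response shape are assumptions.
"""
import re
import unicodedata
from dataclasses import dataclass

# One assumed signature class per category the page names.
SIGNATURES = {
    # US SSN AAA-GG-SSSS; area 000/666/9xx and all-zero group/serial are never issued.
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    # MRN-shaped string: an MRN label followed by a 6-12 character identifier.
    "mrn": re.compile(r"\b(?:MRN|medical record (?:number|no\.?))[\s:#]*[A-Z0-9-]{6,12}\b", re.I),
    # Name/DOB pair: a labelled name with a labelled date of birth within 60 characters.
    "name_dob": re.compile(
        r"\b(?:name|patient)\s*:\s*[A-Z][\w'-]+(?:\s+[A-Z][\w'-]+)*"
        r".{0,60}?\b(?:DOB|date of birth)\s*:\s*(?:\d{1,2}[/-]\d{1,2}[/-]\d{2,4}|\d{4}-\d{2}-\d{2})\b",
        re.I | re.S,
    ),
    # Common health-record pattern: a labelled ICD-10 diagnosis code.
    "icd10": re.compile(r"\b(?:ICD-?10|dx)\s*:?\s*[A-TV-Z]\d{2}(?:\.\d{1,4})?\b", re.I),
}
ZERO_WIDTH = re.compile(r"[\u200b-\u200d\u2060\ufeff]")


@dataclass(frozen=True)
class Finding:
    kind: str
    start: int
    end: int


@dataclass(frozen=True)
class GateDecision:
    allowed: bool
    kinds: tuple           # signature classes that fired; never the matched values
    redacted_preview: str  # safe to write to an audit log


def normalize(text: str) -> str:
    """Canonicalise before matching so cheap evasions (full-width digits,
    zero-width characters, spaced-out hyphens) do not slip past the signatures."""
    t = unicodedata.normalize("NFKC", text)
    t = ZERO_WIDTH.sub("", t)
    t = re.sub(r"(?<=\d)\s*-\s*(?=\d)", "-", t)  # "123 - 45 - 6789" -> "123-45-6789"
    return re.sub(r"[ \t]+", " ", t)


def scan(text: str):
    """Return the normalised text and every signature hit, ordered by position."""
    norm = normalize(text)
    hits = [Finding(kind, m.start(), m.end())
            for kind, pat in SIGNATURES.items() for m in pat.finditer(norm)]
    return norm, sorted(hits, key=lambda f: (f.start, f.end))


def redact(norm: str, hits) -> str:
    """Mask each hit with its class name; a hit overlapping the previous one
    extends that mask instead of emitting a second label."""
    out, last = [], 0
    for f in hits:
        if f.start < last:
            last = max(last, f.end)
            continue
        out.append(norm[last:f.start])
        out.append(f"[{f.kind.upper()} REDACTED]")
        last = f.end
    out.append(norm[last:])
    return "".join(out)


def gate(text: str) -> GateDecision:
    norm, hits = scan(text)
    if not hits:
        return GateDecision(True, (), norm)
    return GateDecision(False, tuple(sorted({f.kind for f in hits})), redact(norm, hits))


def handle_request(body: dict, model_call, store_write) -> dict:
    """API-boundary handler: the gate runs before the model or the store is touched.
    model_call and store_write stand in for the downstream calls (assumed names)."""
    decision = gate(body.get("prompt", ""))
    if not decision.allowed:
        # Reject outright. The response and any log carry only the classes that
        # fired and the redacted preview, never the raw body.
        return {"status": 422, "error": "phi_detected", "signatures": list(decision.kinds)}
    store_write(body)
    return {"status": 200, "output": model_call(body["prompt"])}


if __name__ == "__main__":
    # Constructed sample input; the identifiers are fictitious.
    sample = "Patient: Jane Doe, DOB: 1980-03-14, MRN: A1B2C3D4, SSN 123-45-6789, Dx: E11.9"
    print(gate(sample))
```

Two practitioner points the code makes concrete. Matching must run on normalised text, otherwise full-width digits, zero-width joiners or `123 - 45 - 6789` walk straight past the signatures; and a gate like this is deliberately shape-based, so an invoice number that happens to look like an SSN will be rejected too. That false-positive rate is the price of rejecting at the boundary, and it is why regex signatures are a backstop rather than a workflow: the log and the error response carry only the class names and a redacted preview, never the value that tripped the gate.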
Tenants that need PHI workflows route through partner systems with their own BAA — Cavaridge™ orchestrates, never stores. The CVG-HIPAA app provides the assessment + gap-analysis surface that healthcare admins use to track their own posture.
Healthcare-mode features
- CVG-HIPAA — assessment, gap analysis, attestation tracking.
- CVG-AEGIS — security scoring with healthcare-aware framework attestation.
- Tenant config — `tenant.healthcare_mode = true` enables the additional gates and removes free-tier promotions that aren’t BAA-compatible.
What the BAA covers
- Cavaridge™ as a Business Associate of the Covered Entity (the tenant).
- Breach notification timing and process.
- Subcontractor flow-down (any third-party Cavaridge™ uses to process PHI must accept equivalent terms).
- Permitted uses and disclosures.
What the platform does NOT do
- Storing raw PHI in conversational AI surfaces.
- Sending PHI to LLM providers — even those with their own BAAs — without an explicit, BAA-compatible routing path.
- Retaining transient health context past the session boundary.
Pitfalls
- Don’t paste PHI into a Cavaridge AI prompt. The gate will redact it, but redaction is a backstop, not a workflow.
- Don’t enable healthcare-mode tenants on free tiers — sign the BAA first.
See docs/architecture/CVG-HIPAA-ARCH-*.md for the full HIPAA module architecture.