HASP and HIPAA
HASP signs a Business Associate Agreement, handles PHI inside its own substrate, and emits a tamper-evident audit chain — on every paid tier. Direct BAAs with every inference provider in the path are inherited through the single HASP BAA you sign.
Is HASP HIPAA compliant?
Yes. HASP is built as the regulated-AI substrate for healthcare — identity, policy, audit, and PHI handling for AI inference, exposed across four product surfaces (Assistant chat, Studio internal-app builder, public API, Agent SDK). The HIPAA controls do not live in a wrapper layer; they live in the gateway every surface routes through. Specifically:
- A countersigned BAA is required before any AI traffic is processed. The BAA check is enforced at the gateway, not in application code — no surface can bypass it, and a missing or expired BAA fails closed.
- PHI handling is yours to configure. Send PHI straight through under our BAA — that's the default and the reason most teams pick us. Or turn on HASP's built-in anonymization pipeline (healthcare-tuned recognizers, redaction before the prompt leaves, re-identification on the response) when a workflow calls for it. Per-org, per-app, your call.
- Every PHI-adjacent event is on a signed audit chain. Ed25519 signatures, hash-chained entries, RFC 3161 timestamp anchors. Verifiable on your auditor's machine without HASP software.
- Inference providers operate under HASP-direct BAAs. You sign one BAA; you inherit every downstream provider BAA in the path.
- It is not gated to higher tiers. Every paid plan, and the Free Evaluation tier, receive the same compliance floor.
A real BAA, available before you commit.
The HASP BAA is the contractual instrument that makes everything else enforceable. It defines Customer as the covered entity, HASP as the business associate, and assigns the downstream provider BAAs as HASP's responsibility — not yours. The full BAA is published for pre-signature review — no procurement gate, no email request. Email [email protected] only if you need negotiated or redlined terms.
Once your organization is provisioned, an authorized signer countersigns the BAA in-app. The countersignature event is captured on the audit chain — the same chain your auditor verifies — so there is no later question about when, by whom, and under what terms the agreement took effect. From that moment forward, the gateway enforces an active BAA on every inference request; an expired or absent BAA fails closed.
Enterprise customers who require negotiated edits, custom data-residency commitments, or specific covered-entity addenda can run the BAA through [email protected]. The Data Processing Agreement (DPA) covers GDPR and CCPA obligations separately and is referenced by the BAA.
PHI is HASP's job, not a third party's.
PHI handling is a HASP-owned core capability — not an outsourced gateway. The pipeline runs on managed compliance infrastructure inside the same compliance boundary as the rest of the platform. There is no third party in the loop between the gateway and the inference provider whose only job is to handle PHI.
The pipeline is HASP's PHI anonymization service with healthcare-specific custom recognizers layered on top. Every chat turn, uploaded text, and tool definition on its way to an inference provider can be scanned for the identifier categories enumerated by the HIPAA Safe Harbor method (§164.514(b)(2)). What happens on detection is your org's policy: allow PHI through to the model under your BAA (the default, and the reason most teams pick us; no redaction is required to stay compliant), redact before the prompt leaves with re-identification on the response, or block outright. Every scan that runs emits an audit entry recording the categories that fired, the action taken, and the user who initiated the request.
PHI handling is governed per organization. Orgs that do not handle PHI route through the same gateway but skip the PHI scanning path — they still get the audit chain, the BAA check, and the rest of the compliance floor.
Tamper-evident recordkeeping that satisfies §164.312.
HIPAA §164.312(b) requires audit controls; §164.312(c)(1) requires integrity controls that protect ePHI from improper alteration or destruction. HASP satisfies both with one construct: every product-level event is an entry in a hash-chained log, signed at write time with an Ed25519 key bound to your tenant. Each entry references the hash of the previous one, so quietly altering a past entry breaks every entry that follows.
Periodic checkpoints are anchored by an external RFC 3161 Time Stamping Authority, so their timestamps are attested by an independent third party rather than by HASP's clock. This matters because HASP holds the tenant signing key: on its own the chain proves only that it is internally consistent, while the timestamp tokens pin a specific head hash to a specific time and make a rewritten and re-signed history detectable. The tenant public key is published. Your auditor can download the export, run the verification recipe, and confirm chain integrity on their own machine without any HASP software in the loop. The recipe and a sample export are on the verify page.
Audit retention is 7 years across every paid tier, which exceeds both the six-year documentation retention HIPAA requires (§164.316(b)(2)(i)) and the six-year limitation period for HHS Office for Civil Rights civil money penalties (45 CFR §160.414). Enterprise customers may configure longer windows per contract. Audit data is retained even after account deletion where required by law.
BAA status is a precondition for AI, not an honor system.
Every AI call across every surface routes through a single gateway. Before a request reaches a provider, the gateway verifies that the calling organization holds a countersigned, in-date BAA. The check runs at the gateway, not in application code — meaning the Assistant UI, the public REST API, an Agent SDK workflow, and an embedded Studio runtime all share the same enforcement point. No surface can bypass it.
The gateway also resolves caller identity (human user, API key, or agent), applies tool authorization, runs the PHI scan when the org has enabled it, selects the inference provider, signs the audit entries, and emits metering. Each step emits its own audit entry and is independently auditable, so a failure at one step is recorded as such rather than silently masking the others.
One BAA covers every inference provider in the path.
HASP holds direct BAAs with the inference providers it routes to. The compliance substrate, where compute and managed databases live, carries the HIPAA-aligned infrastructure controls HASP inherits.
Customer signs one BAA — HASP's — and inherits each of those downstream agreements through it. Customer does not need to negotiate separate BAAs with any inference provider. When a new inference provider is added, the 30-day sub-processor change notice applies; on Business and Enterprise tiers, Customer-configurable inference policy can restrict workloads to specific provider routes.
Inference providers
Inference for chat, document analysis, AI Studio, public API, and agent workflows — direct integrations under HASP-direct BAAs. The canonical named list is published in the sub-processor register.
The full sub-processor register, including non-PHI providers and their purposes, is kept in sync with the DPA.
HIPAA protections are not a feature flag.
HASP's compliance posture is universal: every tier receives the same floor. Signed BAA on request. Gateway-enforced PHI handling. Ed25519-signed audit chain. HIPAA-aligned data plane on the compliance substrate. There is no plan on which HIPAA controls are weaker than another.
What scales with tier is operational surface area: a dedicated data plane on Enterprise (no logical multi-tenancy at the data layer), Customer-configurable inference policy on Business and above, custom contractual terms on Enterprise. The compliance controls themselves — including 7-year audit retention — are universal.
This is a deliberate architectural commitment. Treating compliance as a tier feature is how regulated workloads end up running on the wrong plan. HASP's position is that if you can sign up, you can sign a BAA.
HIPAA questions buyers ask
Is HASP HIPAA compliant?
Yes. HASP signs a Business Associate Agreement with every customer that handles PHI, runs on a HIPAA-aligned compliance substrate, and enforces BAA status at the AI gateway before any inference call is processed. PHI handling, audit logging, and breach notification are built into the platform from V1 — not bolted on per tier. Sending PHI to the model under your BAA is the default; opt-in redaction of HIPAA Safe Harbor categories before content leaves HASP's substrate is available when a workflow calls for it.
Does HASP sign a BAA?
Yes. The HASP BAA is offered to every customer that handles Protected Health Information, on every paid tier. The full BAA is published for pre-signature review. Customers countersign in-app once their organization is provisioned; signature is captured on the audit chain like any other compliance event.
What does HASP's BAA cover?
HASP's BAA covers all Protected Health Information that Customer transmits to or stores on the HASP platform across every product surface: the Assistant chat product, the Studio internal-app builder, the public REST and JS APIs, and any Agent SDK workflow. It covers PHI at rest in the data plane, in flight to BAA-covered inference providers (each under a HASP-direct BAA), in document ingestion, and in the audit trail. Required HIPAA safeguards — access control, audit controls, integrity controls, and transmission security — are implemented at the platform level.
Is PHI handled inside the BAA scope?
Yes, and it never leaves the BAA scope. PHI flows to BAA-covered inference providers under HASP-direct BAAs by default; no redaction is required to stay compliant. When an org opts in, PHI scanning, redaction, and re-identification are performed by HASP's own PHI anonymization pipeline with healthcare-specific custom recognizers, running on managed compliance infrastructure inside the HASP compliance boundary. PHI handling is a HASP-owned core capability and is not delegated to a third party.
Where does PHI flow inside HASP?
An end-user request enters at the HASP gateway. The gateway first confirms that the organization holds a countersigned, in-date BAA; without one, nothing further runs. The request is then authenticated and authorized against the caller's role (human user, API key, or agent). If the org has opted into PHI scanning, content runs through HASP's PHI anonymization pipeline and the configured categories are replaced with placeholders; otherwise PHI flows straight through under your BAA. The prompt is sent to the selected inference provider over a direct, BAA-covered integration. If redaction ran, the response is re-identified before it reaches the end user. Every hop emits a signed audit entry. The full inventory, including which sub-processors see what data and which BAAs apply, is published on the data-flow page.
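The request path just described (and the gateway section earlier on the page) as a runnable sketch in Go. This is an added example, not HASP's code: the `BAA` record, the `Gateway` function and its audit-line format, the `PHIAction` values, the three regex recognizers and the echo provider are all constructed for illustration, and the recognizers are toy patterns rather than the healthcare-tuned ones the page describes. What it makes concrete is the ordering: the BAA gate runs first and fails closed on every non-valid state, the scan is skipped entirely for orgs that do not handle PHI, the placeholder map used for re-identification never leaves the gateway, and each hop leaves an audit line.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
	"time"
)

// PHIAction is the per-org policy applied when a scan fires; Allow is the default.
type PHIAction string
const Allow, Redact, Block PHIAction = "allow", "redact", "block"

// BAA is the countersigned-agreement record the gate consults (constructed layout).
type BAA struct {
	Countersigned            bool
	EffectiveFrom, ExpiresAt time.Time
}
var ErrBAA = errors.New("baa gate: fail closed")

// checkBAA lets through only a countersigned agreement whose validity window contains now.
func checkBAA(b *BAA, now time.Time) error {
	switch {
	case b == nil:
		return fmt.Errorf("%w: no BAA on file", ErrBAA)
	case !b.Countersigned:
		return fmt.Errorf("%w: not countersigned", ErrBAA)
	case now.Before(b.EffectiveFrom) || !now.Before(b.ExpiresAt):
		return fmt.Errorf("%w: outside validity window", ErrBAA)
	}
	return nil
}

// Constructed toy recognizers ({category, pattern}); not the real healthcare-tuned ones.
var recognizers = [][2]string{
	{"SSN", `\b\d{3}-\d{2}-\d{4}\b`},
	{"DATE", `\b\d{1,2}/\d{1,2}/\d{4}\b`},
	{"MRN", `\bMRN[ #:]*\d{4,}\b`},
}

// redact swaps each hit for a numbered placeholder; the reverse map stays inside the gateway.
func redact(text string) (string, map[string]string, []string) {
	restore, fired := map[string]string{}, []string{}
	for _, r := range recognizers {
		n := 0
		text = regexp.MustCompile(r[1]).ReplaceAllStringFunc(text, func(m string) string {
			n++
			ph := fmt.Sprintf("[%s_%d]", r[0], n)
			restore[ph] = m
			return ph
		})
		if n > 0 {
			fired = append(fired, r[0])
		}
	}
	return text, restore, fired
}

// Gateway runs the hops in order (BAA gate, PHI policy, provider call, re-identification) with one
// audit line per hop. Caller identity is assumed resolved; scanPHI false is an org that does not handle PHI.
func Gateway(baa *BAA, scanPHI bool, policy PHIAction, caller, prompt string, now time.Time, provider func(string) string) (string, []string, error) {
	var audit []string
	log := func(step, detail string) { audit = append(audit, step+" caller="+caller+" "+detail) }
	if err := checkBAA(baa, now); err != nil {
		log("baa.check", err.Error())
		return "", audit, err // nothing is scanned or forwarded without a BAA
	}
	log("baa.check", "ok")
	restore := map[string]string{}
	if scanPHI {
		redacted, m, fired := redact(prompt)
		if len(fired) == 0 {
			policy = "none" // nothing fired, so no policy decision applies
		}
		log("phi.scan", fmt.Sprintf("fired=%v action=%s", fired, policy))
		if policy == Block {
			return "", audit, errors.New("phi policy: request blocked")
		} else if policy == Redact {
			prompt, restore = redacted, m
		}
	}
	resp := provider(prompt) // stands in for the BAA-covered model call
	log("inference", "provider returned")
	if len(restore) > 0 { // re-identify only if redaction ran
		for ph, orig := range restore {
			resp = strings.ReplaceAll(resp, ph, orig)
		}
		log("phi.reidentify", fmt.Sprintf("%d placeholders restored", len(restore)))
	}
	return resp, audit, nil
}

func main() {
	now := time.Now()
	baa := &BAA{Countersigned: true, ExpiresAt: now.Add(time.Hour)} // zero EffectiveFrom is in the past
	fmt.Println(Gateway(baa, true, Redact, "user:42", "Patient MRN 12345678, SSN 123-45-6789, seen 3/14/2024.", now,
		func(p string) string { fmt.Println("provider saw:", p); return "Summary: " + p }))
}
```

Run as-is it exercises the redact path: the constructed prompt carries an MRN, an SSN and a date, the provider sees only placeholders, and the caller receives the re-identified response. An org on the default allow policy produces the same audit lines minus the re-identification step, a blocked request is recorded with the categories that fired before it is refused, and an expired, unsigned or missing BAA is recorded and denied before any scan or provider call happens.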
Can I get a copy of the BAA before signing?
Yes. The BAA, the control matrix, and the data-flow inventory are available to active prospects before commitment. The full BAA is published for pre-signature review. There is no procurement gate between a covered entity and the BAA.
How does HASP's audit chain support HIPAA recordkeeping?
Every product-level event (chat turn, document upload, RAG retrieval, BAA countersign, API call, admin action, PHI scan result) is an append-only, tamper-evident entry in a hash-chained log. Each entry is signed with an Ed25519 key bound to your tenant; the public key is published. Periodic checkpoints are anchored to an RFC 3161 Time Stamping Authority, so timestamps are attested by an independent third party rather than by HASP's clock. The chain can be verified on your auditor's machine without any HASP software, using standard cryptography tooling; the step-by-step verification guide walks through it. This satisfies the §164.312(b) audit-control standard and gives Office for Civil Rights investigators a tamper-evident record under the §164.312(c)(1) integrity standard. Audit retention is 7 years across every paid tier; Enterprise customers may configure longer windows per contract.
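How that verification works, as an added Go example that serves both this answer and the §164.312 section above; it is not HASP's verify recipe or export format. The `Entry` layout, the length-prefixed canonical form, the event names and the `VerifyCheckpoint` stand-in for an RFC 3161 token are assumptions made for illustration. What it demonstrates is the part an auditor should understand: `Verify` proves only that the export is internally consistent, and because the log operator holds the signing key, a rewritten and re-signed history passes it; only the externally attested checkpoint catches that, and it also catches a silently truncated tail.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Entry is one hash-chained, signed record (layout is an assumption for this example,
// not HASP's export). PrevHash and Hash are hex SHA-256; Sig is hex Ed25519 over Hash's bytes.
type Entry struct {
	PrevHash, Event, Actor, Payload, Hash, Sig string
}
const genesis = "0000000000000000000000000000000000000000000000000000000000000000"

// digest length-prefixes the signed fields (so none can masquerade as another) and hashes them.
func digest(e Entry) []byte {
	var s string
	for _, f := range []string{e.PrevHash, e.Event, e.Actor, e.Payload} {
		s += fmt.Sprintf("%d:%s,", len(f), f)
	}
	sum := sha256.Sum256([]byte(s))
	return sum[:]
}

type Chain struct {
	Key     ed25519.PrivateKey // never leaves the writer; the auditor receives only Pub and Entries
	Pub     ed25519.PublicKey
	Entries []Entry
}
func NewChain() *Chain {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Chain{Key: priv, Pub: pub}
}

// Append links to the current head, hashes, signs the hash and stores the entry.
func (c *Chain) Append(event, actor, payload string) {
	prev := genesis
	if n := len(c.Entries); n > 0 {
		prev = c.Entries[n-1].Hash
	}
	e := Entry{PrevHash: prev, Event: event, Actor: actor, Payload: payload}
	h := digest(e)
	e.Hash, e.Sig = hex.EncodeToString(h), hex.EncodeToString(ed25519.Sign(c.Key, h))
	c.Entries = append(c.Entries, e)
}

// Verify is the auditor's check (export + published key only); returns the first failing index or -1.
func Verify(pub ed25519.PublicKey, entries []Entry) (int, error) {
	prev := genesis
	for i, e := range entries {
		h := digest(e)
		sig, err := hex.DecodeString(e.Sig)
		switch {
		case e.PrevHash != prev: // also catches reordering and mid-chain deletion
			return i, fmt.Errorf("entry %d: prev-hash link broken", i)
		case hex.EncodeToString(h) != e.Hash:
			return i, fmt.Errorf("entry %d: contents do not match stored hash", i)
		case err != nil || !ed25519.Verify(pub, h, sig):
			return i, fmt.Errorf("entry %d: signature invalid", i)
		}
		prev = e.Hash
	}
	return -1, nil
}

// VerifyCheckpoint covers what Verify cannot: the operator holds the signing key and could
// rewrite and re-sign history, or truncate the tail. seq/hash stand in for an RFC 3161 token's messageImprint.
func VerifyCheckpoint(entries []Entry, seq int, hash string) error {
	if seq >= len(entries) {
		return fmt.Errorf("checkpointed entry %d missing: export truncated", seq)
	}
	if entries[seq].Hash != hash {
		return fmt.Errorf("entry %d differs from attested hash: history rewritten", seq)
	}
	return nil
}

// Scenario returns (cleanFail, rawEditFail, resignedFail, checkpointCaught): a clean chain verifies (-1);
// editing entry 1 without the key fails at 1; the same edit re-signed with the key passes Verify but trips the checkpoint.
func Scenario() (int, int, int, bool) {
	c := NewChain()
	c.Append("baa.countersign", "signer@example.org", "terms=v3") // constructed events
	c.Append("phi.scan", "user:42", "fired=[NAME,DATE] action=redact")
	c.Append("inference.request", "user:42", "provider=p1")
	cleanFail, _ := Verify(c.Pub, c.Entries)
	raw := append([]Entry(nil), c.Entries...)
	raw[1].Payload = "fired=[NAME,DATE] action=allow"
	rawFail, _ := Verify(c.Pub, raw)
	forged := &Chain{Key: c.Key, Pub: c.Pub}
	for _, e := range raw { // same edit, but every entry re-linked and re-signed
		forged.Append(e.Event, e.Actor, e.Payload)
	}
	resignedFail, _ := Verify(c.Pub, forged.Entries)
	return cleanFail, rawFail, resignedFail, VerifyCheckpoint(forged.Entries, 2, c.Entries[2].Hash) != nil
}

func main() { fmt.Println(Scenario()) } // -1 1 -1 true
```

In a real export the checkpoint hash sits in the messageImprint of a timestamp token; standard tooling (for example `openssl ts -verify` against the TSA's certificate chain) validates the token, after which the remaining check is the comparison `VerifyCheckpoint` makes. A checkpoint anchors only the entries before it, so an edit made after the most recent checkpoint is caught by the next one, and an auditor's verification window should account for that lag.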
What happens if there's a breach?
HASP notifies affected customers without unreasonable delay and in no event later than 60 days from discovery, as 45 CFR §164.410 requires of a business associate; in practice, materially faster. The notification includes the nature of the breach, the categories and approximate number of individuals affected, likely consequences, and the technical and organizational measures taken or proposed to address it (§164.410(c)(1) additionally requires the identification of each affected individual, to the extent possible). HASP will work with Customer to support its own §164.404 individual notice and §164.408 HHS notification obligations as the covered entity of record.
Which inference providers operate under HASP's BAA?
HASP holds direct BAAs with every inference provider in the path. All are exposed to Customer through the single HASP BAA — Customer does not need to negotiate a separate BAA with each provider. The current providers are listed on the sub-processor register; as new inference providers are added, the 30-day sub-processor change notice applies.
Is HIPAA compliance gated to higher tiers?
No. The HASP compliance posture is universal — every tier receives the same floor: signed BAA on request, PHI handling at the gateway, Ed25519-signed audit chain (7-year retention), and HIPAA-aligned data plane. What scales with tier is operational surface area (dedicated data plane on Enterprise, custom contractual terms on Enterprise) — not whether HIPAA protections apply.
Ready to put PHI on a substrate that was built for it?
Read the BAA, or start an evaluation. The template is published — no procurement gate, no email request.