United States · HIPAA

HIPAA-compliant AI

Under HIPAA, a covered entity that sends PHI to an LLM provider without a signed Business Associate Agreement (BAA) is making an impermissible disclosure. The major model providers either do not sign BAAs at all or sign them only for their enterprise tiers. Cypherz lets you keep using whichever model you want by tokenizing PHI before it leaves your infrastructure: the model sees a surrogate token, and your application sees the real value restored after the response.

What HIPAA requires you to do

• Minimum necessary (45 CFR 164.502(b)) — Use and disclose only the minimum PHI needed for the task. Tokenization is the most aggressive minimum-necessary posture on the model side: the provider receives surrogates, not PHI. Two caveats apply. Detection is never perfect, so free-text notes can still carry an identifier that no regex or roster entry matched; review detector recall on your own documents. And tokens stay re-identifiable by whoever holds the mapping, so treat the tokenized text and the mapping as PHI inside your own boundary.

• Business Associate Agreements (45 CFR 164.502(e)) — Any vendor that creates, receives, maintains, or transmits PHI on your behalf is a business associate and needs a BAA. With Cypherz in the request path, the LLM provider receives only tokens. In the managed product, Cypherz itself receives PHI in order to tokenize it, so Cypherz is your business associate; we sign BAAs at the Business and Enterprise tiers. Self-hosting keeps PHI on your own infrastructure.

• Audit controls (45 CFR 164.312(b)) — Implement mechanisms that record and examine activity in systems that contain or use ePHI. Cypherz logs every tokenize, detokenize, and proxy call with structured metadata. Confirm that the exported entries reference tokens and hashed values rather than plaintext, so the log does not itself become an unprotected PHI store.

• Access controls (45 CFR 164.312(a)(1)) — Per-project encryption keys and API keys scope access to a single project; there is no global plaintext access path. Map projects to your own roles and review who holds each key as part of the information access management the Security Rule requires (164.308(a)(4)).

How Cypherz helps

• Detectors tuned for PHI — Patient names, SSNs, dates of birth, medical record numbers (via a custom regex, since MRN formats vary by institution), addresses, phone numbers, insurance IDs.

• Custom dictionaries for clinical terms — Paste your patient roster or facility list; Cypherz tokenizes those terms on sight.

• Encrypted file pipeline — Upload clinical notes (DOCX), lab reports (PDF), or scanned charts (image OCR). Files are AES-256-GCM encrypted at rest with per-project keys. OCR errors (a letter O read for a zero in an MRN) can defeat exact-pattern detectors, so spot-check OCR output before it is proxied.

• Self-host option — If your compliance posture requires on-prem, `docker-compose up` in your VPC: same binaries, same tokenizer. No PHI leaves your network; only tokenized prompts go to the model provider.
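
The tokenize, send, restore loop described above, as an added Python example. This is not Cypherz's own code and assumes nothing about its API: the PhiVault class, the token format, the MRN pattern, the audit HMAC key and the sample note are all constructed for this illustration. It shows why a repeated value must map to the same token, why dictionary terms run longest-first, why a token the model invents is left alone rather than guessed, why the audit log carries a keyed hash instead of the plaintext, and how a name that is in neither the roster nor any regex (Dr. Osei) passes through untouched:

```python
import hashlib
import hmac
import re
from datetime import datetime, timezone

# Constructed sample data for this example; none of it is real.
ROSTER = ["Jane Q. Doe", "Jane Doe", "Roberto Alvarez"]
FACILITIES = ["Mercy General Hospital"]
LOG_KEY = b"example-audit-hmac-key"   # assumed: one audit-log HMAC key per project

# Regex detectors for structured identifiers. The MRN shape is an assumption
# (a facility that issues "MRN" followed by seven digits); real MRNs vary.
DETECTORS = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "DOB": re.compile(r"\b(?:0[1-9]|1[0-2])/(?:0[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b"),
    "PHONE": re.compile(r"\b\d{3}-\d{3}-\d{4}\b"),
    "MRN": re.compile(r"\bMRN\d{7}\b"),
}
TOKEN_RE = re.compile(r"<[A-Z]+_\d+>")   # surrogate format used by this example


class PhiVault:
    """Reversible tokenizer. The value<->token map never leaves this process."""

    def __init__(self, roster, facilities):
        # Longest terms first so "Jane Q. Doe" is not partially eaten by "Jane Doe".
        terms = [(t, "NAME") for t in roster] + [(t, "FACILITY") for t in facilities]
        terms.sort(key=lambda tk: -len(tk[0]))
        self.dictionary = [(re.compile(r"\b" + re.escape(t) + r"\b"), k) for t, k in terms]
        self.forward = {}    # plaintext -> token; a repeated value reuses its token
        self.reverse = {}    # token -> plaintext
        self.counter = {}
        self.audit = []      # metadata only: action, kind, keyed hash of the value

    def _log(self, action, kind, value):
        ref = hmac.new(LOG_KEY, value.encode(), hashlib.sha256).hexdigest()[:16]
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(),
                           "action": action, "kind": kind, "value_ref": ref})

    def _token_for(self, value, kind):
        if value not in self.forward:
            self.counter[kind] = self.counter.get(kind, 0) + 1
            tok = f"<{kind}_{self.counter[kind]}>"
            self.forward[value], self.reverse[tok] = tok, value
        self._log("tokenize", kind, value)
        return self.forward[value]

    def tokenize(self, text):
        for pattern, kind in self.dictionary:        # roster and facility terms first
            text = pattern.sub(lambda m, k=kind: self._token_for(m.group(0), k), text)
        for kind, pattern in DETECTORS.items():       # then structured identifiers
            text = pattern.sub(lambda m, k=kind: self._token_for(m.group(0), k), text)
        return text

    def detokenize(self, text):
        # Restore only tokens this vault issued. A token the model invented is
        # left in place and logged rather than mapped to a guessed value.
        def restore(m):
            tok = m.group(0)
            if tok in self.reverse:
                self._log("detokenize", tok[1:].split("_")[0], self.reverse[tok])
                return self.reverse[tok]
            self._log("unknown_token", "-", tok)
            return tok
        return TOKEN_RE.sub(restore, text)


def fake_llm(prompt):
    """Stand-in for the remote model: it only ever sees tokens. It also emits a
    token it was never given (<NAME_9>) to exercise the unknown-token path."""
    seen = list(dict.fromkeys(TOKEN_RE.findall(prompt)))
    return "Summary: " + ", ".join(seen) + " reviewed; also <NAME_9>."


# Constructed clinical note. "Dr. Osei" is deliberately absent from the roster.
NOTE = ("Patient Jane Q. Doe (MRN0012345, DOB 03/14/1961, SSN 123-45-6789) was seen at "
        "Mercy General Hospital by Dr. Osei. Jane Doe should be called at 555-867-5309. "
        "Jane Q. Doe reports improved sleep.")


def run_pipeline(note, roster=ROSTER, facilities=FACILITIES):
    vault = PhiVault(roster, facilities)
    tokenized = vault.tokenize(note)
    model_out = fake_llm(tokenized)      # only this string would cross the network
    restored = vault.detokenize(model_out)
    return {"tokenized": tokenized, "model_output": model_out,
            "restored": restored, "audit": vault.audit, "vault": vault}


if __name__ == "__main__":
    result = run_pipeline(NOTE)
    for key in ("tokenized", "model_output", "restored"):
        print(f"{key}: {result[key]}")
    print("audit entries:", len(result["audit"]))
```

Run it and compare the three printed strings: the tokenized prompt is what would cross the network, and the restored summary is what your application keeps. "Dr. Osei" surviving in the tokenized prompt is the recall gap that no regex or roster entry closes; for free-text notes, pair pattern detectors with a clinical NER model or a review step.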

Important caveat

Cypherz provides infrastructure that helps you implement HIPAA technical safeguards. It is not a HIPAA certification, and HHS issues none; compliance is demonstrated through your own risk analysis, policies, and documentation. Work with your compliance officer or counsel to confirm your end-to-end posture.

Common questions

Does Cypherz make my app HIPAA-compliant by itself?

No tool can, since compliance is a posture across people, process, and technology. Cypherz handles a critical technical layer (pseudonymization, encryption, audit logging), but you still need a risk analysis, policies, workforce training, and periodic assessment.

Where is Cypherz hosted?

The managed product is hosted in the EU (Hetzner, Helsinki and Falkenstein) by default. HIPAA itself imposes no data-residency requirement, but document the cross-border flow in your risk analysis and BAA. Self-host anywhere with one docker-compose command if your compliance posture requires it.

Do you sign formal agreements?

Yes. Business and Enterprise tiers include DPAs and BAAs. We are working through a SOC 2 Type II audit; ask for our latest report.

Can I get an audit log export?

Yes. Every action is logged with structured metadata and is exportable via the API in common formats for SIEM ingestion.

Get started

Add AI features to a HIPAA workload without widening your PHI footprint.

Sign up free and create a project; the audit trail starts logging from the first request. Before real PHI flows through the managed product, make sure your plan includes a BAA.