Security Rule §164.312(b) — audit controls
HIPAA requires "hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI". AI-mediated ePHI access is in scope. The receipt feed captures which AI activity touched ePHI, which user initiated it, which provider handled it (with BAA), and what action was taken. This maps directly to the §164.312(b) requirements.
Privacy Rule — minimum necessary
HIPAA Privacy Rule requires minimum necessary use / disclosure. AI prompts shouldn't include unnecessary ePHI. The redaction layer (per-project) lets you scope which fields go to the AI provider; receipts evidence that the scoping was enforced.
BAA (Business Associate Agreement)
On Enterprise tier, we sign BAAs with covered entities. Self-hosted deployment keeps PHI entirely in your control (we don't see it). SaaS deployment with BAA: receipts are stored on our infrastructure under the BAA terms; the underlying AI provider relationships are separately BAA'd.
BAA mapping per provider
Each AI provider needs its own BAA. Anthropic: BAA program with limited eligibility. OpenAI: enterprise customers can obtain BAAs through the Azure OpenAI route. Google: BAA via Google Cloud. Self-hosted models on your infrastructure: no BAA needed (you're the processor). The receipt provider field lets you verify, per receipt, which BAA was the applicable one.
PHI redaction in receipts
By default, receipts store content digests, not raw text, so even for receipts that touch PHI the PHI itself isn't stored. Full-content storage is opt-in per project; for HIPAA-scope projects, leave it off unless you have a specific reason and the BAA covers it.
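The per-project field scoping (minimum necessary) and digest-not-content storage described above, as an added Python example that is not the product's own code or schema: the field names, the HMAC signing scheme and the key are assumptions for illustration.

```python
import hashlib
import hmac
import json

# Constructed sample values; field names and the HMAC key are assumptions for
# this example, not the product's schema or its real signing scheme.
ALLOWED_FIELDS = {"age_band", "chief_complaint"}  # per-project minimum-necessary scope
SAMPLE_KEY = b"constructed-demo-signing-key"
SAMPLE_PROMPT = {
    "patient_name": "Jane Example",  # PHI outside the project's scope
    "mrn": "000000",                 # PHI outside the project's scope
    "age_band": "40-49",
    "chief_complaint": "cough",
}

def canonical(obj):
    """Stable JSON encoding so digests and signatures are reproducible."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def redact(prompt_fields):
    """Keep only in-scope fields; report dropped field names (never values)."""
    kept = {k: v for k, v in prompt_fields.items() if k in ALLOWED_FIELDS}
    dropped = sorted(set(prompt_fields) - ALLOWED_FIELDS)
    return kept, dropped

def build_receipt(user, provider, action, prompt_fields, key, store_content=False):
    """Record user/provider/action plus a digest of what was actually sent."""
    outbound, dropped = redact(prompt_fields)
    receipt = {
        "user": user,
        "provider": provider,
        "action": action,
        "content_digest": hashlib.sha256(canonical(outbound)).hexdigest(),
        "redacted_fields": dropped,
    }
    if store_content:  # full-content storage is an explicit per-project opt-in
        receipt["content"] = outbound
    receipt["signature"] = hmac.new(key, canonical(receipt), hashlib.sha256).hexdigest()
    return receipt, outbound

def verify_receipt(receipt, key):
    """Recompute the signature over every field except the signature itself."""
    unsigned = {k: v for k, v in receipt.items() if k != "signature"}
    expected = hmac.new(key, canonical(unsigned), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, receipt["signature"])

if __name__ == "__main__":
    rcpt, sent = build_receipt("dr.example", "provider-A", "summarize", SAMPLE_PROMPT, SAMPLE_KEY)
    print(json.dumps(rcpt, indent=2), "verifies:", verify_receipt(rcpt, SAMPLE_KEY))
```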
HHS audit acceptance
Based on our discussions with HIPAA-focused compliance counsel, the receipt-based audit trail is well-positioned for an HHS OCR audit. The signatures provide chain of custody, and the per-receipt user attribution maps directly to the access-control evidence HHS asks for. Talk to your compliance counsel for jurisdiction-specific advice.