HIPAA (US healthcare)
swarm's hipaa compliance profile maps features to 45 CFR § 164.312 Technical Safeguards and HITECH requirements. Sign a BAA with swarm to deploy for PHI-handling workloads.
BAA status (April 2026)
swarm is working toward HIPAA BAA-ready status. Target: month 12 after launch (v0.13 timeframe). Until then, we can execute a BAA for design-partner deployments on customer-VPC infrastructure only (swarm-managed SaaS BAA not yet available).
Technical Safeguards mapping — § 164.312
§ 164.312(a)(1) — Access control
Required. Standard: implement technical policies and procedures that allow access only to authorized persons / software.
| swarm feature | Evidence |
|---|---|
| RBAC (viewer / operator / admin) | Roles enforced at every API route |
| OIDC SSO with enterprise IdP | Authentication tied to organizational directory |
| Per-agent tool allowlists | Agents cannot invoke tools outside declared allowlist |
| Permission engine YAML policies | Fine-grained authorization (e.g., time-based, role+tool combination) |
| Unique user identification | UUID per user; correlation id in every log |
| Emergency access procedure | swarm admin break-glass CLI for auditor-approved emergency access |
| Automatic logoff | Session timeout configurable via SWARM_SESSION_TIMEOUT_MINUTES |
| Encryption | TLS in transit; BYOK AES-256 at rest |
§ 164.312(b) — Audit controls
Required. Standard: implement hardware/software/procedural mechanisms that record and examine activity in systems containing or using PHI.
| swarm feature | Evidence |
|---|---|
| run_events append-only journal | Every system action logged with who/what/when/why |
| permission_denials SQLite table | Every denied action preserved with rule-source attribution |
| Conversation JSONL per agent | Full record of agent reasoning + tool calls |
| 6-year retention default | SWARM_RETENTION_RUN_EVENTS_DAYS=2555 satisfies HITECH 6-year requirement |
| Log tamper-evidence | Append-only via DB constraints; audit PDF SHA-256 pin |
§ 164.312(c)(1) — Integrity
Required. Standard: implement policies to protect PHI from improper alteration or destruction.
| swarm feature | Evidence |
|---|---|
| Model artefact SHA-256 pinning | Every model.joblib hash-verified at serving time |
| Audit PDF SHA-256 manifest | swarm audit verify detects any post-hoc modification |
| Database-level constraints | Approvals, denials, run_events are append-only |
| Checksums on stored PHI | Object storage (S3/GCS/Azure) uses provider-level integrity checks |
| Input validation at tool boundary | Pydantic schemas reject malformed inputs |
§ 164.312(d) — Person or entity authentication
Required. Standard: verify identity before granting access.
| swarm feature | Evidence |
|---|---|
| OIDC with enterprise IdP (Okta/Azure AD/Google) | Multi-factor authentication inherited from IdP policy |
| JWT bearer tokens with short expiry | 24-hour default; refresh-token rotation |
| API keys rotatable + audit-logged | Every key has creation + revocation record |
§ 164.312(e)(1) — Transmission security
Required. Standard: protect PHI during electronic transmission.
| swarm feature | Evidence |
|---|---|
| TLS 1.3 mandatory | Dashboard + API + database + object storage |
| Pinned TLS for LLM providers | Outbound calls to Anthropic/OpenAI pinned |
| No plaintext egress | security.networkPolicy.denyPlaintext: true |
§ 164.312(a)(2)(iv) — Encryption and decryption
Addressable. Implementation specification.
| swarm feature | Evidence |
|---|---|
| Encryption at rest via BYOK | Customer-managed KMS keys |
| Envelope encryption for large artefacts | Per-object DEK wrapped by customer CMK |
| Database encryption | Postgres TDE / cloud-provider-managed encryption |
PHI handling under hipaa profile
When a pipeline runs with --compliance hipaa, the profile activates:
1. PHI-detecting POST_TOOL hook
Every tool result passes through a PHI-detection hook that redacts:

- Names (PERSON entities via spaCy or regex-based pattern)
- Dates of birth (MM/DD/YYYY, YYYY-MM-DD patterns)
- SSNs (9-digit patterns)
- Email addresses matching patient domains
- Phone numbers
- Medical record numbers
- Addresses with zip codes

Redacted content passes to the LLM; the original is stored only in the (encrypted) conversation journal.
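A sketch of the regex half of such a hook, added here as an example and not swarm's own code. The patterns, the `[LABEL]` placeholders, the `MRN` prefix format, the `patients.example` domain and the function names are all assumptions; names and street addresses are left out because they need NER rather than regexes.

```python
import re

# Constructed, illustrative patterns (assumptions, not swarm's rule set).
# Order matters: narrow formats run before the broad phone pattern.
PATTERNS = [
    ("DOB", re.compile(r"\b(?:\d{2}/\d{2}/\d{4}|\d{4}-\d{2}-\d{2})\b")),
    ("MRN", re.compile(r"\bMRN[:#\s]*\d{6,10}\b", re.IGNORECASE)),
    ("SSN", re.compile(r"\b(?:\d{3}-\d{2}-\d{4}|\d{9})\b")),
    ("PHONE", re.compile(
        r"(?<!\d)(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)")),
]
EMAIL = re.compile(r"\b[\w.+-]+@([\w-]+(?:\.[\w-]+)+)\b")


def redact_phi(text, patient_domains):
    """Return (redacted_text, counts_by_label) for one tool result."""
    counts = {}

    def mark(label):
        counts[label] = counts.get(label, 0) + 1
        return f"[{label}]"

    def email_repl(m):
        # Only addresses on patient domains are redacted; others pass through.
        if m.group(1).lower() in patient_domains:
            return mark("EMAIL")
        return m.group(0)

    text = EMAIL.sub(email_repl, text)
    for label, pattern in PATTERNS:
        text = pattern.sub(lambda m, l=label: mark(l), text)
    return text, counts


def post_tool_hook(tool_result, patient_domains=frozenset({"patients.example"})):
    """Split one tool result into the LLM-bound and journal-bound copies."""
    redacted, counts = redact_phi(tool_result, patient_domains)
    return {"to_llm": redacted, "to_journal": tool_result, "redactions": counts}


# Constructed sample tool output.
SAMPLE = ("DOB 07/02/1984, SSN 123-45-6789, MRN: 00123456, "
          "reach jane.doe@patients.example or (555) 867-5309; "
          "vendor contact support@vendor.example")

if __name__ == "__main__":
    out = post_tool_hook(SAMPLE)
    print(out["to_llm"])
    print(out["redactions"])
```

The per-label counts give the audit trail something to record without copying the redacted values themselves.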
2. Denial policies
config/permission_policies_hipaa.yaml:

```yaml
rules:
  - id: HIPAA-001
    description: "No raw data export"
    when: { tool: export_raw_data }
    behaviour: deny
    reason: "HIPAA: raw PHI export requires separate de-identification workflow"
  - id: HIPAA-002
    description: "Block external web search from PHI-handling agents"
    when:
      tool: web_search
      agent: [data_cleaner, data_profiler, feature_engineer]
    behaviour: deny
    reason: "HIPAA: no external data egress from PHI-handling agents"
  - id: HIPAA-003
    description: "Require approval for production deployment"
    when:
      tool: promote_challenger
      # Single-quoted YAML keeps backslashes literal, so \s is written once.
      args_pattern: '"env"\s*:\s*"prod"'
    behaviour: ask
    reason: "HIPAA § 164.312(a)(1): deliberate access decision required"
```

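A regression test for rules of this shape, added here as an example and not swarm's permission engine. The matching semantics (first match wins, default allow, `agent` lists mean any-of, `args_pattern` searched against JSON-serialized arguments) and the `deployer` and `report_writer` agent names are assumptions; it also checks that a doubled-backslash pattern, which single-quoted YAML passes through literally, silently stops matching.

```python
import json
import re

# Rules transcribed from the policy file as Python data; the matching
# semantics below (first match wins, default allow) are assumptions.
RULES = [
    {"id": "HIPAA-001", "when": {"tool": "export_raw_data"}, "behaviour": "deny"},
    {"id": "HIPAA-002", "behaviour": "deny",
     "when": {"tool": "web_search",
              "agent": ["data_cleaner", "data_profiler", "feature_engineer"]}},
    {"id": "HIPAA-003", "behaviour": "ask",
     "when": {"tool": "promote_challenger",
              "args_pattern": r'"env"\s*:\s*"prod"'}},
]


def decide(rules, agent, tool, args):
    """Return (behaviour, rule_id) for one tool call."""
    serialized = json.dumps(args, sort_keys=True)
    for rule in rules:
        when = rule["when"]
        if when.get("tool") != tool:
            continue
        if "agent" in when and agent not in when["agent"]:
            continue
        if "args_pattern" in when and not re.search(when["args_pattern"], serialized):
            continue
        return rule["behaviour"], rule["id"]
    return "allow", None


def with_pattern(rules, rule_id, pattern):
    """Copy of rules with one rule's args_pattern swapped (for negative tests)."""
    return [
        {**r, "when": {**r["when"], "args_pattern": pattern}}
        if r["id"] == rule_id else r
        for r in rules
    ]


# A doubled backslash reaches the regex engine literally from single-quoted
# YAML: it then demands a real "\" character and never matches JSON args.
DOUBLED = with_pattern(RULES, "HIPAA-003", r'"env"\\s*:\\s*"prod"')

if __name__ == "__main__":
    call = ("deployer", "promote_challenger", {"env": "prod"})
    print(decide(RULES, *call), decide(DOUBLED, *call))
```

Running cases like these in CI against the deployed policy file catches a rule that has quietly stopped gating production promotion.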
3. Mandatory artefacts
- De-identification audit — evidence the training data was de-identified per § 164.514 Safe Harbor or Expert Determination
- Minimum Necessary justification — for every feature used, document why it was needed
- Access audit — who accessed which models + when (via OIDC + permission logs)
4. 6-year retention (HITECH § 13402)
Retention daemon enforces:

- Run events: 6 years
- Audit PDFs: 6 years
- Conversation journals: 6 years
- Model artefacts: 6 years

BAA workflow
- Contact hello@theaisingularity.org to request BAA
- We provide our standard BAA (reviewable) or review yours
- Signature both sides
- BAA covers the swarm platform; does not cover:
  - Your chosen LLM provider (sign their BAA separately — Anthropic Enterprise and OpenAI Enterprise both offer BAAs)
  - Your chosen cloud provider (AWS BAA / GCP BAA / Azure BAA — you already have these)
  - Third-party plugin authors (their BAA if applicable)
- Deploy in customer-VPC or air-gapped mode (swarm SaaS BAA in v0.13)
LLM provider BAA requirements
HIPAA requires a BAA with any entity that handles PHI — including LLM providers. Verified BAA-eligibility:
| Provider | BAA eligible? | Notes |
|---|---|---|
| Anthropic (Enterprise) | Yes | Enterprise tier only; zero data retention configured via contract |
| OpenAI (Enterprise / ZDR) | Yes | Enterprise or Zero-Data-Retention customers only |
| Azure OpenAI | Yes (inherits Microsoft BAA) | Azure customer agreement covers |
| AWS Bedrock | Yes (inherits AWS BAA) | AWS BAA required first |
| Self-hosted (vLLM) | No BAA needed | You're the data processor |
| OpenAI standard tier | No | Do not use with PHI |
| Anthropic standard (api.anthropic.com) | No | Do not use with PHI |
SWARM_LLM_PROVIDER_DEFAULT=openai with the public endpoint would be a HIPAA violation; switch to Enterprise tier or self-hosted.
Breach notification (§ 164.400)
HITECH requires notification within 60 days of breach discovery. swarm's incident response:
- Internal detection within 72h target (via anomaly monitoring)
- Customer notification via registered contact + email within 48h of internal confirmation
- Public filing with HHS within required timelines (customer drives; we provide evidence)
See Operations: Incident response.
What's NOT addressed by technical controls
HIPAA requires Administrative (§ 164.308) and Physical (§ 164.310) safeguards too — mostly your organizational responsibility:
- Security Officer designation — you nominate; swarm logs their actions
- Workforce training — your policies; swarm provides material for swarm-specific admin tasks
- Facility security — physical access to your data center / cloud console; not swarm's scope
- Device and media controls — BYOK ensures PHI can't leave your boundary even via compromised device
Next
- Concepts: Compliance profiles — how profiles work under the hood
- Deployment: Data residency — BYOK + US-region deployment
- Reading the audit PDF — the HIPAA-flavored audit PDF layout