HIPAA-eligible AI infrastructure: how a compliant AI stack is built

HIPAA-eligible AI infrastructure means every layer of the stack — cloud host, AI model provider, and database — operates under a signed Business Associate Agreement (BAA) and meets the administrative, physical, and technical safeguards required by HIPAA. Most AI tools do not meet that bar. This post breaks down what the bar actually is and how PhiClaw clears it.

What 'HIPAA-eligible' actually means

HIPAA does not certify software. It does not hand out compliance badges. What it requires is that any vendor handling protected health information (PHI) — names, dates, diagnoses, billing codes, anything that identifies a patient — signs a Business Associate Agreement with your practice and operates under appropriate safeguards.

When a cloud provider calls a service 'HIPAA-eligible,' it means that service is included in their BAA, it supports the security controls HIPAA demands, and you can use it for PHI workloads — provided you configure it correctly and sign the BAA. A service can be offered by a major cloud provider and still be excluded from that provider's BAA, which would make it off-limits for PHI.

The distinction matters enormously for AI. Many AI platforms — including raw, self-hosted OpenClaw and general-purpose tools like ChatGPT or Perplexity — are not HIPAA-eligible and will not sign a BAA. Feeding PHI into those systems is a compliance violation, regardless of how useful the tool is.

The subprocessor BAA chain: why every link must hold

When your practice uses a software vendor to handle PHI, that vendor becomes your Business Associate. But your vendor almost certainly uses its own infrastructure providers — cloud hosts, databases, AI model APIs. Those third parties are called subprocessors, and each one that touches PHI must also be covered by a BAA.

This creates a chain. If any single link in that chain lacks a BAA, the entire pipeline is non-compliant. It does not matter how carefully the top-level vendor is configured — if the underlying AI model or database is run by a subprocessor with no BAA, PHI flowing through it is exposed.

This is precisely why open-source AI platforms used off-the-shelf do not solve the compliance problem. An open-source project cannot sign a BAA with you — there is no legal entity standing behind it. The burden falls entirely on whoever self-hosts it to secure every dependency in the stack, which is a significant engineering and legal undertaking.

How PhiClaw builds its HIPAA-eligible AI infrastructure

PhiClaw signs a Business Associate Agreement (BAA) with your practice and runs on HIPAA-eligible infrastructure, with BAAs in place with our subprocessors AWS (including Amazon Bedrock) and Convex. That sentence covers the entire chain.

Here is what each layer means in practice:

• AWS — Amazon Web Services is the cloud host. AWS offers a comprehensive HIPAA BAA that covers a wide range of its services, including the compute, storage, and networking PhiClaw runs on. Data is encrypted at rest using AES-256 and in transit using TLS 1.2 or higher.
• Amazon Bedrock — This is the AWS service PhiClaw uses to access foundation AI models. Amazon Bedrock is included in the AWS HIPAA BAA. Critically, Bedrock does not use your inputs to train or improve its models — PHI submitted through an API call is not retained or used to update the underlying model weights.
• Convex — Convex is PhiClaw's real-time data backend. PhiClaw has a BAA with Convex covering the data it stores and processes. Convex provides encryption at rest and in transit, and access is controlled at the application layer so that only authorized parties can query patient-linked data.
• PhiClaw itself — On top of these subprocessors, PhiClaw applies PHI minimization (only the data fields actually needed are passed to any AI call), granular access controls, and full audit logging — a timestamped record of who accessed or acted on PHI, which is required by the HIPAA Security Rule.

Why Amazon Bedrock matters for HIPAA-eligible AI

The AI model layer is where most healthcare AI stacks break down. Running a foundation model for clinical or administrative tasks requires sending text to an inference endpoint. If that endpoint is not covered by a BAA and if the provider retains inputs for training, you have a disclosure problem.

Amazon Bedrock sidesteps both issues. Because it is an AWS-managed service covered under the AWS BAA, PhiClaw can send PHI-containing prompts to Bedrock-hosted models under the same agreement that covers the rest of the infrastructure. And because Bedrock's API terms explicitly state that customer inputs are not used to train base models, there is no model-training exposure.

This is the explicit advantage of building on a major cloud provider's managed AI service rather than calling third-party model APIs directly. The HIPAA eligibility and no-training guarantees are baked into the service, not bolted on afterward.

Encryption, isolation, and access control in practice

HIPAA's Technical Safeguard requirements are specific. They call for access controls, audit controls, integrity controls, and transmission security. PhiClaw's infrastructure addresses each:

• Encryption in transit: all data moving between PhiClaw's services, between PhiClaw and your practice's devices, and between PhiClaw and its subprocessors travels over TLS. No PHI moves in plaintext.
• Encryption at rest: PHI stored in AWS and in Convex is encrypted using industry-standard ciphers. Encryption keys are managed separately from the data they protect.
• Access controls: PhiClaw enforces role-based access at the application layer. Staff members see only the data their role permits. API calls to subprocessors are scoped to the minimum data needed for each task — this is PHI minimization in action.
• Audit logging: every action that touches PHI — a message read, a note generated, a document produced — is logged with a timestamp and the identity of the actor. Logs are tamper-evident and retained per HIPAA's requirements.
• Workload isolation: each practice's data is logically isolated. One practice's PHI cannot be accessed through another practice's credentials.

On-premises option for enterprise practices

For large health systems, hospital networks, or practices with strict data-residency requirements, PhiClaw offers an on-premises deployment option. In this configuration, the entire stack — including the AI inference layer — runs inside the practice's own controlled infrastructure, behind their firewall.

On-prem removes the subprocessor question almost entirely, because data never leaves the practice's environment. It does require the practice to maintain the infrastructure, but for enterprise clients the control is often worth the operational overhead.

What this means for your practice

Choosing an AI platform for your practice is not just a software decision — it is a risk management decision. A HIPAA violation involving PHI can carry penalties ranging from $100 to $50,000 per violation, with annual caps and potential criminal liability for willful neglect.

The compliance question is not 'does this AI tool do useful things.' It is 'is every layer of this tool's infrastructure covered by a BAA, and does the vendor have the documentation to prove it.' PhiClaw can answer yes to both, down to the specific services: AWS, Amazon Bedrock, and Convex.

This is also why PhiClaw exists as a distinct product from raw OpenClaw. OpenClaw is a capable open-source AI agent platform, but an open-source project cannot sign a BAA with your practice, and self-hosting it means inheriting the entire compliance burden yourself — securing the model API, the database, the logging, the encryption, and every subprocessor. PhiClaw has done that work and will stand behind it contractually.

This post is general information about HIPAA infrastructure concepts, not legal advice. For specific compliance guidance, consult a healthcare attorney or your compliance officer.

Frequently asked questions

What does HIPAA-eligible infrastructure mean?

It means the cloud services and platforms used to handle PHI are covered under a signed Business Associate Agreement (BAA) and support the technical safeguards HIPAA requires — encryption, access controls, audit logging, and isolation. 'HIPAA-eligible' is the cloud provider's way of saying a specific service is in scope for their BAA and can be used for PHI workloads.

Is Amazon Bedrock HIPAA-eligible?

Yes. Amazon Bedrock is included in the AWS HIPAA BAA. This means PHI can be sent to Bedrock-hosted AI models under the BAA, and Amazon's terms specify that customer inputs are not used to train or improve the base models.

Can I use raw OpenClaw with patient data?

No. Raw or self-hosted OpenClaw is an open-source project — it cannot sign a BAA with your practice, and it ships with no built-in HIPAA compliance program. Using it to process PHI without a signed BAA is a HIPAA violation. PhiClaw is the HIPAA-compliant, healthcare-ready build of this technology, with BAAs in place at every layer of the stack.

What subprocessors does PhiClaw use, and are they all under BAA?

PhiClaw's primary subprocessors are AWS (the cloud host), Amazon Bedrock (AI model inference), and Convex (real-time data infrastructure). PhiClaw has signed BAAs with each of these subprocessors, completing the compliance chain from your practice to every vendor that touches PHI.

Does PhiClaw train AI models on my patients' data?

No. PhiClaw uses Amazon Bedrock for AI inference, and Bedrock's terms explicitly prohibit using customer inputs to train or improve base models. Your patients' PHI is used only to complete the specific task at hand — it is not retained by the model provider or used to update model weights.