Governance & Compliance
HIPAA

HIPAA Compliance

Xilos supports HIPAA compliance for organizations handling Protected Health Information (PHI). With a Business Associate Agreement (BAA), PII detection, audit logging, and data residency controls, Xilos helps you use AI while maintaining HIPAA compliance.

Warning: Xilos is a Business Associate under HIPAA when processing PHI. A BAA must be executed between your organization (the Covered Entity) and Xilos before processing any PHI. Contact Xilos to execute a BAA.

How Xilos Supports HIPAA

PHI Protection

Restriction rules let you block or mask queries that contain PHI before they reach the LLM. Use keyword rules for specific identifiers (e.g., "social security number", "medical record number") and AI rules for semantic detection of health-related content.

PII Detection

Xilos includes PII detection that identifies sensitive information in queries and responses. When PII is detected, restriction rules can:

  • Block the query entirely — the query never reaches the LLM.
  • Mask the sensitive content — the query proceeds with PII redacted.
  • Flag the query — the query proceeds but is logged for review.

Audit Logs

Every query, routing decision, restriction trigger, and configuration change is logged in the audit trail. Audit logs include:

  • The full query text (configurable — can be hashed for additional privacy).
  • The routing rule that matched.
  • The model that processed the query.
  • The response (configurable).
  • Quality scores (faithfulness, relevance).
  • Timestamps and user identity.

Audit logs are searchable and exportable for compliance reviews.

Business Associate Agreement (BAA)

A BAA is a legally binding agreement between a Covered Entity and a Business Associate that defines how PHI is handled. Xilos executes BAAs for all deployment options:

DeploymentBAA Available
Managed SaaS
Private Cloud
On-Premise

Data Residency

Configure data residency to the US region to ensure all data stays within the United States. Enable enforcement to prevent any query from being processed by a model outside the US.

Encryption

  • In transit — All API traffic is encrypted via TLS 1.2+.
  • At rest — All stored data is encrypted with AES-256.
  • Key management — For Private Cloud and On-Premise, you manage the encryption keys.

Setting Up HIPAA Compliance

Execute a BAA

Contact Xilos to execute a Business Associate Agreement. This is required before processing any PHI.

Configure Data Residency

Set the region to us in Model Config and enable enforcement. See Data Residency.

Enable PII Detection

Ensure PII detection is enabled for your organization. This is configured in Settings.

Create Restriction Rules

Create restriction rules to block or mask PHI:

  • Keyword rules for specific identifiers (SSN, MRN, etc.)
  • AI rules for semantic PHI detection

Configure Audit Logging

Verify audit trail logging is active. Configure retention to meet your compliance requirements.

Set Up SIEM Export

Forward governance events to your SIEM via the SIEM API for continuous monitoring.

Train Your Team

Ensure all users understand the restriction rules, audit logging, and their responsibilities under HIPAA.

Conduct Regular Audits

Periodically review audit logs, restriction rule effectiveness, and access controls.

Roles and Access

Use role-based access control to limit who can access PHI-related configuration and audit logs:

  • SuperAdmin — Full access, including audit log export and BAA management.
  • Org Admin — Configuration access (rules, keys) but cannot manage the BAA.
  • User — API access only. Cannot view audit logs or configuration.

Info: Limit the number of SuperAdmin and Org Admin roles. Most users should have the User role with a virtual key scoped to their needs.

Related