HIPAA Compliance
Xilos supports HIPAA compliance for organizations handling Protected Health Information (PHI). With a Business Associate Agreement (BAA), PII detection, audit logging, and data residency controls, Xilos helps you use AI while maintaining HIPAA compliance.
Warning: Xilos is a Business Associate under HIPAA when processing PHI. A BAA must be executed between your organization (the Covered Entity) and Xilos before processing any PHI. Contact Xilos to execute a BAA.
How Xilos Supports HIPAA
PHI Protection
Restriction rules let you block or mask queries that contain PHI before they reach the LLM. Use keyword rules for specific identifiers (e.g., "social security number", "medical record number") and AI rules for semantic detection of health-related content.
PII Detection
Xilos includes PII detection that identifies sensitive information in queries and responses. When PII is detected, restriction rules can:
- Block the query entirely — the query never reaches the LLM.
- Mask the sensitive content — the query proceeds with PII redacted.
- Flag the query — the query proceeds but is logged for review.
Audit Logs
Every query, routing decision, restriction trigger, and configuration change is logged in the audit trail. Audit logs include:
- The full query text (configurable — can be hashed for additional privacy).
- The routing rule that matched.
- The model that processed the query.
- The response (configurable).
- Quality scores (faithfulness, relevance).
- Timestamps and user identity.
Audit logs are searchable and exportable for compliance reviews.
Business Associate Agreement (BAA)
A BAA is a legally binding agreement between a Covered Entity and a Business Associate that defines how PHI is handled. Xilos executes BAAs for all deployment options:
| Deployment | BAA Available |
|---|---|
| Managed SaaS | ✅ |
| Private Cloud | ✅ |
| On-Premise | ✅ |
Data Residency
Configure data residency to the US region to ensure all data stays within the United States. Enable enforcement to prevent any query from being processed by a model outside the US.
Encryption
- In transit — All API traffic is encrypted via TLS 1.2+.
- At rest — All stored data is encrypted with AES-256.
- Key management — For Private Cloud and On-Premise, you manage the encryption keys.
Setting Up HIPAA Compliance
Execute a BAA
Contact Xilos to execute a Business Associate Agreement. This is required before processing any PHI.
Configure Data Residency
Set the region to us in Model Config and enable enforcement. See Data Residency.
Enable PII Detection
Ensure PII detection is enabled for your organization. This is configured in Settings.
Create Restriction Rules
Create restriction rules to block or mask PHI:
- Keyword rules for specific identifiers (SSN, MRN, etc.)
- AI rules for semantic PHI detection
Configure Audit Logging
Verify audit trail logging is active. Configure retention to meet your compliance requirements.
Set Up SIEM Export
Forward governance events to your SIEM via the SIEM API for continuous monitoring.
Train Your Team
Ensure all users understand the restriction rules, audit logging, and their responsibilities under HIPAA.
Conduct Regular Audits
Periodically review audit logs, restriction rule effectiveness, and access controls.
Roles and Access
Use role-based access control to limit who can access PHI-related configuration and audit logs:
- SuperAdmin — Full access, including audit log export and BAA management.
- Org Admin — Configuration access (rules, keys) but cannot manage the BAA.
- User — API access only. Cannot view audit logs or configuration.
Info: Limit the number of SuperAdmin and Org Admin roles. Most users should have the User role with a virtual key scoped to their needs.
Related
- Data Residency — Configure US-only data storage.
- Audit Trail — Search and export audit logs.
- Restriction Rules API — Block or mask PHI in queries.
- SIEM Export API — Forward events to your SIEM.