Updated for 2026
The HIPAA Assumption That Puts Patients at Risk
Every healthcare IT team hears the same advice. Sign a Business Associate Agreement and you are covered under HIPAA.
The BAA requirement is real. HIPAA's Privacy Rule requires covered entities to sign BAAs with business associates. These are third parties who handle protected health information on their behalf. Any AI tool that touches clinical notes needs a BAA first.
But a BAA covers the legal relationship. It does not cover what happens to patient records on the AI provider's servers after the contract is signed.
The key question is not whether you have a BAA. It is whether the AI provider can read your patients' health records, and what happens to those records when that provider is breached.
What a Business Associate Agreement Actually Does
A BAA commits the business associate to four things:
- Use patient records only for agreed purposes
- Put safeguards in place to protect them
- Report any breach to the covered entity
- Return or destroy files when the contract ends
The BAA is a contract. The provider promises to handle clinical files carefully, apply reasonable security, and notify you if something goes wrong.
What the BAA does not do:
- Stop attackers from breaching the provider's servers
- Remove the ability to read patient records in decrypted form
- Protect your organization from HIPAA liability when the provider is hit
When a cloud AI provider suffers a breach, the BAA covers the notification step. But the health record exposure is real. Patients are harmed. The covered entity faces an HHS inquiry. The contract does not change that.
The Server-Side Problem
Cloud AI tools that handle health records share one core design. Files travel to the provider's servers. The AI processes them there. Results come back to the user.
For this to work, the provider must read the files in a usable form. That means one of two things. The files sit unencrypted. Or the provider manages the encryption keys.
Provider-managed encryption is not end-to-end encryption. If the provider holds the keys, the provider can decrypt. If a server is breached, patient records are exposed in plain text.
This is the gap BAAs do not close. The BAA requires "appropriate safeguards." Server-side encryption with provider-held keys meets that standard on paper. It does not protect against a breach on the provider's side.
The AI uses clinical notes, billing records, and care plans to generate output. All of that content sits in readable form on the provider's servers. A breach there means patient records are out.
HIPAA enforcement does not care that you had a BAA. The HHS Office for Civil Rights asks one question: did you use safeguards that actually protected the records? Technical controls determine the answer. Contract language does not.
How Zero-Knowledge Architecture Fixes This
Zero-knowledge design solves the server-side access problem at the root.
Before any files leave your environment, patient details get replaced with tokens. The AI provider receives only anonymized content. Clinical notes have names swapped out. Billing records have account numbers replaced. Care plans have personal information removed.
The AI processes the anonymized version. Your system re-links the results to the original patient record using the token map. That map never left your control.
What this changes in practice:
The AI provider never receives protected health information. Clinical notes sent through zero-knowledge anonymization contain no names, dates of birth, addresses, or record numbers. The AI operates on clean files.
A breach at the provider exposes nothing. If their servers are breached, the stored content has no patient information in it. Exposure cannot happen because the protected records were never sent.
Technical safeguards go beyond what the contract requires. The covered entity has made patient record exposure technically impossible. Not just prohibited by contract. That is a far stronger position.
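The tokenize-then-re-link flow described above, as an added example that is not anonym.legal's code or documentation. It assumes a note whose identifiers (name, date of birth, record number) are already known from structured fields, a token format of the form `<<CATEGORY_tag>>`, and a locally held vault keyed with a secret that never leaves the covered entity; the patient, note text and AI response are all constructed for the example. It also adds the check a practitioner wants before anything is transmitted: a gate that refuses to send if any raw identifier survived substitution.

```python
"""Client-side PHI tokenization before a clinical note goes to a cloud AI.

Added illustration, not anonym.legal's code. The note, the identifier
categories, the token format and the vault design are assumptions.
"""
import hashlib
import hmac
import re
import secrets
from typing import Optional

# Tokens have a fixed shape so re-linking can find them in the AI's output.
TOKEN_RE = re.compile(r"<<(NAME|DOB|MRN)_([0-9a-f]{8})>>")


class TokenVault:
    """Local store mapping tokens back to protected values. Never sent anywhere."""

    def __init__(self, key: Optional[bytes] = None) -> None:
        # A per-deployment secret: without it, tokens cannot be derived from values.
        self.key = key or secrets.token_bytes(32)
        self.reverse: dict[str, str] = {}

    def token_for(self, category: str, value: str) -> str:
        # HMAC keeps the token stable for repeated mentions of the same value,
        # so the AI can keep references consistent, while nothing about the
        # value is recoverable from the token by anyone who lacks the key.
        tag = hmac.new(self.key, f"{category}:{value}".encode(), hashlib.sha256).hexdigest()[:8]
        token = f"<<{category}_{tag}>>"
        self.reverse[token] = value
        return token

    def restore(self, text: str) -> str:
        """Re-link AI output to the original details, only on the covered entity's side."""
        return TOKEN_RE.sub(lambda m: self.reverse.get(m.group(0), m.group(0)), text)


def anonymize_note(note: dict, vault: TokenVault) -> str:
    """Replace every identifier listed in note['phi'] wherever it appears in note['text'].

    Longest values are substituted first so a value contained in a longer one
    (a surname inside a full name) is not tokenized twice.
    """
    text = note["text"]
    for category, value in sorted(note["phi"], key=lambda cv: -len(cv[1])):
        text = text.replace(value, vault.token_for(category, value))
    return text


def leaked_identifiers(outgoing: str, note: dict) -> list:
    """Transmission gate: any raw identifier still present means the payload must not be sent."""
    return [value for _, value in note["phi"] if value in outgoing]


# Constructed sample note about a fictional patient.
NOTE = {
    "phi": [("NAME", "Jane Q. Example"), ("DOB", "1970-01-15"), ("MRN", "MRN-0004471")],
    "text": (
        "Patient Jane Q. Example (DOB 1970-01-15, MRN-0004471) presents with "
        "intermittent chest pain. Jane Q. Example denies shortness of breath. "
        "Plan: ECG, troponin, follow-up in 2 weeks."
    ),
}


def run_pipeline(note: dict = NOTE) -> dict:
    """Anonymize, gate, simulate the provider's reply, then re-link locally."""
    vault = TokenVault()
    outgoing = anonymize_note(note, vault)
    leaks = leaked_identifiers(outgoing, note)
    # Constructed stand-in for the AI provider's response: it only ever saw tokens.
    ai_output = "Summary: " + outgoing.split("presents")[0].strip() + " has intermittent chest pain; ECG ordered."
    restored = vault.restore(ai_output)
    return {"outgoing": outgoing, "leaks": leaks, "tokens": len(vault.reverse), "restored": restored}


if __name__ == "__main__":
    result = run_pipeline()
    print("sent to provider:", result["outgoing"])
    print("restored locally:", result["restored"])
```

Two design points matter for a deployment. First, the vault (key plus token map) is now the thing that re-identifies patients, so it needs the same access controls and audit logging as the records themselves. Second, this example only substitutes identifiers it was told about from structured fields; free-text narrative can carry other identifying details (relatives' names, employers, rare conditions plus a location), so a production layer needs detection over the narrative as well, not just known-field substitution.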
See how the anonymization layer works on the security compliance page and in the legal conformance docs.
The Standard That Holds Under Enforcement
HIPAA enforcement under the HHS Office for Civil Rights turns on one test. Did the covered entity use reasonable safeguards given the known risk?
Cloud AI providers handling health records under BAAs have been breached. The risk is real. Not theoretical. Investigators ask whether the covered entity addressed it.
Consider two covered entities. One relied on a BAA and provider-managed encryption: a contractual fix for a technical problem. The other anonymized patient records before sending anything, which removed the exposure at the source.
The second approach gives a clear answer to any inquiry. The protected records never reached the AI provider in usable form. There is no breach to report. There is no patient to notify. There is no inquiry to respond to. The design made that outcome impossible.
For healthcare organizations adopting cloud AI, the right compliance approach is clear. A BAA is not enough on its own. Patient records must never reach a third party in recoverable form. The BAA satisfies the legal requirement. Zero-knowledge architecture satisfies the technical one.
Learn more in the token system docs and the FAQ hub.
anonym.legal's anonymization layer strips patient details before they reach any AI tool. Tokens replace names, dates, and record numbers. Results return with the original details restored — only on your side. See the pricing page.