HIPAA
[ on roadmap ] US health data — not supported yet
[ what it actually means ]
HIPAA governs protected health information in the United States. For a vendor like us the operative question is simple: will we sign a Business Associate Agreement and stand behind the safeguards it requires? Today the answer is no — we do not sign BAAs, and therefore Y0 is not appropriate for PHI. There is no such thing as 'HIPAA certified' — no government body certifies vendors — so the honest statuses are 'we sign BAAs and run the required safeguards' or 'we do not'. We are currently the second, and we say so before you upload anything.
[ our posture ]
No BAA today — and we say it plainly
We do not currently sign Business Associate Agreements. Customers handling PHI should not use Y0 for that data, and our terms say so. We would rather lose the deal than sign a BAA we cannot operationally honor.
The technical safeguards largely exist
Encryption at rest and in transit, access controls, audit logging, and incident response — most of the Security Rule's technical safeguards are already running for every customer. What is missing is the administrative machinery and the contractual commitment, which is exactly the part that makes a BAA real.
BAA support is roadmapped behind enterprise demand
HIPAA support enters the roadmap when there are real healthcare workloads asking for it — building the program speculatively would produce paperwork without operational truth.
PHI screening in onboarding
Enterprise onboarding asks explicitly whether the workload involves PHI. If it does, we decline that workload today rather than letting it arrive silently and become a liability for both sides.
[ request documentation ]
We can share a Security Rule safeguard mapping and the conditions under which BAA support enters the roadmap.