HIPAA

BAA on roadmap — controls available now

A HIPAA Business Associate Agreement is on our roadmap. In the meantime, Gateco's architecture structurally supports the technical safeguards of the HIPAA Security Rule (45 CFR §164.312) and the Privacy Rule's minimum necessary standard (§164.502(b)) as they apply to PHI access in AI retrieval pipelines.

Technical safeguards alignment

Access control (§164.312(a))
RBAC and ABAC policies gate access to PHI documents by principal role, group, and department. Evaluation is deny-by-default: a request is denied unless a policy explicitly allows it.
Audit controls (§164.312(b))
25 audit event types. Every retrieval decision is logged with principal ID, resource ID, policy ID, decision (allow, deny, or error_deny), and timestamp. Records are retained for 90 days by default.
Integrity (§164.312(c))
Audit records are append-only and policy changes are versioned. Connector credentials are encrypted with KMS envelope encryption.
Person or entity authentication (§164.312(d))
JWT authentication on all API calls. OAuth 2.0 (Google, GitHub) supported. Every access decision is keyed to IdP-synced principal identifiers.
Transmission security (§164.312(e))
TLS 1.3 enforced for all connections: API, SDK, and dashboard traffic.
Minimum necessary standard (Privacy Rule, §164.502(b))
Late-binding policy evaluation at retrieval time means an AI application receives only the PHI documents the requesting principal is authorized to see, not every document that matches the query.

Enforcing minimum necessary with Gateco policies

Example: restrict PHI access to clinical staff only

{
  "name": "PHI access — clinical staff only",
  "effect": "allow",
  "rules": [{
    "conditions": [
      {"field": "resource.classification", "operator": "eq", "value": "phi"},
      {"field": "principal.groups", "operator": "contains", "value": "clinical-staff"}
    ]
  }],
  "selectors": [{"connector_type": "pgvector"}]
}

Pair this with a deny policy on restricted classifications. The allow policy above only grants clinical staff, and deny-by-default already blocks everyone else; the explicit deny is defense in depth, so that restricted PHI still cannot flow to unauthorized principals if a later allow policy is misconfigured.
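To make the evaluation order concrete, the following Python model (an added example, not Gateco's engine or SDK) loads the allow policy above plus a companion deny policy written in the same shape, runs a keyword search over a constructed corpus, and then filters the hits per principal. Only the policy schema comes from the page; everything else is an assumption to verify against Gateco's documentation: that a policy matches when all conditions of one of its rules hold, that selectors scope a policy to a connector type, that a matching deny takes precedence over an allow, and that "eq" and "contains" are plain equality and membership. The documents, principals and audit fields are constructed for the example.

```python
"""Late-binding, deny-by-default policy evaluation over retrieval hits (illustrative model)."""
import json

# The allow policy from the page, unchanged.
ALLOW_POLICY = json.loads("""
{
  "name": "PHI access — clinical staff only",
  "effect": "allow",
  "rules": [{
    "conditions": [
      {"field": "resource.classification", "operator": "eq", "value": "phi"},
      {"field": "principal.groups", "operator": "contains", "value": "clinical-staff"}
    ]
  }],
  "selectors": [{"connector_type": "pgvector"}]
}
""")

# Companion deny policy in the same shape ("effect": "deny" is an assumed value).
DENY_RESTRICTED = json.loads("""
{
  "name": "Restricted classification - always deny",
  "effect": "deny",
  "rules": [{"conditions": [
    {"field": "resource.classification", "operator": "eq", "value": "restricted"}
  ]}],
  "selectors": [{"connector_type": "pgvector"}]
}
""")

POLICIES = [ALLOW_POLICY, DENY_RESTRICTED]


def lookup(ctx, path):
    """Resolve a dotted field like 'principal.groups'; a missing attribute yields None."""
    node = ctx
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def condition_holds(cond, ctx):
    actual = lookup(ctx, cond["field"])
    op = cond["operator"]
    if op == "eq":
        return actual == cond["value"]
    if op == "contains":
        return isinstance(actual, (list, tuple, set, str)) and cond["value"] in actual
    raise ValueError(f"unsupported operator {op!r}")  # fail closed on unknown operators


def policy_matches(policy, ctx):
    """Assumed semantics: selectors scope by connector; a rule matches when all conditions hold."""
    connector = ctx["resource"].get("connector_type")
    if not any(s.get("connector_type") == connector for s in policy["selectors"]):
        return False
    return any(all(condition_holds(c, ctx) for c in rule["conditions"]) for rule in policy["rules"])


def decide(policies, principal, resource):
    """Return (decision, policy_name). Deny overrides allow; no match is a default deny."""
    ctx = {"principal": principal, "resource": resource}
    matched = [p for p in policies if policy_matches(p, ctx)]
    for p in matched:
        if p["effect"] == "deny":
            return "deny", p["name"]
    for p in matched:
        if p["effect"] == "allow":
            return "allow", p["name"]
    return "deny", None


def retrieve(query, principal, corpus, policies):
    """Late binding: search first, then authorize every hit for THIS principal and log it."""
    hits = [doc for doc in corpus if query.lower() in doc["text"].lower()]
    allowed, audit = [], []
    for doc in hits:
        decision, policy_name = decide(policies, principal, doc)
        audit.append({"principal_id": principal["id"], "resource_id": doc["id"],
                      "policy_id": policy_name, "decision": decision})
        if decision == "allow":
            allowed.append(doc["id"])
    return allowed, audit


# Constructed sample data, not real records or real principals.
CORPUS = [
    {"id": "note-1", "connector_type": "pgvector", "classification": "phi", "text": "Patient discharge summary"},
    {"id": "note-2", "connector_type": "pgvector", "classification": "restricted", "text": "Patient billing dispute"},
    {"id": "doc-3", "connector_type": "pgvector", "classification": "public", "text": "Patient intake template"},
    {"id": "note-4", "connector_type": "s3", "classification": "phi", "text": "Patient lab results"},
]
CLINICIAN = {"id": "u-101", "groups": ["clinical-staff"], "department": "cardiology"}
ANALYST = {"id": "u-202", "groups": ["analytics"], "department": "finance"}
# A deliberately misconfigured allow: the deny policy must still win for note-2.
MISCONFIGURED_ALLOW = {"name": "oops", "effect": "allow",
                       "rules": [{"conditions": [{"field": "resource.classification", "operator": "eq", "value": "restricted"}]}],
                       "selectors": [{"connector_type": "pgvector"}]}

if __name__ == "__main__":
    for who in (CLINICIAN, ANALYST):
        allowed, audit = retrieve("patient", who, CORPUS, POLICIES)
        print(who["id"], "sees", allowed)
        for rec in audit:
            print("  ", rec)
    print("with misconfigured allow:", decide(POLICIES + [MISCONFIGURED_ALLOW], ANALYST, CORPUS[1]))
```

Running it shows u-101 receiving only note-1: note-2 is blocked by the deny policy, doc-3 has no allow policy covering it and falls to the default deny, and note-4 comes from a connector the allow policy does not select. Adding the misconfigured allow for classification=restricted changes nothing for note-2 because the deny still matches, which is the property the pairing above relies on.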

Frequently asked questions

Is a HIPAA Business Associate Agreement (BAA) available?
A HIPAA BAA is on our roadmap. Contact enterprise@gateco.ai to discuss your timeline and current controls. Many customers use Gateco's deny-by-default model and ABAC policies today for PHI access control before formal BAA availability.
How does Gateco's architecture support the HIPAA minimum necessary standard?
The minimum necessary standard (45 CFR §164.502(b)) requires limiting PHI use and disclosure to the minimum needed to accomplish a purpose. Gateco's late-binding authorization enforces this at retrieval time: policy conditions can classify documents as PHI and restrict them to principals with specific clinical roles or groups, so an AI application receives only the records the requesting user is authorized to see rather than every record matching the query.
Can I classify PHI documents in Gateco and restrict access to authorized users?
Yes. Use resource classification (e.g. classification=phi or classification=restricted) combined with ABAC conditions on principal attributes like role or department. A policy allowing only principals with role=clinician to retrieve resources with classification=phi enforces the minimum necessary standard at the retrieval layer.

BAA roadmap

We are targeting HIPAA BAA availability alongside our SOC 2 Type II certification (H2 2026). Enterprise customers with active HIPAA requirements can contact enterprise@gateco.ai to discuss current controls, timeline, and whether Gateco's existing technical safeguards are sufficient for their use case under a custom agreement.

HIPAA questions

Contact us to discuss your HIPAA requirements and whether Gateco's current controls meet your compliance posture.