HIPAA
HIPAA compliance and Business Associate Agreement (BAA) for healthcare customers.
Overview
Future AGI supports HIPAA compliance for healthcare organizations that process protected health information (PHI) through our platform. A Business Associate Agreement (BAA) is available for customers on Scale and Enterprise plans.
HIPAA-Eligible Infrastructure
When operating under a BAA, Future AGI provisions a dedicated, HIPAA-eligible environment with the following characteristics:
- Dedicated US region deployment (us-east-1) with data residency guarantees
- Isolated compute and storage resources that are not shared with non-HIPAA workloads
- Enhanced audit logging covering all access to and operations on PHI
- Restricted administrative access with additional approval workflows for any data-plane operations
PHI Safeguards
Technical Safeguards
- Encryption — PHI is encrypted in transit (TLS 1.2+) and at rest (AES-256) across all storage layers
- Access controls — Role-based access with least-privilege principles, enforced MFA, and SSO integration
- Audit logging — Comprehensive, immutable audit logs of all PHI access, modifications, and deletions
- Automatic session termination — Configurable idle session timeouts to prevent unauthorized access
Administrative Safeguards
- Designated Security Officer responsible for HIPAA compliance
- Workforce training on PHI handling and privacy obligations
- Regular risk assessments aligned with the HIPAA Security Rule
- Documented incident response procedures specific to PHI breaches
How to Get Set Up
- Contact us — Email sales@futureagi.com to discuss your HIPAA requirements
- Sign a BAA — We will execute a Business Associate Agreement covering the services in scope
- Provision your environment — Our team will set up your dedicated HIPAA-eligible environment with the appropriate controls and configurations
- Onboard your team — We provide guidance on configuring your workspace to maintain HIPAA compliance
Breach Notification
In the event of a confirmed breach involving PHI, Future AGI will notify the affected customer within 72 hours of discovery, in accordance with the HIPAA Breach Notification Rule. Notifications include the nature of the breach, the data involved, steps taken to mitigate harm, and recommended actions.
Data Handling
PHI is processed only as necessary to deliver the contracted services. Customer PHI is:
- Never used for model training — PHI is not used to train, fine-tune, or improve any machine learning models
- Never shared with third parties except as required to deliver the service and as documented in the BAA
- Retained only as long as necessary per the customer’s configured retention policy, after which it is securely deleted