Healthcare AI development for US hospital networks, healthtech, payers, and providers.

HIPAA does not have a third-party vendor certification scheme — that is precisely why the Business Associate Agreement structure exists under the Privacy Rule. What Aiinfox provides is HIPAA-aligned engineering controls: a signed BAA before any PHI is shared, US-region inference, customer-controlled cloud deployment, audit logs on every model and tool call, least-privilege access through your identity provider, and PHI masking in non-production environments. We will not market a HIPAA certification we cannot hold. We will sign the BAA, document the data flow, and stand behind the controls in writing. For US healthcare engagements, our control set is also SOC 2-aligned at the engagement level — your CISO can drop our work into your existing Type II scope.

The BAA covers permitted uses and disclosures of PHI, the safeguards required (administrative, physical, and technical, mapped to HIPAA Security Rule sections 164.308 / 164.310 / 164.312), subcontractor flow-down, breach notification timing (no later than 60 days after discovery, sooner where contractually agreed), termination and return-or-destruction obligations, and indemnification. We sign it before any PHI is shared — typically before kickoff. We work from your template or provide ours. If your engagement involves managed LLM inference, we ensure the downstream BAA chain holds: AWS Bedrock with Anthropic Claude has a BAA path, Azure OpenAI Service has a BAA path, and self-hosted open-weight models on vLLM inside your VPC do not require an external BAA because no third party is processing PHI.

Epic, Cerner Oracle Health, Athenahealth, NextGen, eClinicalWorks, and Meditech via the standards your team already operates. FHIR R4 is the default modern surface — patient, encounter, observation, medication, condition, allergy, document reference resources read and written through standard endpoints. SMART on FHIR for in-EHR app launch where the workflow embeds inside the clinician's Epic or Cerner session. HL7 v2 ADT and ORU feeds for legacy interfaces. DICOM for imaging where the workflow requires it. We do not screen-scrape, we do not maintain a parallel patient database, and we do not require the customer to grant us a tenant-wide Epic App Orchard or Cerner Code account — we work inside your existing EHR integration posture.

Inside your AWS, Azure, or GCP account by default, in a US region you specify — us-east-1 (N. Virginia), us-west-2 (Oregon), and AWS GovCloud for federal-adjacent workloads are the patterns we run most. For inference, you have three options. One: managed LLMs with BAA — Anthropic Claude via AWS Bedrock (US-region, BAA available), OpenAI via Azure OpenAI Service (US-region, BAA available). Two: self-hosted Llama 3 / 3.1 on vLLM inside your VPC — zero third-party inference, full control of logging, GPU autoscaling, sub-second latency for ambient scribing. Three: hybrid — non-PHI prompts route to managed Claude or GPT-4o, PHI-bearing prompts route to self-hosted Llama. We will not silently route PHI through a non-US endpoint or an LLM provider's default logging path.

Five layers, applied together. Hybrid retrieval grounds every answer in your clinical corpus. Required inline citations link every claim to a source document — answers without retrievable citations are blocked at generation time. A refusal layer activates explicitly on safety-critical categories — drug dosage, contraindications, triage acuity, pediatric weight-based dosing — saying 'I cannot answer this — escalating to a clinician' rather than guessing. Confidence scoring routes low-confidence answers to a human review queue. An eval harness blocks any prompt or model change that regresses safety-critical accuracy against a clinician-reviewed reference set. The reference deployment lands 98.4% citation accuracy and zero policy-violating answers across 90 days of production traffic.

We will build systems that assist clinicians — ambient scribing, document intelligence, patient inquiry, clinical RAG, prior auth triage — without crossing into Software as a Medical Device territory. For deployments that genuinely produce a clinical diagnosis, a treatment recommendation, or a triage acuity that drives clinical action without a clinician in the loop, the build belongs inside your regulatory affairs team's FDA SaMD pathway, and we will tell you on the first call. We are happy to serve as the engineering partner inside that pathway — design controls, traceability matrices, verification and validation against your QMS — but we will not be the regulatory authority for an SaMD submission, and we will not pretend the FDA's 510(k), De Novo, or PMA pathways are paperwork your AI vendor handles on the side.

Yes — takeover audits for HIPAA workloads are routine. Step one is a PHI data-flow audit: where does PHI actually touch storage, inference, logging, and analytics, and which of those endpoints has a BAA? Step two is reading the code, evals (if any), refusal layer, and audit-log schema, then shipping the smallest valuable change to prove the system is now operable. Step three is the longer-term plan — incremental remediation, a parallel rebuild, or shutting it down. Most takeovers we see did not need a full rewrite; they needed a missing BAA, US-region inference pinning, a refusal layer, and an audit-log schema that could survive an OCR question.

Senior engineering rates at Aiinfox land roughly 30 to 50 percent below equivalent US HIPAA-experienced AI consultancies — real, but it is not the headline. The headline is the delivery model: senior engineers only, fixed-price six-week scope, overrun cost on us if we miss for reasons on our side, BAA in hand before kickoff. Most US healthcare AI consultancies bill timesheets, run multi-month discovery, and either churn senior staff onto bigger accounts or staff a junior pool behind a senior nameplate. We bill shipped systems; the engineer on your kickoff call writes your code through launch. Most v1 US healthcare AI engagements land between $40,000 and $180,000 fixed-price depending on EHR integration depth and regulatory scope.