HIPAA Compliance at LLM Bastion

LLM Bastion provides technical safeguards to assist organizations in meeting their HIPAA (Health Insurance Portability and Accountability Act) obligations when using Large Language Models.

Technical Safeguards

  • Access Control: Unique user identification and emergency access procedures are enforced via API Key management and RBAC (Role-Based Access Control).
  • Audit Controls: All PHI (Protected Health Information) detection events are logged to an immutable, time-partitioned audit trail.
  • Integrity: Data in transit is protected via TLS 1.3, and data at rest (redacted findings) is encrypted using AES-256-GCM.
  • Transmission Security: LLM Bastion acts as a secure proxy, ensuring no PHI is transmitted to unauthorized LLM providers.

The 18 HIPAA Identifiers

We automatically detect and redact the following 18 identifiers:

  1. Names
  2. All geographic subdivisions smaller than a state
  3. All elements of dates (except year) for dates directly related to an individual
  4. Telephone numbers
  5. Fax numbers
  6. Email addresses
  7. Social security numbers
  8. Medical record numbers
  9. Health plan beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Vehicle identifiers and serial numbers (VIN)
  13. Device identifiers and serial numbers
  14. Web Universal Resource Locators (URLs)
  15. Internet Protocol (IP) address numbers
  16. Biometric identifiers
  17. Full face photographic images and any comparable images
  18. Any other unique identifying number, characteristic, or code

Implementation Details

HIPAA rules are implemented via the RegexDetector and can be enabled per-account in the Compliance Settings dashboard.
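As an added illustration of what a regex-based detector of this kind does (example code, not LLM Bastion's RegexDetector), the Python below detects and redacts a handful of the identifiers listed above and produces an audit record that carries categories and counts rather than the matched PHI; the patterns, the sample record and the account id are constructed, and the categories a regex cannot cover (names, biometrics, photographs) are deliberately left out.

```python
import re
from datetime import datetime, timezone

# Constructed patterns for a subset of the 18 Safe Harbor identifiers.  Names,
# biometrics and photographs cannot be matched by regex alone, so they are
# deliberately absent; a regex-only detector needs other detectors (e.g. NER)
# for those categories.
PHI_PATTERNS = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "PHONE": re.compile(r"(?<!\d)(?:\+1[\s-])?\(?\d{3}\)?[\s.-]\d{3}[\s.-]\d{4}\b"),
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "MRN": re.compile(r"\bMRN[:#]?\s*\d{6,10}\b"),
    "DATE": re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"),
    "IP": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "URL": re.compile(r"https?://[^\s]+"),
}

def detect(text):
    """Non-overlapping findings as (start, end, category), sorted by position."""
    spans = [(m.start(), m.end(), cat)
             for cat, pat in PHI_PATTERNS.items() for m in pat.finditer(text)]
    spans.sort(key=lambda s: (s[0], -s[1]))  # earliest first; on ties, longest
    findings, last_end = [], -1
    for start, end, cat in spans:
        if start < last_end:  # overlaps a match already kept (e.g. an IP inside a URL)
            continue
        findings.append((start, end, cat))
        last_end = end
    return findings

def redact(text):
    """Replace each finding with a category token such as '[SSN]'."""
    findings = detect(text)
    out = text
    for start, end, cat in reversed(findings):  # right to left keeps offsets valid
        out = out[:start] + f"[{cat}]" + out[end:]
    return out, findings

def audit_event(findings, account_id):
    """Audit record for a detection event: categories and counts only, never the PHI."""
    counts = {}
    for _, _, cat in findings:
        counts[cat] = counts.get(cat, 0) + 1
    return {"ts": datetime.now(timezone.utc).isoformat(),
            "account": account_id, "findings": counts}

# Constructed sample record; no real patient data.
SAMPLE = ("Patient John Doe, MRN 00123456, DOB 04/12/1961, SSN 123-45-6789, "
          "phone (555) 123-4567, email jdoe@example.com, seen from 10.0.0.5.")
```

Note that "John Doe" survives redaction: a regex layer alone does not satisfy identifier 1, which is why it must be combined with other detectors.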