This data processing is done on Nabla's servers, which are powered by the HIPAA and GDPR compliant Google Cloud Platform (GCP), and on HIPAA-eligible LLM servers.
I was very curious about this and did a bit of research. The answer to it is squishy. It seems to be mostly a marketing term. The best definition I found was this:
"A service that is HIPAA eligible is one that is capable of being configured in a way that could meet HIPAA compliance requirements, but you have to know how to do it, it doesn’t happen ‘out of the box.’"
* they may be HIPAA-compliant (i.e., they fulfill the requirements),
* they haven't gone through a HIPAA-certification (no third-party cert),
* they aren't using services that aren't HIPAA-certifiable
The latter point is important, because there are some services (e.g. Firebase) that apparently won't be HIPAA compliant. Some services are HIPAA-compliant if configured correctly. AWS has a list. I believe Google does too.
There are a bunch of HIPAA guides out there.
So as a demo, it's not a big deal. But if they start selling this, they need at least to be HIPAA-compliant, with certification on the roadmap.
HIPAA is a self-certification. You can claim compliance simply by following the rules. Therefore, you're either HIPAA compliant or you're not. I have never heard anyone describe it as being HIPAA-eligible.
HITRUST is a third party audit with higher standards than HIPAA. That is not a self-attestation.
I’ve spent a bunch of time in this space. Most of the major players offer HIPAA compliant services and sign BAAs. As of now, I don’t believe OpenAI offers a BAA, so this is dead in the water.
Well, HIPAA can be self-certified, but that probably won't stand up in court so most organizations will pay a third-party provider to perform the certification for them. That also lets you see the gaps, because HIPAA is big.
Here's AWS's list of HIPAA-eligible services. HIPAA-eligible is technology-provider specific:
Hi everyone! We’re of course well aware of the importance of HIPAA for all organizations operating in the US. To clear up any confusion: HIPAA-eligible means in our case that we’re ready to sign BAAs.
Either they are offering to sign a HIPAA BAA or they aren't. If they aren't, it's HIPAA-radioactive. HIPAA-eligible for this kind of service is meaningless; when you have PHI going through a third-party system, it's BAA or GTFO.
Their website seems to suggest it is a French company with a US office. The issues around HIPAA would not be there and would instead be replaced by GDPR.
The blog posts also mention French trained ML.
> Cedille is a new open source French language model created by Coteries. It is trained to understand and write French and is also the largest model of its kind for French. Cedille is trained using large databases of publicly available content on the internet filtered for toxic content.
Expanding into the US, yes - they would need to deal with HIPAA, but until they do they likely don't need to.
> Secure and HIPAA-eligible

Digging deeper (https://www.nabla.com/blog/privacy-security/):

> This data processing is done on Nabla's servers, which are powered by the HIPAA and GDPR compliant Google Cloud Platform (GCP), and on HIPAA-eligible LLM servers.