MICKAI
Compliance · Protected health information that never leaves the building

HIPAA

The US HIPAA Privacy, Security and Breach Notification Rules govern how protected health information (PHI) is used, disclosed, safeguarded and audited by covered entities and their business associates. Mickai runs the entire clinical and administrative workload on hardware the organisation owns, fully offline, so PHI is never disclosed to a cloud AI service and no business-associate relationship with the AI vendor arises. Because the data is never transmitted outside the organisation's own hardware, the Security Rule's technical safeguards (access control, audit controls, integrity and transmission security) are enforced by architecture for that workload, and every access is sealed to a post-quantum Open Audit Record a regulator can inspect. The Rule's administrative and physical safeguards, such as the risk analysis, workforce training and facility access controls, remain the covered entity's own obligations wherever the system runs.

Why the cloud cannot satisfy this

Protected health information is among the most sensitive data any organisation holds, and HIPAA treats every disclosure to a third party as a controlled event. Sending it to a cloud AI service creates a business-associate relationship under the Privacy Rule, with an agreement to negotiate and police, and expands the attack surface the Security Rule must defend into an environment you neither own nor can inspect first-hand. The Security Rule's technical safeguards demand enforced access control, audit controls that record activity in every system holding health data, integrity protection and transmission security, all of which are harder to evidence when the data and the model sit in a multi-tenant cloud. The Breach Notification Rule then keeps you accountable, as the covered entity, for incidents inside that vendor environment, with notification due without unreasonable delay and in no case later than 60 days after discovery. Mickai removes the business associate from the AI workflow by keeping every record, model and audit entry on hardware the organisation owns, fully offline, so protected health information is never disclosed outside your perimeter. Access control is enforced locally, every read and write is sealed to an immutable Open Audit Record, and there is no transmission to a third party to secure, which meets the technical safeguards by construction for the AI workload. Traffic on your own network, for example between a clinician's workstation and the Mickai hardware, still falls under the transmission-security safeguard and remains yours to protect.

How Mickai meets it

Six HIPAA obligations, each met by construction on hardware you own and mapped to the subsystem that enforces it.

Enforced by: Air-gapped architecture. Removes: cloud business-associate agreements and third-party PHI disclosure.

No Business Associate Disclosure

Because the sovereign brains process protected health information on hardware you own, no health data is disclosed to an external AI service, so no business-associate relationship with the AI vendor has to be established, contracted or policed under the Privacy Rule. This holds only as long as the vendor never creates, receives, maintains or transmits PHI on your behalf, including during support or maintenance; a vendor that can reach PHI during such work is a business associate regardless of where the hardware sits. Your organisation retains full custody of every record, and no shared model is exposed to patient data on behalf of another customer. This removes the AI vendor from the disclosure chain entirely; custody is enforced by architecture rather than by a business-associate agreement.

Enforced by: TPM attestation. Removes: cloud identity and access controls over PHI.

Access Control (Technical Safeguards)

Mickai gates every read and write of protected health information behind TPM-attested device identity and platform state plus least-privilege clearance, satisfying the Security Rule's access-control safeguard on hardware you own. Access descends to the record level and can be scoped per role and per tenant, so a clinician sees only what their authority permits. Nothing is exposed to a shared cloud identity layer, and every access decision is made and enforced inside your perimeter. Note what attestation proves: it establishes which machine is speaking, not which person, so the safeguard's unique-user-identification and emergency-access-procedure requirements still have to be provisioned and documented by the organisation on top of it.

Enforced by: Open Audit Record. Removes: cloud logging and SIEM services for PHI access.

Audit Controls Over Every PHI Access

The Security Rule requires mechanisms that record and examine activity in systems containing protected health information, and Mickai meets the recording half by sealing every access, use and disclosure to a post-quantum Open Audit Record. The trail captures the actor, the record touched, the purpose and the time, and it is tamper-evident and reproducible for an auditor. There is no reliance on a vendor's logging tenancy; the audit control is generated as a by-product of the work itself. The examining half, the Rule's regular information-system activity review and the six-year retention of that documentation, remains a procedure the organisation must run against the trail and be able to evidence.

Enforced by: Open Audit Record. Removes: cloud transmission encryption and data-integrity tooling.

Integrity and Transmission Security

Because protected health information is processed in place on owned hardware, there is no transmission to an external service to secure, which satisfies the transmission-security safeguard for the AI workload by removing the exposure rather than encrypting around it. Integrity is protected by sealing each record change to the audit trail, so any alteration made through the system is detectable and attributable. Health data never crosses a network to a third party. Traffic on your own network between workstations and the Mickai hardware is still in scope for the safeguard and needs the encryption and integrity controls it expects; only the third-party leg is removed by construction.

Enforced by: Nomos. Removes: cloud data-access policies and manual minimum-necessary review.

Minimum Necessary Use and Disclosure

Mickai processes only the health information required for each clinical or administrative task and enforces minimum-necessary rules against your own policy, all on owned hardware. This supports the Privacy Rule's minimum-necessary standard by keeping the scope of every use and disclosure tightly bounded and locally enforced. The limits are expressed as signed policy and applied before any processing, so no data beyond what the policy permits is surfaced to a model or an operator. The policy should mirror the standard's own carve-outs: minimum necessary does not apply to disclosures to a provider for treatment, to disclosures to the individual, or to uses and disclosures the individual has authorised, so rules written without those exceptions will block legitimate clinical access.

Enforced by: Sentinel. Removes: cloud breach-notification dependencies and shared-tenancy PHI exposure.

Breach Surface Reduction and Notification Evidence

By removing the cloud AI service and the network egress path, Mickai takes the vendor-side and multi-tenant breach classes out of the picture, materially reducing the surface assessed under the Breach Notification Rule. Any incident is contained within your own perimeter, and the sealed audit trail shows exactly which health data was accessed, by whom and when, which is the evidence the Rule's risk assessment and the 60-day notification clock depend on. There is no vendor environment you cannot see into. Containment and evidence are both local and provable; insider misuse and lost devices inside the perimeter remain breaches you must still assess and, where required, report.

The sovereign advantages

The advantages hold across every framework, and they are architectural, not promotional. The third-party cloud-exposure vector is removed; your own physical, insider and compliance controls remain yours.

Zero-trust data privacy

The data never leaves your hardware, so no third party and no cloud-provider employee ever sees it. What happens in the server room stays in the server room.

No vendor lock-in or outage exposure

You own the compute and the capability, so the system runs independent of the internet and of any cloud vendor's pricing, terms, or availability.

Data residency by default

The data never crosses a geographical or digital border because it never leaves the building, which removes the cross-border-transfer and third-party-processing friction of UK GDPR, Schrems II, and the sector rules. You keep your own obligations.

Proprietary advantage stays private

Fine-tune and run retrieval on your deepest archives to build a hyper-customised co-pilot, with no risk of your proprietary edge training a public model or leaking.

Predictable total cost of ownership

After the hardware and licence, queries cost essentially electricity. A capital asset you own and depreciate, instead of volatile per-token cloud bills.

The zero-espionage trust vault

There is no third-party cloud path, so no competitor and no vendor insider can intercept your prompts or your fine-tuned weights in transit, and no cloud provider holds copies that could be scraped or compelled by legal process served on the vendor. The trust vault is closed by architecture; legal process served on your own organisation still reaches the data you hold.

Immunity to regulatory drift

You own the software snapshot on your own hardware, so a change to a cloud vendor's terms, a model deprecation or an outage cannot reach you. The system stays predictable and auditable on-premise as the rules evolve. The flip side of an offline snapshot is that security patches and model updates arrive only through your own change-management process, so that process needs to exist and be evidenced.

Questions
Can a healthcare AI system meet HIPAA fully on-premise and offline?

Yes. Mickai runs the entire clinical and administrative workload on hardware the organisation owns, fully offline, so protected health information is never disclosed to a cloud AI service and no business-associate relationship with the AI vendor arises. Access control, audit controls, integrity and transmission security are enforced by architecture for that workload, and every access is sealed to a post-quantum Open Audit Record. The technical safeguards are met by construction rather than by a vendor agreement; the administrative and physical safeguards, the risk analysis, policies and facility controls, remain the covered entity's own work.

Does Mickai become a business associate under HIPAA?

No, provided the vendor never creates, receives, maintains or transmits PHI on your behalf. Because the sovereign brains process protected health information on your own hardware, no health data is disclosed to an external service, so no business-associate relationship is created under the Privacy Rule. Check that the deployment keeps it that way: any support or maintenance arrangement that would give the vendor access to PHI would make it a business associate and require an agreement. Your organisation retains full custody of every record, and no shared model is exposed to patient data.

How does Mickai satisfy the Security Rule technical safeguards?

Access control is enforced locally behind TPM-attested device identity and least-privilege clearance, every access to health data is sealed to a tamper-evident Open Audit Record for the audit-controls safeguard, and integrity is protected by recording each change to the trail. Because health data is processed in place, there is no transmission to a third party to secure, which satisfies transmission security for the AI workload by removing the exposure; traffic on your own network to the Mickai hardware still has to be protected. All four safeguards are met on hardware you own, and the organisation still documents the policies, user identities and log reviews the Rule expects around them.

Where does protected health information sit when Mickai runs a clinical task?

All protected health information remains on hardware the organisation owns, behind its own firewall, with zero data egress. Nothing is copied to a multi-tenant cloud or shared with an external provider at any stage of processing, and every access is sealed to a post-quantum Open Audit Record. The data is never transmitted outside the building; removable media and insider access remain governed by your own physical and administrative safeguards.

How does on-premise AI help with the HIPAA Breach Notification Rule?

By removing the cloud AI service and the network egress path, Mickai takes the vendor-side and multi-tenant breach classes out of the picture, which materially reduces the surface assessed under the rule. Any incident is contained within your own perimeter, and the sealed audit trail shows exactly which health data was accessed, by whom and when, supporting the risk assessment and timely, accurate notification the rule requires. There is no vendor environment you cannot see into; incidents inside your own perimeter are still yours to assess and, where required, report.

Is Mickai a cloud service for healthcare providers?

No. Mickai is a Sovereign Intelligence Operating System that runs entirely on hardware the customer owns, on-premise and offline, acquired as an owned asset rather than a metered subscription. The public cloud remains useful for non-regulated work; Mickai is the answer for the regulated health-data boundary where protected health information cannot safely sit in a shared environment.

Lawful B2B engagement

Bring HIPAA in-house.

Briefings are for organisations weighing a sovereign, on-premise deployment. Tell us about your estate and we will walk the obligations, the regulatory crosswalk and the deployment that fits.
