L LLM Cloud Hub
Compliance category

HIPAA-compliant LLM APIs

LLM providers that sign a Business Associate Agreement (BAA) for HIPAA-eligible workloads.

Why this matters

Required when LLM traffic may contain Protected Health Information (PHI). Without a BAA in place, sending PHI to an LLM API is a HIPAA violation.

Badge legend EU EU-hosted: inference and logs run inside EU data centers. Glossary → US US-hosted: data residency in US data centers (often configurable per region). Glossary → HIPAA Provider signs a Business Associate Agreement enabling PHI traffic under HIPAA. Glossary → SOC 2 SOC 2 Type II report — controls audited as effective over a 6–12 month observation window. Glossary → ISO 27001 ISO/IEC 27001 — international information-security management standard. Often required by enterprise procurement. Glossary →

Matching providers

5 total
Amazon
/amazon
AWS Bedrock: not used for training, no retention beyond request
EU US HIPAA SOC 2 ISO 27001
Last reviewed 2026-05-09 · source on file
Anthropic
/anthropic
Zero retention by default for API traffic
US HIPAA SOC 2 ISO 27001
Last reviewed 2026-05-09 · source on file
Google
/google
Configurable; zero retention available on Vertex AI
EU US HIPAA SOC 2 ISO 27001
Last reviewed 2026-05-09 · source on file
Microsoft
/microsoft
Azure OpenAI: prompts not used for training
EU US HIPAA SOC 2 ISO 27001
Last reviewed 2026-05-09 · source on file
OpenAI
/openai
Zero retention available via API; 30 days otherwise
US HIPAA SOC 2 ISO 27001
Last reviewed 2026-05-09 · source on file

Compliance posture changes over time. The "last reviewed" date on each card is when a human last verified the corresponding flag against the provider's published security material. For a regulated workload, always confirm directly with the provider before sending production data.

Frequently asked questions

Which LLM providers offer hipaa-compliant llm apis?

5 providers in our catalog are flagged for HIPAA-compliant LLM APIs, including Amazon, Anthropic, Google, Microsoft and OpenAI. The flags are based on the providers' own published documentation; verify with their legal/sales team before signing.

Why does HIPAA-compliant LLM APIs matter for LLM workloads?

Required when LLM traffic may contain Protected Health Information (PHI). Without a BAA in place, sending PHI to an LLM API is a HIPAA violation.

How do I verify a provider really has HIPAA-compliant LLM APIs?

Compliance flags on LLM Cloud Hub track whether providers publicly document the relevant attestation, BAA, or DPA — not whether *your* contract will include it. Always request a copy of the actual document from the provider before sending any regulated traffic. Pricing and compliance flags are refreshed nightly; the date of last review is shown on each provider page.

Keyboard shortcuts

?
Show this overlay
/
Focus the first form field
g h
Go to / (home)
g b
Go to /best-llm-for
g c
Go to /cost
g s
Go to /self-hosted
g x
Go to /compliance
Esc
Close any overlay

Inspired by Linear and GitHub conventions. The two-key sequences (g then h) work within ~1 second.