You want to ship with AI. You also have PHI. Now what?
Every model provider sort of supports HIPAA, but only through a narrow set of surfaces, tiers, and contractual gates. Pick the wrong endpoint and you are not compliant — even when the model is identical. This tool walks you to a known-good baseline so your compliance team has somewhere real to start.
FYI: A BAA is necessary, but not sufficient.
Signing a BAA only addresses one piece of HIPAA — the contractual safeguards your provider commits to. You still owe the full Privacy Rule and Security Rule on your side: administrative, physical, and technical safeguards, audit logs, breach notification, workforce training, minimum-necessary access, and so on. You also inherit your provider's subprocessor chain: any third party they pipe PHI through (hosting, observability, content moderation, evals) must itself be covered by a downstream (subcontractor) BAA. Review each provider's subprocessor list before going live. This walkthrough gets you to a vendor-side baseline; your own controls are a separate problem.
FYI: Zero Data Retention is not a HIPAA requirement.
ZDR is a provider-specific contractual construct. Whether you actually need it depends on the provider (OpenAI requires it; Google and Anthropic mostly don't) and on your own internal data-handling policies — not on HIPAA itself. The walkthrough will tell you when each provider contractually requires it.