HIPAA & the structural non-BA argument
The one-paragraph summary
On CloakAPI’s client-side ways — the desktop app, the browser extension, and the local proxy (base_url=http://localhost:8799/v1) — tokenisation happens inside your perimeter, before any request leaves your infrastructure, so CloakAPI’s servers receive only pseudonymous tokens and never your patients’ plaintext data. On those paths, many customers conclude that CloakAPI does not “create, receive, maintain, or transmit” Protected Health Information (PHI) on their behalf and so falls outside the regulatory definition of a Business Associate (BA) under HIPAA — a structural argument to evaluate with your own counsel, not legal advice.
If you instead point a bare SDK straight at https://api.cloakapi.io/api/v1, the gateway does not tokenise it: the gateway is a blind relay that forwards the request exactly as your application sent it, and it never inspects, detects, or tokenises content on our servers. Whatever PHI your application sends on that path transits the gateway untokenised — the bare-SDK path is not a structural non-BA path. Run the local proxy (Quickstart Option C) to keep tokenisation on your own machine, and review the threat model for your regulatory posture. A BAA is available for customers whose procurement process requires one.
1. The HIPAA Business Associate definition
Under 45 C.F.R. § 160.103, a Business Associate is a person or entity that, on behalf of a Covered Entity, performs a function or activity involving the use or disclosure of PHI, or provides services to a Covered Entity where the provision of the service involves PHI.
The critical phrase is “involving the use or disclosure of PHI.” A vendor that never receives PHI in any form — not even encrypted PHI — is not a BA.
2. How CloakAPI’s tokenisation works
Your machine — desktop app / browser extension / local proxy │ │ 1. Detect sensitive fields (PII, PHI, credentials) │ 2. Replace each value with a token, e.g. │ patient_name: "Alice Smith" │ → patient_name: "<PERSON_482>" │ 3. Store the mapping in your local vault (never sent out) │ ▼CloakAPI Gateway ← only receives the tokenised payload │ ▼Upstream LLM (OpenAI / Anthropic / etc.)On the client-side ways above, the mapping table (<PERSON_482> → Alice Smith) never leaves your infrastructure, and CloakAPI processes only the tokenised form, which contains no PHI. (A bare SDK pointed at api.cloakapi.io is the exception — the blind-relay gateway does not tokenise it, so whatever your application sends is relayed as-is; run the local proxy to tokenise on your own machine.)
What CloakAPI does see
| Field | Example received by CloakAPI | PHI? |
|---|---|---|
| Patient name | <PERSON_482> | No — opaque token |
| DOB | <DATE_17> | No — opaque token |
| Diagnosis code | <MED_CODE_3> | No — opaque token |
| Conversation structure | {"role":"user","content":"…"} | Structural only |
| Metadata | tenant ID, request timestamp, model | No PHI |
3. Why this is different from encryption
Encrypted PHI is still PHI — HIPAA’s Security Rule applies to ePHI regardless of encryption. A vendor that receives encrypted PHI and holds the decryption key is a BA.
CloakAPI does not hold decryption keys because there is nothing to decrypt. The tokens are not encrypted PHI — they are meaningless placeholders. CloakAPI cannot reconstruct the original data even if compelled.
This is sometimes called the “structural non-BA” position: the architecture makes BA status structurally impossible, not just contractually disclaimed.
4. Regulatory basis
The HHS guidance on Business Associates (https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html) states that a BA relationship arises when PHI is “used or disclosed” on behalf of a Covered Entity. HHS has consistently interpreted this to require access to identifiable PHI. A pseudonymisation layer that the Covered Entity controls — and whose mapping table never reaches the vendor — does not create a BA relationship.
The same principle underlies GDPR Recital 26 (data that does not relate to an identifiable natural person is not personal data), though HIPAA and GDPR use different frameworks.
5. What this means for healthcare customers
| Scenario | CloakAPI’s position |
|---|---|
| You use a client-side way (desktop app, browser extension, or the local proxy) so tokenisation happens on your machine | No PHI reaches CloakAPI — many customers conclude no BA relationship arises (evaluate with your counsel) |
You point a bare SDK at api.cloakapi.io | Not tokenised by us — the blind-relay gateway forwards the request as-is, so any PHI your application sends transits untokenised. Not a structural non-BA path — run the local proxy, or execute the BAA / see the threat model |
| Your procurement team requires a BAA regardless | A BAA template is available — see below |
6. Available BAA
CloakAPI provides a standard BAA template for healthcare customers. The template covers all required HIPAA provisions: permitted uses, safeguards, breach notification (60-day window), subcontractor obligations, access and amendment rights, accounting of disclosures, and return/destruction of PHI on termination.
Counter-signature flow:
- Download the BAA template (HTML — print to PDF from your browser)
- Have your counsel review and fill in the bracketed fields
- Email the signed PDF to legal@cloakapi.io
- CloakAPI will countersign and return within 5 business days
The BAA has not been approved by HHS or OCR. It is a starting-point template, not legal advice.
7. Sub-processors relevant to healthcare customers
If a BAA is executed, CloakAPI’s obligations flow through to its sub-processors. The following sub-processors may handle tokenised data (never PHI in plaintext):
| Sub-processor | Role | Region |
|---|---|---|
| Hetzner Online GmbH | Compute & storage | DE (EU) |
| Cloudflare, Inc. | Edge / CDN / WAF | EU/US |
| Anthropic, PBC | Claude completions (when routed) | US |
| OpenAI Ireland Ltd. | GPT completions (when routed) | EU/US |
| Stripe Payments Europe Ltd. | Billing only (no PHI) | IE |
Full list: cloakapi.io/legal/subprocessors
8. Questions
Contact trust@cloakapi.io for compliance questions, or legal@cloakapi.io to initiate a BAA.