Need full HIPAA? How we handle it

If your program is a covered entity — or you simply want to meet the full HIPAA bar — we can support that. This is a high-level overview of how we think about the regulated path: message channel, infrastructure, AI model, and vendor BAAs.

Not every MediMatch program requires full HIPAA. For the cases where HIPAA does not apply to typical Medicare lead flows, see our HIPAA & Medicare Lead Generation guide.

Message channel

A messaging channel that may carry PHI or PII is part of the regulated path — not just the AI behind it. The channel may be managed by Side Nerd or by your organization (covered entity / client). Depending on your maturity and contractual requirements, there are two routes:

Option A · We manage it

We sign a BAA

If Side Nerd manages the channel and your messages may include PHI or PII, we can execute a Business Associate Agreement and run the channel on BAA-covered, HIPAA-eligible infrastructure.

Option B · You manage it

Scrub in your own infrastructure

If you'd rather raw data never leave your environment, we can provide a deployment package that detects and removes PII/PHI inside your own infrastructure before messages reach us.
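As an added illustration of the Option B pattern (this is example code, not Side Nerd's deployment package, whose internals this page does not describe), the block below is a minimal pre-egress scrubber: it runs inside the client environment, detects common PHI/PII identifier formats in an outbound message, replaces each with a category token, and refuses egress while anything still matches. The sample message is constructed, the `[REDACTED:category]` token format is an assumption, and the Medicare Beneficiary Identifier regex approximates the published MBI character rules rather than validating a real identifier.

```python
import re
from dataclasses import dataclass, field

# Identifier formats to strip before a message leaves the client environment.
# Order matters: SSN runs before phone so the 3-2-4 form is never mistaken
# for a partial 3-3-4 phone number. Patterns use digit lookarounds instead of
# \b so values wrapped in "(" or "+" still match.
PATTERNS = {
    "ssn": re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)"),
    "phone": re.compile(
        r"(?<!\d)(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}(?!\d)"
    ),
    "email": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
    # US-style date of birth, MM/DD/YYYY with 19xx or 20xx years.
    "dob": re.compile(
        r"\b(?:0?[1-9]|1[0-2])/(?:0?[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b"
    ),
    # Approximation of the 11-character Medicare Beneficiary Identifier:
    # digit 1-9, letter, alphanumeric, digit, letter, alphanumeric, digit,
    # letter, letter, digit, digit; letters exclude S, L, O, I, B, Z.
    "mbi": re.compile(
        r"\b[1-9][AC-HJKMNP-RT-Y][AC-HJKMNP-RT-Y0-9]\d-?"
        r"[AC-HJKMNP-RT-Y][AC-HJKMNP-RT-Y0-9]\d-?[AC-HJKMNP-RT-Y]{2}\d{2}\b"
    ),
}


@dataclass
class ScrubResult:
    """Scrubbed text plus per-category hit counts (counts only, never values,
    so the audit record itself carries no PHI)."""
    text: str
    counts: dict[str, int] = field(default_factory=dict)


def scrub(message: str) -> ScrubResult:
    """Replace every detected identifier with a [REDACTED:category] token."""
    counts: dict[str, int] = {}
    for name, pattern in PATTERNS.items():
        message, n = pattern.subn(f"[REDACTED:{name}]", message)
        if n:
            counts[name] = n
    return ScrubResult(text=message, counts=counts)


def residual_findings(text: str) -> list[str]:
    """Categories that still match after scrubbing; used as the egress gate."""
    return [name for name, pattern in PATTERNS.items() if pattern.search(text)]


def ready_for_egress(result: ScrubResult) -> bool:
    """Only release a message once no pattern matches the scrubbed text."""
    return not residual_findings(result.text)


# Constructed sample message; every identifier below is fictitious.
SAMPLE_MESSAGE = (
    "Hi, this is Jane. My DOB is 03/14/1958, SSN 123-45-6789, "
    "Medicare ID 1EG4-TE5-MK73. Call me at (555) 010-2222 or "
    "jane.doe@example.com."
)

if __name__ == "__main__":
    result = scrub(SAMPLE_MESSAGE)
    print(result.text)
    print("redaction counts:", result.counts)
    print("ready for egress:", ready_for_egress(result))
```

Regular expressions catch structured identifiers only; free-text PHI such as the name "Jane" or a diagnosis passes through untouched, so a production scrubber pairs patterns like these with a named-entity or dictionary stage and treats `residual_findings` as a hard block rather than a warning. Logging counts instead of matched values keeps the scrubber's own audit trail outside the PHI path.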

Infrastructure, AI model & vendor BAAs

When the full HIPAA bar applies, compliance runs through the whole stack — not just the channel endpoint. At a high level:


Infrastructure

PHI is processed only on HIPAA-eligible services with appropriate access controls, encryption, and logging. Architecture and subprocessors are scoped to your engagement.


AI model

Model inference is configured so PHI handling matches your legal posture — including whether prompts may contain health information and how outputs are retained.


Vendor BAA chain

Where Side Nerd acts as a business associate, downstream vendors in the PHI path carry appropriate BAAs or equivalent contractual protections.


Which route fits

Organizational maturity, covered-entity status, and downstream contract requirements all factor in. We work through the right configuration with your team — there is no one-size-fits-all answer.

Additional compliance package

Need vendor-assessment depth for security, legal, or procurement review? We share a full Security & Compliance Package on request — including Security Program Overview, Subprocessor & Data-Handling Disclosure, Incident Response & Breach Notification, and Security & Compliance Overview. Available under NDA.

Not a commitment. This is a high-level informational overview for enterprise discussions — not a proposal, offer, contract, service-level commitment, or warranty, and not legal advice. Specific scope, feasibility, and terms are established only through a written engagement agreement. Whether HIPAA applies, and your covered-entity / business-associate status, are fact-specific determinations to confirm with qualified privacy counsel.