BAA Registry
Source of truth: apps/api/src/config/baa-registry.yml
Every third-party service capable of receiving PHI is registered per-environment with BAA status, effective date, and region. Services call `BaaRegistry.assertCovered(vendor, service, env)` at module init. Missing coverage in prod → service refuses to start (FR-032).
Current vendors (summary)
| Vendor | Staging | Prod | Rationale |
|---|---|---|---|
| MongoDB Atlas | ✓ signed | ✓ signed (research cluster pending) | Core DB |
| Azure | ✓ signed | ✓ signed | Compute + Key Vault + Monitor |
| OpenAI | ✓ signed | ✓ signed | LLM primary (GPT-4o) |
| Google Cloud (Vertex AI) | ✓ signed | ✓ signed | LLM fallback (Gemini) |
| Epic | ✓ signed | ✓ signed | FHIR R4 EHR integration |
| Google Workspace | ✓ signed | ✓ signed | IdP (GIS) |
| Microsoft Entra ID | ✓ signed | ✓ signed | IdP (MSAL) |
| NEJM | pending_compliance | fail_closed (not yet) | Publisher AI partner |
| JAMA · JBJS · Clinical Ortho (LWW shared) | pending_compliance | fail_closed | Journal content |
| JOR · JBMR-B (Wiley shared) | pending_compliance | fail_closed | Journal content |
| Spine · Acta · J. Arthroplasty (Elsevier shared) | pending_compliance | fail_closed | Journal content |
| NCCN | pending_compliance | fail_closed | Guidelines |
| Cochrane | pending_compliance | fail_closed | Systematic reviews |
| ClinicalTrials.gov | pending_compliance | fail_closed | Public US Gov — no PHI outbound |
| ClinVar | pending_compliance | fail_closed | Public NIH-NCBI — no PHI outbound |
| DrugBank | pending_commercial_license | fail_closed | Commercial license gate |
Current tracker: docs/research-infrastructure/pending-requirements.md.
Registry schema
```yaml
environments:
  production:
    vendors:
      - name: OpenAI
        services:
          - LLM completions (apps/ml LLMClient)
        baa_signed: true
        effective_date: "2026-01-15"
        approval_status: active # for deferred: pending_compliance | pending_commercial_license
        target_signoff_date: null # for deferred: target date
        region: US
        evidence_ref: "compliance-system/tickets/BAA-OPENAI-PROD"
        notes: >-
          Zero-retention endpoint. Prompt + completion never used for training.
```
Dev-phase deferral posture
Per CLAUDE.md § Development Phase — Approval Deferral, during dev phase:
- BAA registry entry is still required — every integration PR registers the vendor
- `baa_signed: false` is acceptable in dev/QA if `approval_status: pending_compliance` + `target_signoff_date`
- Production still fails closed on `baa_signed: false` — this gate never turns off
When BAAs countersign, the entry flips to `baa_signed: true` + `effective_date: <signing-date>` + `evidence_ref: <doc-link>` via a one-line PR.
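As an added illustration of the schema above and of the dev-phase deferral rule (this is example code, not the project's `BaaRegistry` implementation): a minimal `assert_covered` gate over a registry dict in the documented shape. The two vendor entries are constructed sample data, and `coverage_status` and the `today` parameter are assumptions made for testability.

```python
from datetime import date

DEFERRABLE = {"pending_compliance", "pending_commercial_license"}

# Constructed sample registry in the shape of the documented schema (what
# yaml.safe_load would return for baa-registry.yml); not real data.
REGISTRY = {"environments": {
    "production": {"vendors": [
        {"name": "OpenAI", "services": ["LLM completions"], "baa_signed": True,
         "effective_date": "2026-01-15", "approval_status": "active",
         "target_signoff_date": None, "region": "US",
         "evidence_ref": "compliance-system/tickets/BAA-OPENAI-PROD"},
        {"name": "NEJM", "services": ["publisher AI"], "baa_signed": False,
         "effective_date": None, "approval_status": "pending_compliance",
         "target_signoff_date": "2026-06-30", "region": "US", "evidence_ref": None},
    ]},
    "staging": {"vendors": [
        {"name": "NEJM", "services": ["publisher AI"], "baa_signed": False,
         "effective_date": None, "approval_status": "pending_compliance",
         "target_signoff_date": "2026-06-30", "region": "US", "evidence_ref": None},
    ]},
}}

def coverage_status(vendor, service, env, registry=REGISTRY, today=None):
    """Return (ok, reason). ok only for a signed, effective BAA with evidence,
    or a valid dev-phase deferral; production never accepts an unsigned entry."""
    today = date.fromisoformat(today) if today else date.today()
    vendors = registry["environments"].get(env, {}).get("vendors", [])
    entry = next((v for v in vendors
                  if v["name"] == vendor and service in v["services"]), None)
    if entry is None:
        return False, f"{vendor}/{service} not registered for {env}"
    if entry["baa_signed"]:
        eff = entry.get("effective_date")
        if not eff or date.fromisoformat(eff) > today:
            return False, f"{vendor}: BAA not yet effective"
        if not entry.get("evidence_ref"):
            return False, f"{vendor}: signed BAA has no evidence_ref"
        return True, "signed"
    if env == "production":  # fail closed; this gate never turns off
        return False, f"{vendor}: baa_signed is false in production"
    if entry["approval_status"] in DEFERRABLE and entry.get("target_signoff_date"):
        return True, "deferred"  # acceptable only outside production
    return False, f"{vendor}: unsigned without a valid deferral"

def assert_covered(vendor, service, env, registry=REGISTRY, today=None):
    """Module-init gate: raise so the service refuses to start (FR-032)."""
    ok, reason = coverage_status(vendor, service, env, registry, today)
    if not ok:
        raise RuntimeError(f"BAA coverage check failed: {reason} (FR-032)")
    return reason
```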
Compliance-checklist probes
Several probes verify the registry at every PR:
- `p4_6` — BAA registry has OpenAI + Google Cloud for staging + prod (FR-405)
- Additional per-vendor probes in compliance-checklist.yml
- Registry-coverage probe for any service that imports a 3rd-party SDK
When a new vendor lands
Use the hipaa-baa-check skill to verify or update the registry. The skill:
- Confirms every PHI-processing vendor for target env is covered
- Refuses changes that would introduce an uncovered vendor
- Emits a check report
See /hipaa-baa-check.