Question 1

Is Sanolith actually HIPAA-compliant?

Accepted Answer

We sign a BAA. PHI is redacted before any inference call. All data is encrypted at rest and in transit. Audit logs are append-only, tenant-scoped, and exportable. We pass through annual third-party HIPAA security risk assessments.

Question 2

How is Sanolith different from ChatGPT Enterprise with a BAA?

Accepted Answer

ChatGPT Enterprise is one model from one vendor. Sanolith routes to whichever model fits the task (GPT, Claude, Llama, your own fine-tune) without rewriting integrations. Clinical tools (PubMed, DailyMed, RxNav, FAERS) are native. The audit ledger captures per-prompt redaction events, not just access logs.

Question 3

What does the PHI redactor actually catch?

Accepted Answer

Names, MRN, DOB, SSN, ITIN, phone, email, addresses, dates within 1 day of admission, plus 40+ other identifiers. It is fail-closed: if the redactor errors, the request errors. PHI does not pass through to inference under any failure mode.

Question 4

Who owns the fine-tuned model trained on our data?

Accepted Answer

The tenant owns the Sano adapter weights. They're trained on the tenant's data and live inside the tenant boundary. Sanolith is the custodian under the BAA, not the owner. On churn, the tenant receives the weights exported and Sanolith purges from its infrastructure within the BAA's deletion SLA.

Question 5

Can we bring our own model or our own GPUs?

Accepted Answer

Yes, on the Enterprise tier. Point Sanolith at your vLLM cluster, your AWS Bedrock account, or your on-prem inference endpoint. Same redactor, same audit, same API. Self-hosted inference works for air-gapped deployments.

Question 6

What happens to our data if we churn?

Accepted Answer

On termination, the customer receives a full export of documents, audit ledger, and fine-tuned model weights within 30 days. Sanolith purges all tenant data (embeddings, chat history, audit ledger backups) within 60 days, per the BAA. Certified destruction report on request.

Question 7

How long does it take to go live?

Accepted Answer

Starter tier is self-serve, live in 15 minutes. Team tier with BAA takes about 5 business days for paperwork and onboarding. Enterprise with custom integrations runs 2 to 4 weeks depending on scope.

Question 8

Is the Sanolith audit ledger really tamper-evident?

Accepted Answer

Append-only Postgres table with row-level security, plus hash-chained checkpoints written hourly to immutable object storage. Every entry is timestamped, signed, and the chain is reproducible from the checkpoints.

Writing on HIPAA-aligned LLMs

How HIPAA-compliant is ChatGPT Enterprise, really?

What a fail-closed PHI redactor actually does

Per-tenant fine-tuning without leaking your data