
Comment by ktbwrestler

4 days ago

Am I correct that you basically cannot comply with HIPAA in this case, even if you had a BAA with Anthropic?

I'm new to the whole governance / compliance thing and wondering like even if you use a HIPAA-compliant tool like Bedrock to serve up your inference in your VPC, this sort of puts you in a dangerous legal spot?

It seems like the data retention, even if it's metadata and they promise not to log the actual full logline, messes you up here since it's leaving your autonomous system.

Also, what about things like GH Copilot using an Anthropic model as the backend? This feels like a mess with chained data agreements.