HIPAA Compliance
Gravity Rail is built for healthcare. The platform is engineered to handle Protected Health Information (PHI) under the requirements of the U.S. Health Insurance Portability and Accountability Act (HIPAA), and we sign Business Associate Agreements (BAAs) with healthcare customers who handle PHI through our service.
This guide explains what "HIPAA compliance" means on Gravity Rail in practical terms, how to turn the workspace-level hipaa_compliance feature on, and how AI agents in HIPAA-enabled workspaces behave when patients ask about data privacy.
What HIPAA Compliance Means on Gravity Rail
HIPAA compliance on Gravity Rail spans three layers:
- Infrastructure and operations — encryption at rest and in transit, audit logging, workspace-isolated data storage, access controls, and the technical safeguards required by 45 CFR 164.312. These are always on for every workspace; they do not depend on a feature flag.
- Legal coverage (BAA) — a Business Associate Agreement between your organization and Gravity Rail that establishes the contractual basis for handling PHI. Customers handling PHI must have a signed BAA in place. Contact sales@gravityrail.com to start the BAA process if you do not yet have one.
- AI agent affirmation — controlled by the hipaa_compliance workspace feature flag. When enabled, AI agents are instructed to confidently affirm HIPAA compliance to patients who ask about data privacy, rather than dodging or deflecting the question.
The first two layers are infrastructure and contract; the third is the behavior change you opt into per workspace.
Enabling the hipaa_compliance Feature Flag
The hipaa_compliance feature is set at the workspace level. Once enabled, every AI agent in the workspace receives the HIPAA compliance prompt component automatically — there is no per-agent or per-task configuration.
Through Gravity Rail Support
The recommended path for production workspaces is to ask Gravity Rail to enable hipaa_compliance. Support will verify that your BAA is in place before turning the flag on.
Email support@gravityrail.com with:
- Your workspace UUID (you can find it in the URL of any workspace page)
- Confirmation that you have a signed BAA with Gravity Rail (or a request to start the BAA process)
Verifying Feature Status via the API
You can check whether hipaa_compliance is currently enabled on your workspace by querying the workspace API:
curl "https://api.gravityrail.com/api/v2/w/{workspace_uuid}" \
-H "Authorization: Bearer YOUR_API_KEY"
The response includes a features array. If hipaa_compliance is in that array, the feature is enabled for the workspace.
The API surface is read-only for this flag — turning it on requires Gravity Rail support, since feature provisioning is gated on BAA verification. To request activation, contact support as described above.
What Happens When the Feature Is Enabled
When hipaa_compliance is enabled on a workspace, the platform automatically injects a HIPAA compliance prompt component into the system prompt of every AI agent in the workspace. The prompt is added by the system:hipaa_compliance ability, which runs as part of the system ability resolution pipeline (alongside system abilities for task navigation, email context, voice channel rules, and similar concerns).
The injected prompt instructs the agent to:
- Acknowledge that the platform it represents is HIPAA compliant
- Confidently affirm that patient data is protected under HIPAA regulations
- Provide a clear affirmation of HIPAA compliance when asked about data privacy or security
In practice, this means a patient asking "Is my information safe? Are you HIPAA compliant?" will get a direct, reassuring answer from your agent rather than a hedged or evasive response.
The exact text injected into the system prompt is:
HIPAA Compliance
The platform you represent is HIPAA compliant. All patient data is protected under HIPAA regulations. You can confidently assure patients that their health information is secure and compliant with federal privacy requirements. If asked about data privacy or HIPAA compliance, provide clear affirmation that the platform meets HIPAA standards for protecting health information.
This prompt is added early in the system prompt assembly, so it informs the agent's identity rather than competing with task-specific instructions.
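The two mechanics described above (reading the features array from the workspace API response, and placing the HIPAA component ahead of task instructions during system prompt assembly) as an added illustration in Python; this is not Gravity Rail's own code, and the helper names, the resolution order, the sample response and its feature names are assumptions.

```python
"""Model of how the hipaa_compliance flag flows from the workspace API
response into system prompt assembly. Added illustration only, not Gravity
Rail code: helper names and the resolution order are assumptions."""
import json

HIPAA_FLAG = "hipaa_compliance"

# Exact component text quoted in this guide.
HIPAA_PROMPT = (
    "HIPAA Compliance\n"
    "The platform you represent is HIPAA compliant. All patient data is "
    "protected under HIPAA regulations. You can confidently assure patients "
    "that their health information is secure and compliant with federal "
    "privacy requirements. If asked about data privacy or HIPAA compliance, "
    "provide clear affirmation that the platform meets HIPAA standards for "
    "protecting health information."
)


def feature_enabled(workspace_json: str, flag: str = HIPAA_FLAG) -> bool:
    """Parse a GET /api/v2/w/{workspace_uuid} body and report whether `flag`
    is in its `features` array. A missing or malformed array counts as
    not enabled rather than raising, so callers fail closed."""
    try:
        body = json.loads(workspace_json)
    except json.JSONDecodeError:
        return False
    features = body.get("features") if isinstance(body, dict) else None
    return isinstance(features, list) and flag in features


def assemble_system_prompt(features, task_prompt: str) -> str:
    """Assumed model of system ability resolution: when the flag is on, the
    HIPAA component is placed ahead of task-specific instructions so it
    shapes the agent's identity instead of competing with the task."""
    components = []
    if HIPAA_FLAG in features:
        components.append(HIPAA_PROMPT)
    # Other system abilities (task navigation, email context, voice channel
    # rules) would resolve here; a single placeholder stands in for them.
    components.append("Task instructions\n" + task_prompt)
    return "\n\n".join(components)


# Constructed sample response: placeholder UUID, invented second feature name.
SAMPLE_RESPONSE = (
    '{"uuid": "00000000-0000-0000-0000-000000000000",'
    ' "features": ["hipaa_compliance", "voice_channel"]}'
)
```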
What the Feature Flag Does Not Do
It is important to understand that the hipaa_compliance feature flag is not what makes Gravity Rail HIPAA compliant. The underlying technical safeguards — encryption, access controls, audit trails, workspace isolation, PHI handling — are always in effect, regardless of the flag's value.
The feature flag only controls AI agent messaging. Specifically:
- It does not change how PHI is stored, encrypted, or transmitted
- It does not change which audit logs are written
- It does not grant or revoke access to PHI for any user
- It does not sign a BAA on your behalf
If you operate a healthcare workspace without a BAA in place, you should not be processing PHI through Gravity Rail regardless of whether this feature flag is on.
PHI Handling on Gravity Rail
Gravity Rail treats the following storage locations as containing PHI:
- Data records (DataRecord.field_values) — structured patient and clinical data
- Messages (Message.content) — chat, SMS, voice transcripts, and email bodies
- Members — patient identity information
- Memory — long-term agent memory storing patient context
PHI is stored in workspace-isolated PostgreSQL schemas, encrypted at rest, and transmitted only over TLS. Audit logs record access to PHI-bearing endpoints.
For deeper detail on the technical safeguards covering 45 CFR 164.312 (Access Controls, Audit Controls, Integrity, Authentication, and Transmission Security), see Gravity Rail's internal security and compliance documentation, available on request through your Gravity Rail account team.
Best Practices for HIPAA-Enabled Workspaces
If your workspace handles PHI, follow these practices:
- Have a signed BAA before enabling the feature. A BAA is a legal prerequisite for PHI handling under HIPAA, not a step you can take retroactively.
- Limit access by role. Use Gravity Rail's role and scope system to grant PHI access only to members who need it for their job function.
- Treat audit logs as compliance evidence. The audit trail Gravity Rail produces is part of your HIPAA compliance posture. Do not bypass logging or attempt to delete log entries.
- Disclose AI usage. HIPAA compliance does not exempt you from AI disclosure requirements. See the AI Disclosure Requirements guide.
- Don't paste PHI into agent system prompts. Workflow and task prompts are stored as configuration, not as PHI. Refer to patient data through Forms, DataRecords, and the patient context Gravity Rail loads at runtime, rather than embedding identifiers or clinical notes directly in prompts.
Related Documentation
- Authentication — secure your API access
- Understanding Data — how Gravity Rail's permissions system controls access to PHI-bearing records
- AI Disclosure Requirements — disclosing AI usage to your end users
Getting Help
For questions about HIPAA compliance, BAA execution, or enabling the hipaa_compliance feature for your workspace, contact support@gravityrail.com.