Disclaimer
This document is for informational purposes only and does not constitute legal advice. Use of Nebius products with Protected Health Information (PHI) or electronic Protected Health Information (ePHI) is subject to a signed Business Associate Agreement (BAA), proper configuration, and customer responsibilities consistent with the Health Insurance Portability and Accountability Act (HIPAA).
Intended Audience
This guide is intended for compliance officers, security engineers, and technical leads at healthcare organizations or partners who wish to use Nebius Token Factory in HIPAA-regulated environments.
Definitions
Any capitalized terms used but not otherwise defined in this document have the same meaning as in HIPAA.
Overview
- HIPAA compliance is a shared responsibility: Nebius provides infrastructure, controls, and features designed to support HIPAA, but the customer must configure and use them correctly (as is common in cloud and AI settings).
- Nebius is prepared to enter into a Business Associate Agreement (BAA) to cover HIPAA use, subject to meeting the constraints described here.
- Only certain Nebius features and API methods are eligible under the BAA; usage outside those scopes is not covered.
Covered Products
Below is the list of Nebius capabilities that can be included under the BAA, when used under specific constraints:

| Feature / Method | Covered under BAA? | Requirements / Notes |
|---|---|---|
| /chat/completions API | Yes | Must enable Zero Data Retention |
| /completions API | Yes | Must enable Zero Data Retention |
| Fine-tuning / training APIs | No | Excluded from BAA scope |
| Batch inference | No | Excluded from BAA scope |
| Embeddings, file upload, storage, dataset management | No | Not covered unless explicitly added |
Customer Responsibilities
A customer must determine whether or not they, the customer, are a Covered Entity (or a Business Associate of a Covered Entity) and, if so, whether they require a Business Associate Agreement with Nebius. While Nebius can assist in this determination and provide a secure and compliant infrastructure for the storage and processing of PHI/ePHI, the customer bears sole and ultimate responsibility for ensuring that the environment and applications that the customer builds and utilizes alongside or in conjunction with the Nebius Token Factory are properly configured and secured according to HIPAA requirements. This may also be called a “shared security model” or “shared responsibility” as outlined above. To operate within HIPAA scope using Nebius, customers must:
- Sign a BAA: engage Nebius to execute a Business Associate Agreement before transmitting any PHI/ePHI.
- Use only the covered API methods: restrict your application to /chat/completions and /completions for PHI/ePHI traffic.
- Enable Zero Data Retention: configure Nebius so that request and response content (including PHI/ePHI) is not persisted beyond ephemeral processing.
- Do not include ePHI/PII in metadata, tags or key names.
How to Obtain a BAA with Nebius
- Contact Nebius support or your account manager and request a HIPAA / BAA evaluation.
- Provide your intended use case, confirming that you will adhere to the covered methods and zero data retention constraints.
- Once reviewed and accepted, Nebius will supply a BAA document for your signature.
- After execution, your use of supported endpoints with proper configuration will be eligible to carry PHI/ePHI under the BAA.