
# HIPAA & BAA Support for Nebius Token Factory

### **Disclaimer** 

This document is for informational purposes only and does not constitute legal advice. Use of Nebius products with Protected Health Information (PHI) or electronic Protected Health Information (ePHI) is subject to a signed Business Associate Agreement (BAA), proper configuration, and customer responsibilities consistent with the Health Insurance Portability and Accountability Act (HIPAA).

### **Intended Audience** 

This guide is intended for compliance officers, security engineers, and technical leads at healthcare organizations or partners who wish to use Nebius Token Factory in HIPAA-regulated environments. 

### **Definitions** 

Any capitalized terms used but not otherwise defined in this document have the same meaning as in [HIPAA](https://www.hhs.gov/hipaa/for-professionals/index.html).  

### **Overview** 

* HIPAA compliance is a **shared responsibility**: Nebius provides infrastructure, controls, and features designed to support HIPAA, but the customer must configure and use them correctly (as is common in cloud and AI settings). 
* Nebius is prepared to enter into a **Business Associate Agreement (BAA)** to cover HIPAA use, subject to meeting the constraints described here. 
* Only certain Nebius features and API methods are eligible under the BAA; usage outside those scopes is **not covered**. 

### **Covered Products** 

Below is the list of Nebius capabilities that **can** be included under the BAA, when used under specific constraints: 

| **Feature / Method**                                 | **Covered under BAA?** | **Requirements / Notes**            |
| :--------------------------------------------------- | :--------------------- | :---------------------------------- |
| /chat/completions API                                | Yes                    | Must enable **Zero Data Retention** |
| /completions API                                     | Yes                    | Must enable **Zero Data Retention** |
| Fine-tuning / training APIs                          | No                     | Excluded from BAA scope             |
| Batch inference                                      | No                     | Excluded from BAA scope             |
| Embeddings, file upload, storage, dataset management | No                     | Not covered unless explicitly added |

If a capability is not listed above, it is **not considered covered** under the BAA by default. 

### **Customer Responsibilities** 

A customer must determine whether or not they, the customer, are a Covered Entity (or a Business Associate of a Covered Entity) and, if so, whether they require a Business Associate Agreement with Nebius. 

While Nebius can assist in this determination and provide a secure and compliant infrastructure for the storage and processing of PHI/ePHI, the customer bears sole and ultimate responsibility for ensuring that the environment and applications that the customer builds and utilizes alongside or in conjunction with the Nebius Token Factory are properly configured and secured according to HIPAA requirements. This may also be called a “shared security model” or “shared responsibility” as outlined above.

To operate within HIPAA scope using Nebius, customers must: 

1. **Sign a BAA** \
   Engage Nebius to execute a Business Associate Agreement before transmitting any PHI/ePHI. 
2. **Use only the covered API methods** \
   Restrict your application to /chat/completions and /completions for PHI/ePHI traffic. 
3. **Enable Zero Data Retention** \
   Configure Nebius so that request and response content (including PHI/ePHI) is **not persisted** beyond ephemeral processing. 
4. **Do not include ePHI/PII in metadata, tags or key names** \
   Customers must not include electronic Protected Health Information (ePHI), personally identifiable information (PII), or any other confidential data in metadata, tags, or key names.

### **How to Obtain a BAA with Nebius** 

1. **Contact your account manager** and request a HIPAA / BAA evaluation. 
2. **Provide your intended use case**, confirming that you will adhere to the covered methods and zero data retention constraints. 
3. Once reviewed and accepted, Nebius will supply a BAA document for your signature. 
4. After execution, your use of supported endpoints with proper configuration will be eligible to carry PHI/ePHI under the BAA. 

 
