Your BAA covers how they handle your data. It can't stop your AI from being tricked into leaking it.
Bridgekeeper is an in-process containment layer that reduces prompt-injection and data-exfiltration risk across your AI pipeline — whether you run Claude, OpenAI, Gemini, or a local model, behind LiteLLM, Ollama, or Bifrost.
- HIPAA-ready
- BAA available
- SOC 2 (Type II in progress)
- Provider-agnostic
- Air-gap capable
The gap
The attack surface a BAA doesn't reach
A Business Associate Agreement is a legal instrument: it extends HIPAA protections to how your model provider handles the data you send them, and assigns liability for their mishandling.[4] It says nothing about your AI being manipulated.
The dangerous surface isn't the model — it's the application around it. A poisoned document pulled into a RAG context, a malicious instruction hidden in an inbound message, a forged tool result — all can steer the model into exfiltrating a record set or calling a tool it shouldn't. That happens inside your application, not the provider's infrastructure. So your provider's BAA and built-in guardrails don't cover it — and when PHI leaks that way, it's your reportable breach.
Bridgekeeper sits in-process between your application and the model — the boundary your provider's BAA and guardrails don't reach. It isolates untrusted content, authorizes tool calls, and controls what can leave. It reduces this risk; like any single layer, it does not prevent or eliminate it.
Know your coverage
What your provider's BAA does — and doesn't — do
✓ Covered by your model provider's BAA
- ✓ The provider's handling of the PHI you send their infrastructure (storage, processing, retention controls on their side)
- ✓ Liability for the provider's own mishandling or sub-processor chain
- ✓ The provider's security posture and certifications
✗ Not covered — and it's your breach
- ✗ Your app being injected via a poisoned document, email, or tool result (indirect prompt injection through your own data)
- ✗ PHI exfiltrated through model output or a tool call
- ✗ A forged instruction triggering an action on your EHR, inbox, or database
- ✗ Your notification, OCR, and litigation exposure when it happens (the BAA does not reduce your own breach liability)
Most healthcare AI teams that fail their first compliance review fail by assuming universal BAA coverage — when in reality coverage is enterprise-tier and feature-specific, and never extends to your application logic.[4]
How it works
Containment at the boundary you own
Bridgekeeper is architectural, not just a content filter — it constrains what untrusted content and a possibly-manipulated model are allowed to do.
Untrusted-content isolation
Tags and quarantines inbound documents, email, web content, and tool results so retrieved text can't issue instructions to the model.
Tool / function-call authorization
Gates which actions a prompt can actually trigger against your EHR, inbox, or databases — so an injected instruction can't act on its own.
Outbound / exfiltration controls
Inspects what's leaving — blocking attempts to push PHI out through a model response or a tool call.
Provenance & replay resistance
Traces where each piece of context came from and defeats reused or captured-request attacks.
Audit logging you own
Independent records of every decision — your own compliance evidence, not a black box you can't inspect, tune, or export.
Provider-agnostic
One consistent policy and audit trail across Claude, OpenAI, Gemini, and local models — instead of a different guardrail per provider.
Bridgekeeper drops in as a plugin in front of your existing gateway. It is one layer in a defense-in-depth posture — it materially reduces and contains prompt-injection and exfiltration risk; it does not prevent or eliminate it.
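The isolation, tool-authorization and outbound checks described above, sketched as an added Python example. This is not Bridgekeeper's code or API: `Segment`, `TOOL_POLICY`, the delimiter format and the PHI patterns are all assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# Hypothetical policy: tools not listed are denied; each rule says whether the
# tool may run once untrusted content is in context and whether it sends data out.
TOOL_POLICY = {
    "lookup_appointment": {"allow_when_tainted": True, "outbound": False},
    "send_email": {"allow_when_tainted": False, "outbound": True},
}
# Constructed PHI-like patterns (US SSN shape, a made-up MRN format).
PHI_PATTERNS = [re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
                re.compile(r"\bMRN-\d{6,}\b")]

@dataclass(frozen=True)
class Segment:
    source: str    # provenance label, e.g. "system", "rag:doc-17", "tool:search"
    trusted: bool
    text: str

def wrap_context(segments):
    """Render context so untrusted text is delimited as data, not instructions."""
    out = []
    for s in segments:
        if s.trusted:
            out.append(s.text)
        else:
            # Break up delimiter look-alikes so the text cannot close its own wrapper.
            body = s.text.replace("<<", "< <").replace(">>", "> >")
            out.append(f"<<untrusted source={s.source}>>\n{body}\n<<end untrusted>>")
    return "\n".join(out)

def authorize(tool, args, segments, audit):
    """Decide a model-requested tool call and append the decision to the audit log."""
    tainted = [s.source for s in segments if not s.trusted]
    rule = TOOL_POLICY.get(tool)
    if rule is None:
        decision, reason = "deny", "tool not in allowlist"
    elif tainted and not rule["allow_when_tainted"]:
        decision, reason = "deny", "untrusted content in context"
    elif rule["outbound"] and any(p.search(str(v)) for v in args.values() for p in PHI_PATTERNS):
        decision, reason = "deny", "PHI-like value in outbound arguments"
    else:
        decision, reason = "allow", "policy match"
    audit.append({"tool": tool, "decision": decision, "reason": reason,
                  "untrusted_sources": tainted})
    return decision == "allow"
```

The decision is made from provenance and policy outside the model, so an instruction embedded in retrieved text cannot grant itself a tool call; the audit list records which untrusted sources were in context for each decision.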
The cost of the gap
A BAA doesn't reduce what a breach costs you
The average reported healthcare breach runs $7.42M[1] — but that figure deliberately excludes mega-breaches.[2] A successful exfiltration of a large record set is exactly that excluded tail:
~$375M average cost once 50 million or more records are compromised[2]
Compliance & trust
Built for the people who sign the BAAs
HIPAA-ready, BAA available
We support your HIPAA compliance program and will sign a BAA. We don't claim to make you compliant — that's a status only your organization holds — we give you a control and the evidence to demonstrate it.
SOC 2 (Type II in progress)
Our own Type II attestation is underway. We'll publish status rather than imply a completed audit.
An independent control you own
Regulated security teams want layered, auditable controls they can inspect — not a single vendor's assurances. Bridgekeeper is yours to configure, log, and export.
We protect your data — including from us
Threat-intelligence telemetry is strictly opt-in. By default we capture detection metadata and attack signatures, never your prompts, with redaction before anything leaves your environment.
Pull the image. Keep your model, your gateway, and your data.
A Docker image and a Kubernetes update path. Works with frontier providers and local models, with an air-gapped option for on-prem deployments.
Important: Bridgekeeper reduces and contains prompt-injection and data-exfiltration risk; it does not prevent or eliminate it, and is one layer in a broader security architecture. Nothing here is legal advice. “HIPAA-ready” means the product is designed to support a customer's HIPAA compliance program and that a BAA is available; it does not by itself make any organization HIPAA compliant.
Sources
[1] Average healthcare breach cost $7.42M — IBM Security & Ponemon Institute, Cost of a Data Breach Report 2025.
[2] IBM's averages exclude the largest breaches; per-record/per-incident figures are based on breaches under ~100,000 records and should not be extrapolated to mega-breaches, which are modeled separately — reaching ~$375M average at 50M+ records.
[3] HIPAA civil monetary penalties, per violation $145–$2,190,294 by tier with a $2,190,294 annual cap per identical provision (HHS inflation adjustment effective Jan 28, 2026). OCR often applies lower discretionary caps and settles below maximums.
[4] A BAA is a contractual instrument extending HIPAA protections to PHI processed by the provider's infrastructure; coverage is enterprise/API-tier and feature-specific.
[5] Per-affected-individual exposure derived from recent healthcare settlement funds ÷ class size (e.g., ApolloMD $4.02M/662K; Outcomes One $1.7M/257.5K; American Addiction Centers $2.75M/148.5K). Highly variable; larger and willful-neglect cases run higher.
Figures are industry references for illustration; verify against current sources before publishing.