Are you a BAA-eligible vendor?

Enterprise tier supports BAA signing. Cloud Starter and Cloud Pro are not for PHI — don't send protected health information to those tiers. Talk to us about the BAA process for Enterprise.

Can I redact PHI before it reaches Bookbag?

Yes — the Gateway runs in your infrastructure, evaluates policy locally, and can redact before traces are exported. You control what leaves your walls.

How does this interact with FHIR integrations?

Bookbag doesn't store clinical data — we evaluate policy on agent tool calls and outputs. FHIR queries are one kind of tool call; the Guardrails rule engine can gate them by patient, role, and access context.

Healthcare

Health AI is high-risk by default. Govern it that way.

Bookbag blocks access to unauthorized patient records, redacts PHI before outputs leave your system, and produces HIPAA-ready + EU AI Act Annex III evidence from every agent decision.

Talk to us Read the docs

What keeps you up at night

Concrete risks Bookbag is built to mitigate.

PHI in outputs

An agent summarizes a chart and includes more than the user needed. Redaction at runtime is the only reliable control.

Unauthorized record access

An agent queries records it shouldn't. Guardrails can check user role + chart ownership in args before the call runs.

EU AI Act + state laws

Health AI is explicitly high-risk under Annex III. Colorado + New York are adding their own rules. You need evidence of oversight, not intent.

How Bookbag helps

Four products. Concrete capabilities. One data layer.

Guardrails

PHI redaction + access gates

PII detector runs on every tool call and output. Policy rules can require specific user roles or chart ownership before sensitive lookups execute.

Observe

Full chart-of-care trace

Every agent query, every returned field, every output — a clinical audit trail that maps to your existing EHR audit process.

Evaluation

Taxonomy grounded in clinical policy

Score outputs against your clinical AI acceptable-use policy. Flag hallucinated dosages, missing disclaimers, inappropriate advice.

Governance

HIPAA + Annex III evidence

Pre-built controls for HIPAA administrative safeguards and EU AI Act high-risk logging. Evidence bundles your compliance officer can hand to auditors.

Frameworks we auto-map for this industry

EU AI Act

Annex III controls

NIST AI RMF

Govern · Map · Measure · Manage

ISO 42001

AI management system

SOC 2

Type II evidence

HIPAA

Health AI risk tier

FAQs for this industry

Frequently Asked Questions

Stop flying blind. Put your agents on a governance platform.

Join the teams shipping safer AI with real-time evaluation, audit trails, and continuous improvement.

Talk to us See all products