Glossary
Working definitions
The AI, compliance, and architecture terms that come up in our work — defined the way we use them, with the practical implications that matter for production systems.
Agentic Workflows
Multi-step AI workflows where the model selects tools, makes decisions, and chains actions — rather than producing a single response from a single prompt.
Audit Logging for AI
Recording every model invocation — the requesting user, the input, the retrieved context, the model's output, and the tools it called — in a tamper-evident log.
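One way to make such a log tamper-evident is a hash chain: each record carries a keyed hash over its own fields plus the previous record's hash, so editing or deleting a record in the middle breaks verification. The following is an added example, not code from the page or from any product it describes; the record fields, the `AUDIT_KEY` constant and the sample data are assumptions for illustration (in production the key would come from a KMS and the log would be shipped to append-only storage).

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Assumption: in production this key is fetched from a KMS, never hard-coded.
AUDIT_KEY = b"replace-with-a-key-from-your-KMS"
GENESIS = "0" * 64  # prev_hash of the first record


def _canonical(record: dict) -> bytes:
    # Stable serialisation so the hash does not depend on dict ordering.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def append_record(log: list, *, user: str, prompt: str, context_ids: list,
                  output: str, tools: list, ts: str = None) -> dict:
    """Append one model-invocation record, chained to the previous one."""
    prev = log[-1]["record_hash"] if log else GENESIS
    body = {
        "seq": len(log),
        "ts": ts or datetime.now(timezone.utc).isoformat(),
        "user": user,
        "prompt": prompt,          # caution: if this is PHI, the log is PHI too
        "context_ids": context_ids,  # retrieved chunks, by id rather than content
        "output": output,
        "tools": tools,
        "prev_hash": prev,
    }
    # HMAC rather than a bare hash: an attacker with write access to the log
    # cannot re-chain edited records without the key.
    tag = hmac.new(AUDIT_KEY, _canonical(body), hashlib.sha256).hexdigest()
    record = dict(body, record_hash=tag)
    log.append(record)
    return record


def verify_chain(log: list) -> tuple:
    """Return (True, -1) if intact, else (False, seq of first bad record)."""
    prev = GENESIS
    for i, rec in enumerate(log):
        body = {k: v for k, v in rec.items() if k != "record_hash"}
        if body.get("seq") != i or body.get("prev_hash") != prev:
            return False, i  # a record was removed, reordered or re-chained
        expected = hmac.new(AUDIT_KEY, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, rec["record_hash"]):
            return False, i  # a field was edited in place
        prev = rec["record_hash"]
    return True, -1


def build_sample_log() -> list:
    """Constructed sample data with fixed timestamps (not real traffic)."""
    log = []
    append_record(log, user="clinician-42", prompt="summarise visit",
                  context_ids=["note-1", "note-2"], output="summary text",
                  tools=[], ts="2024-01-01T00:00:00+00:00")
    append_record(log, user="clinician-42", prompt="any interactions?",
                  context_ids=["formulary-7"], output="none found",
                  tools=["drug_lookup"], ts="2024-01-01T00:00:05+00:00")
    append_record(log, user="billing-bot", prompt="code this encounter",
                  context_ids=[], output="99213",
                  tools=["code_search"], ts="2024-01-01T00:01:00+00:00")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", verify_chain(log))
    log[1]["output"] = "edited after the fact"
    print("after edit:", verify_chain(log))
```

Two caveats worth keeping in mind. A hash chain detects edits and deletions in the middle but not truncation of the tail, so anchor the latest `record_hash` somewhere the log writer cannot touch (a separate system, WORM storage, or a periodic signed checkpoint). And because prompts, retrieved context and outputs can all contain PHI, the audit log is itself PHI and needs the same access controls and BAA coverage as the data it records.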
BAA (Business Associate Agreement)
A contract under HIPAA between a covered entity and any third party that handles PHI on its behalf, defining each party's responsibilities for protecting that data.
Embeddings
Numerical vector representations of text (or images) that place semantically similar inputs near each other in vector space.
FHIR (Fast Healthcare Interoperability Resources)
An HL7-published standard for exchanging healthcare data as JSON or XML resources over a RESTful HTTP API (HTTPS in any real deployment), and the modern lingua franca of healthcare integrations. FHIR itself defines no authorization model; SMART on FHIR layers OAuth 2.0 on top of it, and that layer is where access control for PHI actually lives.
Fine-Tuning
Updating a base model's weights on a domain-specific dataset to improve its behavior on that domain — distinct from RAG, which keeps weights frozen and provides context at query time.
HIPAA-Aligned AI
AI systems designed so that protected health information (PHI) flows only through HIPAA-eligible services, with audit logging, access controls, and BAA coverage end-to-end.
Human-in-the-Loop
An AI system design where humans review or approve specific model outputs before they take effect — the standard pattern for any AI decision with regulatory or safety consequences.
PHI (Protected Health Information)
Individually identifiable health information that a covered entity or business associate creates, receives, maintains, or transmits. HIPAA's Safe Harbor de-identification rule lists 18 identifier types whose presence makes the data identifiable, including names, dates more specific than a year, geographic subdivisions smaller than a state, medical record numbers, and biometric identifiers; stripping all 18 is what lets a dataset be treated as de-identified.
RAG (Retrieval-Augmented Generation)
An LLM pattern that retrieves relevant documents at query time and feeds them to the model as context, instead of relying on the model's training data alone.
SOC 2
An attestation framework from the AICPA for service organizations, evaluating controls against the Trust Services Criteria: security (always in scope), plus availability, processing integrity, confidentiality, and privacy as the organization elects. A Type 1 report assesses control design at a point in time; a Type 2 report tests operating effectiveness over a review period, which is the one customers usually ask for.
Vector Search
A retrieval method that ranks documents by semantic similarity — typically cosine distance between embedding vectors — rather than keyword overlap.
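The Embeddings, RAG and Vector Search entries above describe the same mechanism from three angles; the following added example (not code from the page or from any product it describes) shows the ranking step in plain Python. The four-dimensional "embeddings", the document ids and the `allowed` authorization filter are constructed for illustration; real models emit hundreds of dimensions, and a production system would query a vector database rather than a dict.

```python
import math

# Constructed toy "embeddings" (assumption: real vectors have 100s of dimensions).
CORPUS = {
    "discharge_summary": [0.9, 0.1, 0.0, 0.2],
    "billing_policy":    [0.1, 0.9, 0.1, 0.0],
    "drug_interactions": [0.8, 0.0, 0.3, 0.1],
    "parking_map":       [0.0, 0.1, 0.9, 0.3],
}
# Constructed query vector, meant to sit near the clinical documents.
QUERY = [0.85, 0.05, 0.1, 0.1]


def cosine_similarity(a: list, b: list) -> float:
    """1.0 for parallel vectors, 0.0 for orthogonal; magnitude is ignored."""
    dot = sum(x * y for x, y in zip(a, b))
    norm_a = math.sqrt(sum(x * x for x in a))
    norm_b = math.sqrt(sum(x * x for x in b))
    if norm_a == 0.0 or norm_b == 0.0:
        return 0.0  # a zero vector has no direction; treat as unrelated
    return dot / (norm_a * norm_b)


def vector_search(query_vec: list, corpus: dict, k: int = 2,
                  min_score: float = 0.0, allowed: set = None) -> list:
    """Return up to k (doc_id, score) pairs ranked by cosine similarity.

    `allowed` is the set of document ids the requesting user may read
    (assumption: computed from the caller's identity before retrieval).
    Filtering happens *before* ranking so an unauthorised chunk can never be
    the top hit and silently reach the prompt.
    """
    candidates = corpus if allowed is None else {
        doc_id: vec for doc_id, vec in corpus.items() if doc_id in allowed
    }
    scored = [(doc_id, cosine_similarity(query_vec, vec))
              for doc_id, vec in candidates.items()]
    scored = [(d, s) for d, s in scored if s >= min_score]
    scored.sort(key=lambda pair: pair[1], reverse=True)
    return scored[:k]


if __name__ == "__main__":
    print("clinician sees:", vector_search(QUERY, CORPUS, k=2))
    print("billing user sees:",
          vector_search(QUERY, CORPUS, k=2, allowed={"billing_policy", "parking_map"}))
```

The `allowed` filter is the security-relevant part: in a RAG system the retriever, not the model, is the component that decides which data a user's prompt can see, so document-level authorization has to be enforced at retrieval time rather than hoped for from the model. The `min_score` cutoff matters too; without it, a query that matches nothing well still returns the k least-bad chunks, and the model will happily ground its answer in them.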