Tags: AI, compliance, regulatory, healthcare, HIPAA, PHI

Medical Coding AI and the HIPAA Boundary You Cannot See

By Basel Ismail, May 4, 2026

Medical coding is one of the first places where AI delivers obvious, measurable ROI in healthcare operations. Automated code suggestion, claim scrubbing, denial prediction. The efficiency gains are real. But there is a compliance problem baked into the workflow that a surprising number of organizations are not examining closely enough: every medical coding AI tool, by the nature of what it does, touches protected health information.

This is not a maybe. ICD-10 and CPT code assignment requires clinical documentation. Diagnoses, procedures, treatment narratives, provider notes. Under 45 CFR 160.103, individually identifiable health information that relates to a patient's past, present, or future health condition is PHI. The moment your AI coding assistant ingests a clinical encounter to suggest a code, it is processing PHI. Full stop.

The BAA Gap in Off-the-Shelf Coding Tools

Here is where things get uncomfortable. A large number of AI coding assistants on the market today are built on top of general-purpose large language models hosted by third-party cloud providers. Many of these tools route data through APIs to foundation models from OpenAI, Anthropic, Google, or similar providers. The tool vendor may have a BAA with their cloud infrastructure provider. But the question is whether you have a BAA with every entity in the chain that handles the PHI.

Under the HIPAA Privacy Rule and the 2013 Omnibus Rule (78 FR 5566), business associate obligations extend to subcontractors. If your coding vendor sends clinical text to a model provider, that model provider is a subcontractor handling PHI, and a BAA must exist between the vendor and that subcontractor. If it does not, your vendor is in violation. And because you are the covered entity (or a business associate yourself), the liability chain runs uphill to you.

OpenAI's enterprise API, as of early 2024, does offer BAA eligibility for certain configurations. But their standard API tier does not. Google Cloud's Vertex AI can be covered under Google's Cloud BAA, but only with specific configurations, and different terms apply to consumer-facing Gemini products. Anthropic's API does not currently offer a standard BAA to most customers. The details shift frequently, and that is exactly the problem. If your vendor cannot produce documentation showing a valid BAA chain from your data all the way to the model inference layer, you have an exposure.

What the Enforcement Record Tells Us

OCR has been increasingly focused on business associate failures. In 2023, OCR settled with Doctors' Management Services for $100,000 after a ransomware breach exposed PHI, with findings that included insufficient risk analysis of vendor relationships. The MedEvolve settlement in 2023 ($350,000) involved PHI exposed through a business associate's misconfigured server. These cases involved traditional IT vendors, not AI. But the legal framework applies identically. There is no AI exception in HIPAA.

The HHS Office for Civil Rights issued guidance in December 2023 specifically addressing the use of online tracking technologies by covered entities and business associates. While that guidance focused on web analytics and pixel tracking, the underlying principle is directly relevant: if a technology transmits PHI to a third party, HIPAA rules apply regardless of how novel the technology is. AI model inference is, from a regulatory standpoint, just another form of third-party data processing.

The Vendor Questions You Actually Need to Ask

If you are evaluating or already using an AI-powered medical coding tool, here is the diligence checklist that matters:

  • Where does model inference happen? On-premise, in a dedicated cloud tenant, or via a shared API? If it is a shared API, who operates it, and is there a BAA in place between your vendor and that operator?
  • Is PHI transmitted outside the vendor's environment at any point? This includes logging, telemetry, model fine-tuning pipelines, and error reporting. All of these can leak PHI into systems not covered by a BAA.
  • Does the vendor use customer data for model training? Under 45 CFR 164.502, use of PHI must be limited to the purposes specified in the BAA. If your clinical documentation is being used to improve a general-purpose model, that is almost certainly outside the scope of treatment, payment, or healthcare operations.
  • Can the vendor produce the full BAA chain? Not just their BAA with you, but their BAA with every subcontractor that touches PHI. Ask for it. If they hesitate, that tells you something.
  • What is the de-identification methodology, if they claim data is de-identified before processing? HIPAA recognizes two methods under 45 CFR 164.514: Expert Determination and Safe Harbor. Safe Harbor requires removal of 18 specific identifier types. If the vendor claims de-identification, ask which method they use and whether they have documentation. Clinical narratives are notoriously difficult to fully de-identify because of the density of contextual information that can re-identify patients.
  • What happens to data after inference? Is it cached? Logged? Stored for audit purposes? Retention and disposal obligations under your BAA need to cover these artifacts.
  • Has the vendor completed a SOC 2 Type II audit or HITRUST certification? Neither is required by HIPAA, but both signal operational maturity around data handling controls. Their absence in a vendor processing PHI at scale should raise questions.
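As an added illustration of the subcontractor-chain argument and the checklist above (not code from the original post or from FirmAdapt), the following Python models a coding-AI deployment as data-flow hops between parties and reports every PHI-carrying hop that has no BAA between its two parties or that serves a purpose the BAA would not cover; the party names, purposes and sample flows are constructed, and treating "training" as out of scope follows the article's reading of 45 CFR 164.502 rather than a legal determination.

```python
from dataclasses import dataclass

# Purposes treated as outside what a BAA for coding services would permit,
# following the article's reading of 45 CFR 164.502 (assumption, not legal advice).
OUT_OF_SCOPE = {"training"}

@dataclass(frozen=True)
class Flow:
    src: str      # party that sends the data
    dst: str      # party that receives it
    purpose: str  # inference, hosting, telemetry, error_reporting, training, ...
    phi: bool     # does identifiable clinical text cross this hop?

def phi_reach(flows, origin):
    """Every party PHI can reach from `origin` by following PHI-carrying hops,
    including subcontractors the origin never contracted with directly."""
    reached, frontier = {origin}, [origin]
    while frontier:
        cur = frontier.pop()
        for f in flows:
            if f.src == cur and f.phi and f.dst not in reached:
                reached.add(f.dst)
                frontier.append(f.dst)
    return reached

def find_baa_gaps(flows, baas):
    """One finding per PHI-carrying hop with no BAA between its two parties,
    or with a BAA but a purpose the BAA would not cover."""
    findings = []
    for f in flows:
        if not f.phi:
            continue  # no PHI crosses this hop, so the BA rules do not attach
        if (f.src, f.dst) not in baas:
            findings.append((f.src, f.dst, f.purpose, "no BAA between parties"))
        elif f.purpose in OUT_OF_SCOPE:
            findings.append((f.src, f.dst, f.purpose, "use outside BAA scope"))
    return findings

# Constructed sample: a hospital, its coding vendor, and the vendor's subcontractors.
SAMPLE_FLOWS = [
    Flow("hospital", "coding_vendor", "inference", phi=True),
    Flow("coding_vendor", "cloud_host", "hosting", phi=True),
    Flow("coding_vendor", "model_api", "inference", phi=True),            # shared foundation-model API
    Flow("coding_vendor", "error_tracker", "error_reporting", phi=True),  # stack traces carrying note text
    Flow("coding_vendor", "metrics_saas", "telemetry", phi=False),        # counts and latencies only
    Flow("coding_vendor", "cloud_host", "training", phi=True),            # fine-tuning on customer notes
]
SAMPLE_BAAS = {("hospital", "coding_vendor"), ("coding_vendor", "cloud_host")}
```

Calling `find_baa_gaps(SAMPLE_FLOWS, SAMPLE_BAAS)` on the sample returns three findings (the shared model API, the error tracker, and the training use of the hosted environment), while `phi_reach(SAMPLE_FLOWS, "hospital")` shows PHI reaching two parties the hospital has no contract with at all.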

The Architectural Problem Underneath

The deeper issue is architectural. Most AI coding tools were not designed with HIPAA compliance as a foundational constraint. They were designed to be accurate and fast, and compliance was layered on afterward. This creates fragile compliance postures where a single API routing change, a new logging feature, or a model provider policy update can break the BAA chain without anyone noticing.

Consider what happened when OpenAI updated its data usage policies in March 2023 to clarify that API inputs would not be used for training. Before that clarification, organizations using the API had a genuine ambiguity about whether submitted data was being retained and reused. Any covered entity that had been sending PHI through that API before the policy change had a period of unquantifiable risk. Architectural decisions made that risk invisible until the policy language changed.

This is the boundary you cannot see. It is not a firewall or a network perimeter. It is the point at which PHI leaves an environment where you have contractual and technical control and enters an environment where you do not. In traditional IT, that boundary is relatively well understood. In AI workflows built on layered APIs and third-party model providers, the boundary can shift without your knowledge.

How FirmAdapt Addresses This

FirmAdapt was built around the principle that compliance boundaries must be architectural, not contractual afterthoughts. For healthcare organizations deploying AI in workflows that touch PHI, FirmAdapt's platform ensures that data processing stays within BAA-covered environments, with full auditability of where data moves during inference, logging, and any downstream processing. The platform is designed so that changes in underlying model provider policies or API configurations do not silently break your compliance posture.

FirmAdapt maintains the BAA chain documentation, monitors subcontractor relationships, and provides the technical controls that let compliance teams verify, rather than assume, that PHI handling meets HIPAA requirements at every layer. If you are running AI coding tools or evaluating new ones, FirmAdapt can map the actual data flows against your regulatory obligations and flag gaps before OCR does.
