Jul 13, 2026 Healthcare AI Compliance 15 min read

Open-Source LLMs in Healthcare: What Works in HIPAA-Compliant Deployments

By Arjun Jaggi  ·  Enterprise AI Strategy

Healthcare organizations want the capability of frontier AI models without sending patient data to a third-party API. Open-source LLMs make that possible. But "open-source" is a category, not a recommendation. Some open-weight models perform measurably better on clinical tasks. Some licensing terms are incompatible with commercial healthcare deployments. And the architecture required to satisfy HIPAA with an on-premise open-source LLM is more specific than most engineering teams realize before they start building.

This post answers the questions that healthcare technology leaders are actually asking: which open-source models are most capable on clinical tasks, what their licenses actually permit, how to structure the deployment to satisfy HIPAA's Security Rule, and what the honest tradeoffs are compared to commercial cloud APIs with BAA coverage. It is written for CIOs, CMIOs, and the AI engineering leads who report to them.

The underlying argument is straightforward. A well-selected open-weight model, deployed on-premise with appropriate architecture, can deliver clinical AI capability that is both HIPAA-compliant and cost-effective at scale. The organizations that have gotten this right share a common pattern: they picked the model second, after they built the data boundary first.

18
HIPAA identifiers that must be detected and managed before any patient data enters an LLM inference pipeline
6 yr
minimum HIPAA audit log retention per 45 CFR §164.530(j): from creation date or date last in effect, whichever is later
45 CFR §164
Security Rule subpart that governs technical, administrative, and physical safeguards for electronic PHI

Model Options: What Is Actually Available

The open-weight model ecosystem for healthcare applications has three meaningful tiers: general-purpose foundation models with commercial licenses, domain-adapted models fine-tuned on biomedical or clinical text, and task-specific models trained for narrow clinical NLP tasks. Each tier involves different capability-compliance tradeoffs.

General-Purpose Foundation Models

Meta's Llama family is the most widely deployed foundation model in regulated industries. The Llama 2 architecture and training methodology are documented in Touvron et al. (arXiv:2307.09288, 2023). Llama 2 was trained on approximately 2 trillion tokens from publicly available sources, with deliberate exclusion of common personal information datasets. The model card documents data sources in sufficient detail to support regulatory due diligence. The Llama 2 Community License permits commercial use for most organizations but includes a restriction on use by entities with more than 700 million monthly active users, a threshold that no healthcare organization will approach. Subsequent Llama releases retain similar licensing structures.

Mistral 7B (Jiang et al., arXiv:2310.06825, 2023) introduced grouped-query attention and sliding window attention mechanisms that deliver strong performance on reasoning benchmarks at 7 billion parameters, a size that fits comfortably on a single A100 40GB GPU. Mistral AI releases models under the Apache 2.0 license, which permits commercial use without restriction and without requiring disclosure of derivative works. For healthcare organizations with constrained GPU budgets, Mistral 7B and its instruction-tuned variants offer a practical entry point to on-premise inference.

Domain-Adapted Biomedical Models

BioMistral (Labrak et al., arXiv:2402.10373, 2024) adapts Mistral 7B through continued pretraining on PubMed Central Open Access articles and supplementary medical licensing examination data. The authors evaluate BioMistral on ten biomedical NLP benchmarks and report measurable improvement over the Mistral 7B base on clinical NLP tasks including medical question answering and named entity recognition. BioMistral is released under the Apache 2.0 license and is available at a size that supports single-GPU deployment.

Clinical Camel (Toma et al., arXiv:2305.12200, 2023) is a fine-tuned Llama-based model trained on a curated dataset of clinical case discussions and medical dialogue derived from publicly available sources. Clinical Camel targets the conversational clinical reasoning tasks that are relevant to clinical decision support and patient intake automation. The paper documents evaluation on United States Medical Licensing Examination question formats, providing a standardized benchmark for comparison.

MedAlpaca (Han et al., arXiv:2304.08247, 2023) combines instruction fine-tuning on medical flashcard data, clinical notes, and medical dialogue datasets. MedAlpaca's evaluation methodology and benchmark results are documented in the paper and provide another point of comparison for healthcare-specific capability assessment.

Llama 3 family
8B · 70B · 405B parameters

Best general-purpose foundation for healthcare deployments. Strong reasoning, permissive commercial license, well-documented pretraining data exclusions.

BioMistral-7B
7B parameters, Apache 2.0

Continued pretraining on PubMed Central. Measurable improvement on clinical NLP benchmarks vs. base Mistral. Single-GPU deployable.

Clinical Camel
Llama-based · 13B parameters

Fine-tuned on clinical dialogue and case discussions. Evaluated on USMLE-format questions. Good fit for clinical decision support piloting.

Mistral 7B
7B parameters, Apache 2.0

Strong baseline for administrative healthcare AI (scheduling, coding, documentation). Apache 2.0 license permits all commercial use without restriction.

What HIPAA Actually Requires of Your Inference Pipeline

HIPAA's Security Rule under 45 CFR Part 164 applies to electronic Protected Health Information: individually identifiable health information transmitted or maintained in electronic form. An LLM inference pipeline that receives patient data, processes it, and returns a clinical output is a system that handles electronic PHI. Every component of that pipeline is subject to the Security Rule's safeguards.

The Administrative Safeguards (45 CFR §164.308) require, among other things, a Security Risk Analysis covering all ePHI-handling systems, including AI systems. The Security Risk Analysis is not a one-time exercise. It must be reviewed and updated in response to environmental or operational changes, including the deployment of new AI capabilities. Healthcare organizations that have deployed cloud AI tools without updating their Security Risk Analysis to reflect those tools are in a common state of non-compliance that most organizations discover during their first AI-focused audit.

The Technical Safeguards (45 CFR §164.312) require access controls, audit controls, integrity controls, and transmission security. For an on-premise LLM pipeline, these translate to: role-based access to the inference endpoint, audit logging of every query with sufficient metadata to identify the user and the data accessed, encryption of model outputs in transit and at rest, and technical controls that prevent unauthorized modification of ePHI during processing. None of these requirements are novel in themselves; the challenge is that AI inference pipelines add a new layer of data processing that must be explicitly mapped to existing controls.

The Physical Safeguards (45 CFR §164.310) require facility access controls and workstation security. For GPU infrastructure hosting an LLM, this means the server room must have controlled physical access with documented access logs, and the GPU servers themselves must be in a physically secured environment. This is standard data center practice, but organizations that use co-location facilities rather than owned data centers must verify that their co-location contract explicitly covers these HIPAA physical safeguard requirements.

"HIPAA's Security Rule does not care whether your AI is open-source or proprietary. It cares whether your controls over electronic PHI are adequate, documented, and operating effectively."

The Architecture That Satisfies HIPAA

A HIPAA-compliant on-premise LLM architecture for healthcare has four mandatory components that go beyond a standard inference deployment: a PHI detection and classification layer at the application boundary, an encrypted audit log with write-once access controls, a network boundary that prevents model inference traffic from reaching the public internet, and an identity management integration that ties every inference request to an authenticated user identity.

PHI Detection at the Application Boundary

Before any query reaches the LLM inference runtime, it must pass through a PHI detection step. This step identifies the presence of HIPAA's 18 identifiers: names, geographic subdivisions smaller than a state, dates more specific than year, phone numbers, fax numbers, email addresses, Social Security numbers, medical record numbers, health plan beneficiary numbers, account numbers, certificate or license numbers, vehicle identifiers, device identifiers, web URLs, IP addresses, biometric identifiers, full-face photographs, and other unique identifying numbers or codes.

PHI detection can be implemented using a combination of rule-based pattern matching (regex patterns for SSN, MRN, phone, email, date formats) and a lightweight NER model for names and locations. Microsoft Presidio (open-source, Apache 2.0) provides a production-ready PHI detection framework that covers all 18 HIPAA identifiers and can be deployed in the same private network as the inference runtime. The detection step logs that PHI was present in the request without logging the PHI itself. This distinction matters for audit log management: the audit log should record that a PHI-containing query was processed by user X at time T, not the contents of the PHI.

The Inference Audit Log

Every inference request involving PHI must generate an audit log entry. The minimum required fields for a HIPAA-compliant inference audit log are: a unique request identifier, the authenticated user identifier of the requesting user, the timestamp of the request and response, the model version used, the data classification label of the input (PHI present or PHI absent), and the application context (which clinical workflow triggered the request). The audit log must not be deletable by any operational user, including administrators. This requires write-once storage with object lock policies, or an equivalent immutability control. Log entries must be encrypted using a key managed outside the inference system itself.

Network Boundary

The inference runtime must operate in a private network subnet with no outbound internet access. This is a stronger requirement than most enterprise software deployments, which typically permit outbound HTTPS for software updates and telemetry. For a HIPAA-compliant inference deployment, the model weights must be downloaded and verified through a separate, audited provisioning process and stored locally. The inference runtime must be configured to disable any telemetry, usage reporting, or model update mechanisms that would create outbound network connections. The network boundary is verifiable: egress firewall rules should log all outbound connection attempts, and any unauthorized outbound connection should trigger an immediate security alert.

HIPAA-COMPLIANT LLM INFERENCE PIPELINE EHR / App Auth'd user session PHI Detector 18 identifiers Presidio / regex Audit Logger Write-once store Encrypted · 6yr retain LLM Runtime vLLM · No egress Private subnet Response Encrypted in transit TLS 1.3 minimum log metadata (not PHI content) Model Weights Local storage · Versioned HIPAA-CONTROLLED BOUNDARY · NO OUTBOUND INTERNET §164.312(b) Audit §164.312(e) Transmission
HIPAA-compliant on-premise LLM pipeline: PHI detection, audit logging, and network isolation are non-optional architecture elements

Evaluating Models Before You Deploy

Model evaluation for healthcare deployments must happen before PHI enters the inference pipeline. The evaluation process has two distinct phases: capability evaluation on de-identified or synthetic data, and compliance review of the model's license, data card, and intended use documentation.

For capability evaluation, the relevant benchmarks depend on your target clinical tasks. For medical question answering, the USMLE Step 1-3 question formats used in papers such as Clinical Camel (Toma et al., arXiv:2305.12200) provide a standardized comparison point. For clinical NLP tasks including named entity recognition, relation extraction, and clinical note summarization, the BioNLP shared task datasets and the i2b2 challenge datasets provide established evaluation sets. For ICD-10 coding accuracy, the MIMIC-III discharge summaries (de-identified, available through PhysioNet with data use agreement) provide a clinical text benchmark that reflects real deployment conditions.

The MEDFIT-LLM evaluation framework (Rao, Jaggi, Naidu, IEEE RMKMATE 2025, DOI: 10.1109/RMKMATE64574.2025.11042816) addresses evaluation of open-source LLMs in healthcare contexts, including criteria relevant to HIPAA's requirement that covered entities assess reasonably anticipated threats to ePHI. A structured pre-deployment evaluation using this or a comparable framework creates defensible documentation that due diligence was performed before PHI was introduced into the inference pipeline.

For compliance review, examine three documents for each model you consider: the model card, the license terms, and the pretraining data documentation. The model card should document the intended use, limitations, and known failure modes. The license must permit your specific commercial use case and must not impose data sharing or disclosure requirements that conflict with your HIPAA obligations. Pretraining data documentation should provide sufficient detail for you to assess whether the pretraining corpus included data that you would not want associated with your deployment.

"Run your capability evaluation on synthetic data. Run your compliance review on the model card. Only after both pass do you introduce real patient data."

Use Cases That Work Today

Not every clinical use case is equally suited to open-source LLM deployment. The use cases that are working in pilot deployments today share three characteristics: the task is well-defined, the output can be verified by a qualified clinician before it affects patient care, and the PHI surface is bounded and auditable.

Clinical documentation assistance is the leading use case. Structured note generation from voice transcription or free-text summaries, ICD-10 and CPT code suggestion from clinical notes, and automated prior authorization letter drafting from structured patient data all fit this profile. The LLM generates a draft; a qualified clinician reviews and approves before the output enters the record or the billing workflow. The quality bar is high enough that the model's output is useful but low enough that human review catches errors before they cause harm.

Medical literature summarization is a second strong use case for on-premise LLMs. Summarizing PubMed abstracts, synthesizing treatment guidelines for a specific condition, and generating differential diagnosis literature summaries all process public scientific text, not patient PHI. These tasks can run on a smaller model, require less GPU infrastructure, and have a substantially simpler compliance posture because no ePHI is involved.

Administrative automation, including scheduling message drafting, referral letter templates, patient intake form processing, and eligibility verification query formulation, represents a third category. Many of these tasks can be restructured to use de-identified or synthetic inputs. Appointment reminder messages do not require PHI in the prompt; a template-based approach with patient identifiers inserted after LLM generation keeps the LLM processing PHI-free while delivering the administrative benefit.

What does not work reliably today: real-time clinical decision support in acute care settings where LLM latency and hallucination risks are not compatible with patient safety requirements, autonomous prescription or order generation without a verified human review step, and diagnostic imaging interpretation without a specialized vision model fine-tuned on annotated clinical imaging data.

The BAA Question: Open-Source vs. Commercial APIs

Healthcare organizations frequently ask whether they should deploy an open-source model on-premise or use a commercial cloud API with a BAA. The honest answer is that it depends on your use case, your data volume, and your existing infrastructure.

Commercial cloud APIs with BAAs are appropriate when your PHI volume is low, your use case is bounded and well-tested, and you do not have the GPU infrastructure to run a capable model on-premise. The BAA shifts liability for PHI handling to the cloud provider for their portion of the processing, which simplifies your compliance posture for low-volume deployments. The limitations are that you are constrained to the models and model versions covered by the BAA, you cannot fine-tune on your own clinical data without additional contractual terms, and your per-query cost at scale can substantially exceed the cost of an on-premise deployment.

On-premise open-source deployment is appropriate when your PHI volume is high, when you need to fine-tune on proprietary clinical data, when your data residency requirements are strict, or when the total cost of ownership over three years favors owned infrastructure over API spend. The MEDFIT-LLM framework (Rao, Jaggi, Naidu, IEEE RMKMATE 2025) is specifically designed for evaluating open-source models in these contexts. The tradeoff is that you own the entire compliance burden: the controls, the audit, the incident response, and the risk analysis are your responsibility rather than the API provider's.

The inference cost optimization literature is also relevant here. FrugalGPT (Chen, Zaharia, Zou, arXiv:2310.11409, 2023) demonstrates that cascading inference across models of different capability levels reduces cost substantially for mixed-complexity query workloads. This cascading pattern applies to on-premise deployments: running a small model for administrative tasks and a larger model for complex clinical reasoning keeps GPU utilization efficient without overprovisioning for the largest possible task.

What to Ask Before You Start

Planning a healthcare AI deployment?

Whether you are evaluating open-source models for on-premise deployment or assessing a cloud AI vendor's BAA terms, getting the compliance architecture right before the first patient query is cheaper than fixing it after. I offer working sessions on healthcare AI architecture, model evaluation frameworks, and HIPAA compliance design.

Book a Working Session

References

  1. U.S. Department of Health and Human Services. HIPAA Security Rule. 45 CFR Part 164. hhs.gov
  2. Touvron, H. et al. Llama 2: Open Foundation and Fine-Tuned Chat Models. arXiv:2307.09288. 2023. arxiv.org/abs/2307.09288
  3. Jiang, A. et al. Mistral 7B. arXiv:2310.06825. 2023. arxiv.org/abs/2310.06825
  4. Labrak, Y. et al. BioMistral: A Collection of Open-Source Pretrained Large Language Models for Medical Domains. arXiv:2402.10373. 2024. arxiv.org/abs/2402.10373
  5. Toma, A. et al. Clinical Camel: An Open Expert-Level Medical Language Model with Dialogue-Based Knowledge Encoding. arXiv:2305.12200. 2023. arxiv.org/abs/2305.12200
  6. Han, T. et al. MedAlpaca: An Open-Source Collection of Medical Conversational AI Models and Training Data. arXiv:2304.08247. 2023. arxiv.org/abs/2304.08247
  7. Rao, A.K.G., Jaggi, A., Naidu, S. MEDFIT-LLM: A Framework for Evaluating LLMs in Medical Fitness Contexts. IEEE RMKMATE 2025. DOI: 10.1109/RMKMATE64574.2025.11042816.
  8. Chen, L., Zaharia, M., Zou, J. FrugalGPT: How to Use Large Language Models While Reducing Cost and Improving Performance. arXiv:2310.11409. 2023. arxiv.org/abs/2310.11409
  9. Kwon, W. et al. Efficient Memory Management for Large Language Model Serving with PagedAttention. SOSP 2023. arXiv:2309.06180. arxiv.org/abs/2309.06180
  10. Johnson, A. et al. MIMIC-III, a freely accessible critical care database. Scientific Data 3, 160035 (2016). DOI: 10.1038/sdata.2016.35.
  11. Microsoft. Presidio: Data Protection and De-identification SDK. GitHub. github.com/microsoft/presidio