PHI can't be shipped to a model API. The scribe, the audit, and the model all have to live in your tenancy.
Charts, notes, images, and the rest of a patient's PHI are precisely the data a health system cannot route to hosted model, transcription, or voice APIs — every vendor in that chain needs a BAA, and every outbound call is egress that won't survive the security review. PHI staying in your tenancy means self-hosting, but a do-it-yourself stack of a model server, a transcription project, an identity layer, and an audit pipeline is a dozen seams to maintain and no single record an OIG auditor or a malpractice review can trust. Visca runs the entire stack — open-weight models, identity, per-encounter access, and a tamper-evident record — as one ecosystem inside your perimeter.
Why the data can't leave
An agent integrated to the EHR through a service account can read every patient the clinician can. A leaked credential is a panel-wide PHI breach.
The EMR audit shows a clinician edited a note. It does not show that an AI drafted the content underneath. For malpractice and bias review, that distinction is everything.
Model versions, prompts, and safety filters drift independently. When a note is questioned six months later, the exact agent that produced it can't be reconstructed.
One ecosystem, not a stitched stack
Read this patient, for this visit, for this duration, with this consent on file. No standing access; nothing for a leaked token to read.
The clinical AI carries its own Sigil, separate from the clinician's. The trail says: AI drafted, clinician edited, clinician attested — cryptographic and EHR-exportable.
Each clinical AI is a Seal Bundle — prompts, models, safety filters, all content-hashed and signed. Reconstructable for malpractice review, regulatory inquiry, or model-bias audit.
What the AI saw, what it drafted, what the clinician changed, what was attested — all keyed by Sigil, chained, tamper-evident. A single query, not weeks of forensics.
What you get
Relevant frameworks
Visca Cloud has not yet completed formal certification against these frameworks; the stack is architected to meet them and audits are in progress. See the compliance roadmap.
In practice
During a visit, the scribe requests a per-encounter Capability Grant: read this patient's chart, for this visit, for forty-five minutes. It drafts the note under its own Sigil. The clinician edits and attests under theirs. Chronicle records the whole chain. Months later, when the note is questioned, the exact model, prompt, and safety filter are recoverable from the Seal Bundle, and the authorship trail is one query.
Account data, balances, and PII can't go to a hosted model. The whole stack has to run inside the bank.
Operational telemetry stays on-site, and software agents and robots run on one self-hosted ecosystem.
Classified and sensitive data never leaves the boundary — so the entire stack has to run inside it, air-gapped.
Pricing, sourcing, and customer data each stay inside their own walls — across a stack neither company could stitch alone.
Process recipes and plant telemetry stay on the floor — on one self-hosted ecosystem, not a stack stitched per vendor.
The whole stack. Self-hosted. One ecosystem.
Models, identity, tools, voice, payments, runtime, and audit — as one integrated ecosystem, self-hosted, sovereign, air-gapped. Nothing stitched from vendors. Nothing leaves your perimeter. Open at the core. No license rug-pulls, ever.