Healthcare

Cross-SaaS PHI inventory for healthcare.
Without another BAA.

nanodlp is the data loss prevention tool that runs in your environment — never in ours. Your PHI never leaves your AWS account, your Azure tenant, or your data center. We're not a Business Associate; you don't sign a BAA with us. One less vendor in your annual privacy review.

Book a 30-min walkthrough → Read the architecture

The PHI inventory problem

Your hospital's PHI is in 30+ SaaS apps. Google Drive has discharge summaries. Slack has care coordination messages. GitHub has scripts that process patient IDs. Dropbox has shared radiology reports.

Existing DLP tools cover one vendor at a time. Microsoft Purview covers M365. Google DLP covers Drive. Neither covers Slack, Dropbox, or GitHub. You're running three separate tools, maintaining three separate rule sets, and still have gaps.

nanodlp covers all of them, in one binary, with one dashboard — and the PHI never leaves your environment.

What we detect for healthcare

Current detectors (v1.0):

  • US SSN (with proximity context to reduce false positives)
  • US phone numbers
  • Email addresses
  • Credit card numbers (BIN + Luhn validated)
  • Date of birth patterns (with context)
  • IP addresses

Shipping in v1.2 (Q3 2026):

  • Medical Record Number (MRN) — configurable format per EHR vendor
  • National Provider Identifier (NPI)
  • DEA registration number
  • ICD-10 code patterns
  • FHIR resource fragments
  • HL7 message patterns

How HITRUST evidence works in nanodlp

The Team and Enterprise tiers auto-generate a quarterly compliance report. The report includes:

  • Total documents scanned per connector
  • Detection counts by category and severity
  • Remediation actions taken (access revocations, alerts acknowledged)
  • Data plane version history (for change management evidence)
  • Scan coverage percentage per connector

The report is generated from metadata only. No PHI is included in the report — by construction, not by policy.

The no-BA story

Under HIPAA, a Business Associate is an entity that creates, receives, maintains, or transmits PHI on behalf of a covered entity. nanodlp does not do any of those things. The data plane runs in your environment. It reads your PHI locally, generates metadata findings, and discards the content. The metadata (detection counts, document IDs, severity) that reaches our control plane does not constitute PHI.

This is an architectural guarantee, not a contractual one. You can verify it by reading the source code and the FindingsBatch schema on our security page.
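An added illustration of the data-plane contract described above (not nanodlp's own code and not its FindingsBatch schema): a detector with SSN proximity context and Luhn-checked card numbers that emits only categories, counts, severities and offsets, so the serialised batch cannot carry the matched content. The function names, the simplified BIN check and the sample text are assumptions.

```python
import json
import re

# Constructed sample document for the demo; the values are test data, not real PHI.
SAMPLE_DOC = (
    "Patient intake. SSN: 219-09-9999. Contact 555-0100.\n"
    "Billing card 4111 1111 1111 1111 (test number).\n"
    "Order id 123-45-6789 is a ticket reference, not an SSN.\n"
)

# SSN shape with structurally invalid area/group/serial values excluded.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Proximity context: a label must appear shortly before the number.
SSN_CONTEXT_RE = re.compile(r"\b(ssn|social security)\b", re.IGNORECASE)
# 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Simplified BIN check (assumption): leading digits of the major networks.
CARD_BINS = ("3", "4", "5", "6")
CONTEXT_WINDOW = 40


def luhn_valid(digits: str) -> bool:
    """Standard Luhn checksum over a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_document(doc_id: str, text: str) -> dict:
    """Scan locally; return metadata-only findings, never the matched text."""
    findings = []
    for m in SSN_RE.finditer(text):
        window = text[max(0, m.start() - CONTEXT_WINDOW):m.start()]
        if SSN_CONTEXT_RE.search(window):
            findings.append({"category": "us_ssn", "severity": "high",
                             "offset": m.start(), "length": m.end() - m.start()})
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if digits.startswith(CARD_BINS) and luhn_valid(digits):
            findings.append({"category": "credit_card", "severity": "high",
                             "offset": m.start(), "length": m.end() - m.start()})
    return {"doc_id": doc_id, "findings": findings}


def findings_batch(results: list) -> str:
    """Serialise what would leave the environment; the content is already gone."""
    return json.dumps({"documents": results}, sort_keys=True)


if __name__ == "__main__":
    print(findings_batch([scan_document("drive:constructed-001", SAMPLE_DOC)]))
```

The third line of the sample shows the proximity rule at work: an SSN-shaped ticket number with no label nearby is not reported.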

We will provide a legal opinion letter on request (Enterprise tier). But the architecture is the primary control.

✓ No BAA to sign, manage, or renew with us
✓ Not a HIPAA Business Associate (architectural, not contractual)
✓ Zero subprocessors handling your PHI
✓ Zero data-residency disclosures to your Privacy Officer
✓ Schrems II: no cross-border transfer of health data

Book a walkthrough

30 minutes with our healthcare lead. We'll show you the architecture, walk through a live scan of a test Drive folder, and answer your Privacy Officer's questions directly.

Book a 30-min walkthrough → [Calendly link — TODO]