PHI can't be shipped to a model API. The scribe, the model, and the record all run in your tenancy — on a stack that maintains itself.
Charts, notes, images, and the rest of a patient's PHI are precisely the data a health system cannot route to hosted model, transcription, or voice APIs — every vendor in that chain needs a BAA, and every outbound call is egress that won't survive the security review. Keeping PHI in your tenancy means self-hosting, but a do-it-yourself stack of a model server, a transcription project, an identity layer, and an audit pipeline is a dozen seams and an ops burden no clinical IT team signed up for. Visca runs the whole stack — identity, credentials, runtime, and audit — inside your perimeter, with its own operators keeping it current. Proven on ourselves first: a clinical AI product built on this stack is approved and in pilot at Stanford.
Why the data can't leave
An agent integrated to the EHR through a service account can read every patient the clinician can. A leaked credential is a panel-wide PHI breach.
The EMR audit shows a clinician edited a note. It does not show that an AI drafted the content underneath. For malpractice and bias review, that distinction is everything.
Self-hosting the model server, the transcription pipeline, and the audit chain means someone patches them, rotates their credentials, and answers their incidents. Hospital IT is already stretched; a second infrastructure estate is a non-starter.
One stack, not a stitched one
The clinical AI acts under its own identity, separate from the clinician's. The trail says: AI drafted, clinician edited, clinician attested — verifiable and exportable to the EHR.
Read this patient, for this visit, for this duration, with this consent on file. No standing panel-wide access; nothing for a leaked token to read.
The model, the prompts, and the outputs execute inside your perimeter. No outbound call to clear, no new BAA per vendor, no egress finding to remediate.
What the AI saw, what it drafted, what the clinician changed, what was attested — one chained, tamper-evident record. A single query, not weeks of forensics.
The stack's own operators deploy, upgrade, patch, rotate credentials, and answer incidents — inside the tenancy, under the same identity and audit, on the same record.
What you get
Relevant frameworks
Visca Cloud has not yet completed formal certification against these frameworks; the stack is architected to meet them and audits are in progress. See the compliance roadmap.
In practice
During a visit, the scribe requests a per-encounter credential: read this patient's chart, for this visit, for forty-five minutes. It drafts the note under its own identity; the clinician edits and attests under theirs; both land on one record. Months later, when the note is questioned, the authorship trail — and the patch history of the stack that produced it — is one query, not weeks of forensics.
Account data, balances, and PII can't leave the bank. The stack that handles them runs inside it — and answers the examiner.
Telemetry, layouts, and shipment data stay on-site. Software agents and robots run on one in-perimeter stack, under one record.
Classified and sensitive data never leaves the boundary. The whole stack runs inside it — air-gapped, and able to maintain itself there.
Pricing, sourcing, and customer data stay inside each company's walls — while their agents still work across the boundary.
Process recipes and plant telemetry stay on the floor — on one in-perimeter stack, not a console per vendor.
The Autonomy Stack for regulated industries
Identity, credentials, runtime, and audit — shipped as part of your product, run inside your customer's walls, operated by agents under the same ledger as everything else. Nothing leaves the perimeter. Nothing is off the record.