Zero PHI Egress Healthcare AI

All Protected Health Information stays inside your infrastructure. No cloud APIs, no external data transmission, no third-party processor risk. Containerized on-premise deployment.

Why PHI Egress Matters

Most AI-powered healthcare tools process data by sending it to cloud endpoints. Medical records are uploaded, transmitted to external servers, processed by third-party models, and results are returned over the network. Every step in that chain creates PHI exposure.

The regulatory landscape around Protected Health Information is clear: HIPAA requires covered entities and their business associates to safeguard PHI against unauthorized disclosure. When PHI leaves your network for processing by an external service, you take on third-party processor risk, data-in-transit exposure, and the compliance burden of verifying that every downstream system meets your security requirements.

For healthcare organizations handling RADV audits, chart reviews, and risk adjustment validation, the records being processed contain some of the most sensitive patient data in the system—clinical notes, diagnoses, treatment histories, and lab results. Sending this data to cloud-based AI services introduces risk that many compliance teams are unwilling to accept.

RafCite™ by CodaFend eliminates this risk entirely. It processes all medical records on-premise, within your infrastructure, with zero PHI leaving your network at any point during operation.

How CodaFend Achieves Zero PHI Egress

Zero PHI egress is not a configuration option—it is the fundamental architecture of RafCite. The system is designed from the ground up to operate entirely within your network boundary:

1. On-Premise Processing: All medical record ingestion, parsing, HCC validation, MEAT evidence extraction, and output generation run on hardware you control. No PHI processing step occurs outside your infrastructure.
2. No External APIs: RafCite does not call cloud AI endpoints, third-party NLP services, or external model APIs during processing. The AI models and all supporting components run locally within your deployment.
3. Containerized Architecture: RafCite deploys as containerized components that run on standard server infrastructure. This provides deployment consistency, isolation, and portability across different on-premise environments.
4. Network Isolation: The system can operate in fully air-gapped environments with no outbound network connectivity required for PHI processing. Data paths are confined to your internal network at every stage.

Architecture Overview

RafCite’s deployment architecture is designed so that Protected Health Information never needs to leave the customer’s network boundary:

  • Deployment target — Dedicated on-premise servers or private cloud infrastructure under your administrative control
  • Container runtime — Standard container orchestration (Docker/Podman) on Linux-based server hardware
  • AI model execution — All language models and extraction components run locally within the containerized environment
  • Data storage — Input records, processing artifacts, and output evidence packets are stored on your local storage infrastructure
  • GPU acceleration — Optional GPU support for production throughput; CPU-only operation is supported for evaluation and lower-volume use
  • Update delivery — Software and model updates are delivered as versioned packages applied on-premise; air-gapped transfer is supported
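
The Network Isolation step and the container runtime bullet above state the property; a team deploying it will want a way to check that the Compose file they ship actually gives no container an outbound route. The following is an added example, not RafCite's or CodaFend's code. It reads a Compose file in JSON form (Compose accepts JSON because JSON is valid YAML) and reports settings that would break egress isolation: a user-defined network that is not `internal: true`, a service on `network_mode: host`, or a service with no `networks:` entry (which joins the project's default bridge and so has outbound routing). The service and network names are constructed placeholders, not RafCite's component names.

```python
"""Static egress check for a Compose deployment (added example, not CodaFend's
code).  It parses a Compose file given in JSON form and reports any setting
that would give a container a route out of the host's internal network."""
import json

# Constructed sample: two services on a single internal-only network.
# Service and network names are placeholders, not real RafCite components.
ISOLATED_COMPOSE = """
{
  "services": {
    "ingest":    {"image": "example/ingest:1.0",    "networks": ["phi_net"]},
    "inference": {"image": "example/inference:1.0", "networks": ["phi_net"]}
  },
  "networks": {
    "phi_net": {"internal": true}
  }
}
"""

# Constructed sample with three common isolation mistakes, for comparison.
LEAKY_COMPOSE = """
{
  "services": {
    "ingest":    {"image": "example/ingest:1.0",    "network_mode": "host"},
    "inference": {"image": "example/inference:1.0", "networks": ["phi_net"]},
    "worker":    {"image": "example/worker:1.0"}
  },
  "networks": {
    "phi_net": {}
  }
}
"""


def egress_findings(compose_text):
    """Return a list of human-readable findings.  An empty list means no
    service in the file has a configured path to an external network."""
    cfg = json.loads(compose_text)
    networks = cfg.get("networks") or {}
    findings = []

    # 1. Every user-defined network must be marked internal.  A non-internal
    #    network gets a gateway that routes traffic out of the host.
    for name, spec in networks.items():
        if not (spec or {}).get("internal", False):
            findings.append(f"network '{name}' is not internal: true")

    for svc, spec in (cfg.get("services") or {}).items():
        # 2. Host networking bypasses Compose networks entirely.
        if spec.get("network_mode") == "host":
            findings.append(f"service '{svc}' uses network_mode: host")
            continue
        attached = spec.get("networks")
        # 3. No 'networks' key means the service joins the default bridge,
        #    which is not internal and therefore has outbound routing.
        if not attached:
            findings.append(
                f"service '{svc}' has no networks: entry (joins default bridge)")
            continue
        # 'networks' may be a list of names or a mapping of name -> options.
        names = list(attached) if isinstance(attached, (list, dict)) else []
        for n in names:
            if n not in networks:
                findings.append(
                    f"service '{svc}' references undefined network '{n}'")
    return findings


if __name__ == "__main__":
    for label, text in (("isolated", ISOLATED_COMPOSE), ("leaky", LEAKY_COMPOSE)):
        result = egress_findings(text)
        print(f"{label}: {'OK' if not result else result}")
```

This is a static check on the deployment description, so it belongs in the pipeline that packages a release; it does not replace a runtime confirmation that the running containers have no route to the outside, which the air-gapped deployment described above provides by construction.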

No PHI in the update path. Software updates—including CMS model version updates and platform improvements—are delivered independently of any patient data. Updates never require sending PHI outside your network.

Compliance Benefits

On-premise deployment with zero PHI egress simplifies compliance in several measurable ways:

  • BAA readiness — CodaFend executes a Business Associate Agreement as part of standard onboarding. Because no PHI leaves your infrastructure, the BAA scope is straightforward.
  • Audit trail — Every processing step is logged within your environment. Compliance teams can review the complete chain of custody for each medical record without requesting logs from a third-party provider.
  • Data residency — All PHI remains on infrastructure you control, in the physical location you choose. There are no cross-region data transfers or multi-tenant storage concerns.
  • No third-party processor risk — You do not need to assess, monitor, or audit an external AI vendor’s PHI handling practices, because no PHI reaches them.
  • Simplified breach analysis — If a security event occurs, the investigation scope is limited to your own infrastructure. There is no need to coordinate breach analysis with an external data processor.

Security by architecture, not by policy. Zero PHI egress is enforced by system design. There is no configuration setting that enables external data transmission, and no operational mode that sends PHI outside your network.

Cloud vs. On-Premise for PHI Processing

Many healthcare AI tools default to cloud-based processing because it simplifies deployment for the vendor. For PHI-sensitive workflows, this creates trade-offs that organizations should evaluate carefully:

Factor | Cloud-Based AI | On-Premise (RafCite)
PHI data path | Transmitted to external servers | Stays within your network
Third-party risk | Vendor PHI handling must be audited | No external processor involved
Data residency | Vendor-controlled infrastructure | Your infrastructure, your location
Breach scope | Includes vendor systems | Limited to your environment
Network dependency | Internet connectivity required | Air-gapped operation supported
Pricing model | Per-chart or usage-based | Annual platform license

For a detailed comparison, see our guide on cloud HCC software vs. on-premise deployment. For more about our on-premise deployment approach, visit on-premise healthcare AI.

Frequently Asked Questions

What infrastructure is required to deploy RafCite on-premise?

RafCite deploys as containerized components on standard server hardware running Linux. A GPU is recommended for production throughput but is not required for deployment or evaluation. The system runs on dedicated on-premise servers or within a private cloud environment that you control—the key requirement is that no PHI data path exits your network boundary.

Does RafCite require any outbound network connectivity?

No. RafCite processes all medical records and produces all output entirely within your network. There are no external API calls, no cloud model endpoints, and no telemetry that includes patient data. The system can operate in fully air-gapped environments. Optional outbound connectivity is used only for software update checks, never for PHI processing.

How does CodaFend handle software updates without cloud connectivity?

Software updates—including CMS model version updates, ICD-10-CM mapping changes, and platform improvements—are delivered as versioned packages that can be applied on-premise. For air-gapped environments, updates can be transferred via secure media. No PHI is involved in the update process, and updates never require sending data outside your infrastructure.

Is a GPU required to run RafCite?

A GPU is recommended for production-scale throughput but is not required. RafCite can run on CPU-only hardware for evaluation, testing, and lower-volume processing. GPU acceleration significantly reduces per-chart processing time when handling large review populations.

Deploy AI Without PHI Risk

See how RafCite processes medical records entirely on-premise—with zero PHI leaving your infrastructure and no external API dependencies.