Question 1

If by human error, PHI is ever accidentally ingested into the system, how can you guarantee it will be contained?

Accepted Answer

Guava's proprietary PHI gate sanitizes all inputs before data leaves hospital premises. Any flagged text containing potential identifiers is immediately quarantined locally on the hospital's infrastructure and never transmitted to external systems. This architectural design ensures that even in the event of human error, PHI cannot escape the secure perimeter. For detailed technical specifications of our PHI gate implementation, please contact security@guavamedical.ai.

Question 2

How can Guava generate a Letter of Medical Necessity (LOMN) without patient data or PHI?

Accepted Answer

Guava's AI agents draft custom, payer-specific LOMN templates using only de-identified medical policy criteria. The system analyzes payer requirements and generates compliant documentation scaffolds. Hospital staff then fill in patient identifiers directly within their EHR system—no patient information ever leaves the hospital. This workflow maintains compliance while automating the time-intensive policy review and document structuring process.

Question 3

Is Guava integrated with any EHRs or does it only operate externally?

Accepted Answer

Guava runs entirely outside the EHR, eliminating all integration risk while maintaining interoperability through structured exports. This architectural choice removes the need for complex, expensive EHR integrations and their associated security vulnerabilities. Health systems export de-identified data as needed, and Guava processes it in isolation without ever connecting to or accessing the EHR directly.

Question 4

What compliance standards does Guava meet?

Accepted Answer

Guava maintains SOC 2 Type II mapped controls across all five trust principles (security, availability, processing integrity, confidentiality, and privacy). The platform operates under HIPAA Safe Harbor de-identification standards (45 CFR §164.514(b)), employs AES-256 encryption for data at rest and TLS 1.3 for data in transit, and implements a zero-PHI architecture that eliminates Protected Health Information from all processing pipelines.

Question 5

Does Guava need PHI at all? Do we need to sign a BAA to use Guava?

Accepted Answer

No. Guava functions with a comprehensive zero-PHI architecture, so no Business Associate Agreement (BAA) is required to automate your entire specialty drug billing workflow. The platform never processes, stores, or transmits Protected Health Information, operating exclusively on de-identified data that falls outside HIPAA's regulatory scope.

Question 6

If I wanted PHI or EHR integrated into Guava at any level, would your platform be able to handle these integrations?

Accepted Answer

Guava was architected from the ground up for seamless integration into enterprise health systems—this zero-PHI approach was intentionally the more difficult engineering path to ensure maximum security and compliance. If your organization requires PHI access or direct EHR integrations for custom workflows, our platform can accommodate these requirements with appropriate security controls and BAA execution. Please reach out to our enterprise sales team at enterprise@guavamedical.ai to discuss your specific integration needs.

FUNCTION	PURPOSE	LOCATION
Identity & Access Management	User authentication under hospital SSO	On premise; within hospital boundaries
Network Security	Ensures all Guava connections originate and terminate within controlled boundaries	On premise; within hospital boundaries
PHI Regex Gate	Ensures any accidental input is containerized locally based on HIPAA Safe Harbor regex	On premise; within hospital boundaries
NLP De-Identification	MedSpaCy local NLP model for on-premise final check in case of incidental input	On premise; within hospital boundaries

NAME	PURPOSE	LOCATION	WEBSITE
GCS	Cloud infrastructure and hosting services	United States	https://cloud.google.com/
Vercel	Frontend hosting and development	United States	https://vercel.com/
Anthropic	AI language model services	United States	https://anthropic.com/
Cartesia	Speech-to-text and voice synthesis	United States	https://cartesia.ai/
Pinecone	Vector database and search	United States	https://www.pinecone.io/
Neon	Serverless PostgreSQL database	United States	https://neon.com/
OpenAI	AI language model services	United States	https://openai.com/
Slack	Team communication and notifications	United States	https://slack.com/
Deepgram	Speech-to-text and audio processing	United States	https://deepgram.com/
Supabase	Serverless PostgreSQL database	United States	https://supabase.com/
LiveKit	Real-time AI voice agents	United States	https://livekit.io/

Guava was built for enterprise healthcare systems, from the ground up.

Guava Subprocessors

Your Data

Our Data