RAG current best practices

Does anyone recommend any best practice for HIPAA-compliant LLM use case scenarios such as medical record analysis (typically oneRecord[DOT]com/FHIR network 300-400 page PDF documents)? Unless I am mistaken, only Microsoft Azure OpenAI service offers BAA (Business Associate Agreements), as OpenAI does not provide this? We are currently looking at Astra DB / Pinecone and Weaviate, as OpenAI native retrieval is very opaque and expensive.

I do not know the specifics of HIPAA compliance, but it sounds to me like your task is to build a RAG system with access control for all documents. I do this now using Weaviate and the metadata properties available and it’s in embed objects.

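The metadata-based access control described in the reply above, sketched as an added example that is not part of any poster's message and not Weaviate's API. It uses an in-memory list in place of a vector database; the `patient_id` and `allowed_roles` property names, the user record shape, and the toy 3-d vectors are assumptions made for illustration.

```python
import math

# Constructed sample data: toy 3-d vectors stand in for real embeddings, and the
# patient_id / allowed_roles property names are assumptions for this sketch.
CHUNKS = [
    {"id": "c1", "text": "A1c trend 2021-2023", "vec": [0.9, 0.1, 0.0],
     "patient_id": "pt-001", "allowed_roles": {"clinician"}},
    {"id": "c2", "text": "Medication list", "vec": [0.8, 0.2, 0.1],
     "patient_id": "pt-002", "allowed_roles": {"clinician"}},
    {"id": "c3", "text": "Claim summary", "vec": [0.1, 0.9, 0.0],
     "patient_id": "pt-001", "allowed_roles": {"clinician", "billing"}},
    # Ingestion gap: no access metadata. Must be treated as deny, not allow.
    {"id": "c4", "text": "Unlabelled scan page", "vec": [1.0, 0.0, 0.0]},
]

def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return dot / norm if norm else 0.0

def is_permitted(chunk, user):
    """Deny by default: both metadata properties must be present and match."""
    roles = chunk.get("allowed_roles")
    patient = chunk.get("patient_id")
    if not roles or patient is None:
        return False
    return user["role"] in roles and patient in user["patients"]

def retrieve(query_vec, user, chunks=CHUNKS, k=3):
    """Filter on metadata before ranking so denied chunks are never scored or returned."""
    permitted = [c for c in chunks if is_permitted(c, user)]
    ranked = sorted(permitted, key=lambda c: cosine(query_vec, c["vec"]), reverse=True)
    return [c["id"] for c in ranked[:k]]

def build_prompt(question, query_vec, user):
    """Only chunks that passed the filter are placed in the LLM context."""
    by_id = {c["id"]: c["text"] for c in CHUNKS}
    context = "\n".join(by_id[i] for i in retrieve(query_vec, user))
    return f"Context:\n{context}\n\nQuestion: {question}"
```

Filtering before ranking, rather than trimming results afterwards, keeps a denied chunk out of the prompt even when it is the nearest neighbour of the query, as `c4` is for the query vector `[1, 0, 0]`.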

You can sign a BAA with OpenAI! Start here -


I’m not quite sure why you’re grouping Astra DB/Pinecone with OpenAI, as OpenAI specializes in large language models (LLMs), while Astra DB/Pinecone are primarily used for vector databases in semantic search. However, if your goal is to analyze hundreds of documents, choosing the right LLM is essential, though be aware that deploying these models natively can be quite costly. I recommend removing any sensitive patient data from your medical records to ensure HIPAA compliance before implementing a Retrieval-Augmented Generation (RAG) system for analysis. This approach is currently the best solution I can recommend.

Thanks for these details, Henry. Your comments are much appreciated.