CYPHR COBALT / Data Governance
COBALT operates at the intersection of private equity information requirements and healthcare regulatory obligations. Here is exactly how data is handled, isolated, and protected at both the fund and portfolio company levels.
Structural Isolation
The COBALT architecture enforces a strict boundary between fund-level infrastructure and portfolio company deployments. This is not a configuration option — it is structural. No portfolio company can access another company's data. Fund-level analytics are constructed exclusively from anonymized, aggregated cross-portfolio patterns.
Aether Cross-Portfolio Intelligence
"Aether's cross-portfolio capabilities are built on anonymization and aggregation — not direct data sharing. Pattern recognition, compliance benchmarking, and operational intelligence emerge from pooled signals with all identifying information removed at the source layer before any cross-portfolio computation occurs."
Healthcare-Specific Compliance
Private equity ownership does not modify a healthcare entity's HIPAA obligations. Each portfolio company remains a covered entity or business associate subject to the full scope of the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule. COBALT operates in compliance with these obligations at the individual company level.
HIPAA / 01
CYPHR executes a BAA with each portfolio company independently at the point of deployment activation. The BAA defines the scope of permitted PHI access, permitted uses, and obligations in the event of a breach. BAAs are company-specific and are not aggregated at the fund level.
HIPAA / 02
PHI accessed within BLUE deployments is handled under minimum-necessary standards. Role-specific sub-agents are scoped to access only the PHI required to perform their designated function. Access logs are maintained per the HIPAA Security Rule's audit control requirements.
HIPAA / 03
BLUE deployments maintain enhanced audit trails per HIPAA Security Rule §164.312(b). All PHI access events — including query type, data category, role, and timestamp — are logged. Audit logs are immutable and available for compliance review, OCR inquiry response, and internal governance reporting.
HIPAA / 04
Technical safeguards include access controls with unique user identification, automatic logoff, encryption of ePHI in transit and at rest, and integrity controls preventing unauthorized alteration. Safeguard configurations are documented and available for compliance validation.
HIPAA / 05
At healthcare entity acquisition, HIPAA obligations transfer to the new ownership on the transaction date. COBALT's due diligence (DD) sprint capacity and change-of-ownership infrastructure are designed to identify legacy compliance gaps, establish new BAA relationships, and ensure HIPAA program continuity through the ownership transition period.
HIPAA / 06
BLUE deployments maintain documented breach response workflows per HIPAA Breach Notification Rule requirements. Notification timelines (60-day covered entity, 60-day business associate reporting), affected individual identification, and risk assessment documentation are supported within the BLUE 01 Healthcare Compliance Officer role.
BAA Execution Protocol
Each portfolio company engagement requires an executed Business Associate Agreement prior to any PHI-scope deployment. BAA execution occurs during onboarding, before BLUE sub-agents with PHI access are activated. The fund-level GP relationship does not constitute a BAA for portfolio company purposes — individual agreements are required for each entity.
Multi-Entity Governance
As a fund acquires additional portfolio companies, each new entity receives a fresh, isolated BLUE deployment with its own governance framework. The fund-level infrastructure scales horizontally — each new portco activation adds to the cross-portfolio intelligence layer without modifying existing company environments.
Stage 01 / Acquisition
When a new portfolio company is activated under COBALT, a complete BLUE deployment is provisioned for that entity in an isolated data environment.
Isolated namespace created
Company-specific BAA executed
HIPAA program baseline established
9-role BLUE deployment activated
Change of ownership workflows initiated
Stage 02 / Hold Period
During the hold period, each portfolio company's BLUE deployment operates under its own governance framework while contributing anonymized signals to fund-level intelligence.
Compliance monitoring active
Revenue cycle management ongoing
Audit trails continuously maintained
Payer contract performance tracked
Anonymized benchmarks fed to GP layer
Stage 03 / Exit
At exit preparation, the company's BLUE deployment generates documentation packages supporting buyer due diligence and enabling clean separation from the fund's COBALT environment.
Compliance history documentation export
Clean HIPAA program attestation
Audit log package for buyer DD
BAA relationship transfer process
Data environment clean separation
Core Governance Framework
These commitments apply uniformly to every COBALT engagement — fund level and portfolio company level — without exception. They define the floor of our governance standard, not the ceiling.
COMMITMENT 01
Portfolio company data environments are isolated by architecture, not by access control policy. No configuration change can create lateral data access between portfolio companies. The fund-level environment receives only anonymized aggregates.
COMMITMENT 02
Each portfolio company deployment maintains its own HIPAA compliance program. BAAs are executed per entity. PHI handling, audit trail generation, and breach notification readiness are maintained independently for each company throughout the hold period.
COMMITMENT 03
Sub-agents are scoped to access only the PHI required for their specific function. Compliance agents do not access billing records outside their mandate. Revenue cycle agents do not access clinical documentation outside their scope. Access is limited by role design.
COMMITMENT 04
All PHI access events, sub-agent queries, and governance actions generate immutable, timestamped audit log entries. Logs cannot be altered or deleted by operational users. Log retention meets or exceeds HIPAA Security Rule requirements and is available for compliance review at any time.
COMMITMENT 05
All ePHI is encrypted in transit using TLS 1.2 or higher and at rest using AES-256 or equivalent standards. Encryption applies to all data categories across all portfolio company deployments without exception. Key management follows documented procedures.
COMMITMENT 06
From day one of deployment, each portfolio company's BLUE environment maintains governance documentation structured for buyer due diligence. Compliance history, audit trail exports, HIPAA program attestations, and BAA records are continuously maintained and available for exit-ready packaging.
These are absolute commitments — not subject to configuration, client request, or operational convenience.
Cross-Portco Identifiable Data Sharing
We will never share identifiable patient, operational, or financial data from one portfolio company to another, to the fund level, or to any third party outside the BAA scope for that entity.
Training on Client Data
We will never use portfolio company data — including PHI, revenue cycle records, or compliance documentation — to train, fine-tune, or improve any AI model outside the scope of that company's deployment.
PHI Access Outside BAA Scope
We will never access, query, process, or transmit PHI for purposes outside the scope defined in the executed Business Associate Agreement for each portfolio company. BAA scope is binding and non-negotiable.
Weakening Isolation for Convenience
We will never reduce or modify the structural isolation between portfolio company environments to enable fund-level features, operational efficiencies, or product capabilities. Isolation architecture is fixed.
Ready to Deploy
We're prepared to discuss our governance architecture, BAA terms, and technical safeguard documentation with your legal and compliance teams prior to engagement.
The governance framework described on this page represents CYPHR's operational standards and architectural commitments as of the current date. Healthcare regulatory requirements, including those under HIPAA, are subject to change. CYPHR's governance documentation should be reviewed alongside applicable regulatory requirements by qualified legal and compliance counsel prior to deployment. This page does not constitute legal advice and does not establish an attorney-client relationship.