Backport: feat (provider/gateway): add hipaaCompliant provider option (#14128)

vercel-ai-sdk[bot] · jerilynzheng · claude · web-flow · commit 5f439a1e35de · 2026-04-03T17:26:43.000-07:00
This is an automated backport of #13614 to the release-v6.0 branch. FYI @jerilynzheng Co-authored-by: Jerilyn Zheng <zheng.jerilyn@gmail.com> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
diff --git a/.changeset/hipaa-compliant-option.md b/.changeset/hipaa-compliant-option.md
@@ -0,0 +1,5 @@
+---
+'@ai-sdk/gateway': patch
+---
+
+feat (provider/gateway): add hipaaCompliant gateway provider option
diff --git a/content/providers/01-ai-sdk-providers/00-ai-gateway.mdx b/content/providers/01-ai-sdk-providers/00-ai-gateway.mdx
@@ -786,6 +786,9 @@ The following gateway provider options are available:
 
   Restricts routing requests to providers that have agreements with Vercel for AI Gateway to not use prompts for model training. If there are no providers available for the model that disallow prompt training, the request will fail. BYOK credentials are skipped when `disallowPromptTraining` is set to `true` to ensure that requests are only routed to providers that do not train on prompt data.
 
+- **hipaaCompliant** _boolean_
+
+  Restricts routing to models and tools from providers that have signed a BAA with Vercel for the use of AI Gateway (requires Vercel HIPAA BAA add on). BYOK credentials are skipped when `hipaaCompliant` is set to `true` to ensure that requests are only routed to providers that support HIPAA compliance.
 
 - **providerTimeouts** _object_
 
@@ -876,6 +879,25 @@ const { text } = await generateText({
 });
 ```
 
+#### HIPAA Compliance Example
+
+Set `hipaaCompliant` to true to route requests only to models or tools by providers that have signed a BAA with Vercel for the use of AI Gateway. If the model or tool does not have a HIPAA-compliant provider, the request will fail. When `hipaaCompliant` is `false` or not specified, there is no enforcement of restricting routing. BYOK credentials are skipped when `hipaaCompliant` is set to `true` to ensure that requests are only routed to providers that support HIPAA compliance.
+
+```ts
+import type { GatewayProviderOptions } from '@ai-sdk/gateway';
+import { generateText } from 'ai';
+
+const { text } = await generateText({
+  model: 'anthropic/claude-sonnet-4.6',
+  prompt: 'Analyze this patient data...',
+  providerOptions: {
+    gateway: {
+      hipaaCompliant: true,
+    } satisfies GatewayProviderOptions,
+  },
+});
+```
+
 ### Provider-Specific Options
 
 When using provider-specific options through AI Gateway, use the actual provider name (e.g. `anthropic`, `openai`, not `gateway`) as the key:
diff --git a/examples/ai-functions/src/stream-text/gateway-provider-options-hipaa-compliant.ts b/examples/ai-functions/src/stream-text/gateway-provider-options-hipaa-compliant.ts
@@ -0,0 +1,27 @@
+import type { GatewayProviderOptions } from '@ai-sdk/gateway';
+import { streamText } from 'ai';
+import { run } from '../lib/run';
+
+run(async () => {
+  const result = streamText({
+    model: 'openai/gpt-oss-120b',
+    prompt: 'Tell me the history of the tenrec in a few sentences.',
+    providerOptions: {
+      gateway: {
+        hipaaCompliant: true,
+      } satisfies GatewayProviderOptions,
+    },
+  });
+
+  for await (const textPart of result.textStream) {
+    process.stdout.write(textPart);
+  }
+
+  console.log();
+  console.log('Token usage:', await result.usage);
+  console.log('Finish reason:', await result.finishReason);
+  console.log(
+    'Provider metadata:',
+    JSON.stringify(await result.providerMetadata, null, 2),
+  );
+});
diff --git a/packages/gateway/src/gateway-language-model.test.ts b/packages/gateway/src/gateway-language-model.test.ts
@@ -1575,5 +1575,46 @@ describe('GatewayLanguageModel', () => {
         gateway: { disallowPromptTraining: true },
       });
     });
+
+    it('should pass hipaaCompliant option', async () => {
+      prepareJsonResponse({
+        content: { type: 'text', text: 'Test response' },
+      });
+
+      await createTestModel().doGenerate({
+        prompt: TEST_PROMPT,
+        providerOptions: {
+          gateway: {
+            hipaaCompliant: true,
+          },
+        },
+      });
+
+      const requestBody = await server.calls[0].requestBodyJson;
+      expect(requestBody.providerOptions).toEqual({
+        gateway: { hipaaCompliant: true },
+      });
+    });
+
+    it('should pass both zeroDataRetention and hipaaCompliant options', async () => {
+      prepareJsonResponse({
+        content: { type: 'text', text: 'Test response' },
+      });
+
+      await createTestModel().doGenerate({
+        prompt: TEST_PROMPT,
+        providerOptions: {
+          gateway: {
+            zeroDataRetention: true,
+            hipaaCompliant: true,
+          },
+        },
+      });
+
+      const requestBody = await server.calls[0].requestBodyJson;
+      expect(requestBody.providerOptions).toEqual({
+        gateway: { zeroDataRetention: true, hipaaCompliant: true },
+      });
+    });
   });
 });
diff --git a/packages/gateway/src/gateway-provider-options.ts b/packages/gateway/src/gateway-provider-options.ts
@@ -65,6 +65,12 @@ const gatewayProviderOptions = lazySchema(() =>
        * to not use prompts for model training will be used.
        */
       disallowPromptTraining: z.boolean().optional(),
+      /**
+       * Whether to filter by only providers that are HIPAA compliant with
+       * Vercel AI Gateway. When enabled, only providers that have agreements
+       * with Vercel AI Gateway for HIPAA compliance will be used.
+       */
+      hipaaCompliant: z.boolean().optional(),
       /**
        * Per-provider timeouts for BYOK credentials in milliseconds.
        * Controls how long to wait for a provider to start responding

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +---
 +'@ai-sdk/gateway': patch
 +---
++
 +feat (provider/gateway): add hipaaCompliant gateway provider option