---
id: "prereq-regulatory-compliance"
type: "prerequisite"
source_timestamps: ["00:10:45", "00:11:01"]
tags: ["legal", "healthcare"]
related: ["concept-regulated-ai-gap", "concept-private-cloud-compute-limits"]
sources: ["s19-apple-trillion"]
sourceVaultSlug: "s19-apple-trillion"
originDay: 19
---
# Knowledge of Professional Regulatory Compliance

## What You Need to Know

The speaker assumes familiarity with the compliance frameworks that govern professional services:

- **HIPAA** (Health Insurance Portability and Accountability Act) — governs PHI (Protected Health Information) in U.S. healthcare; requires BAAs (Business Associate Agreements) with any vendor that touches PHI
- **Attorney-client privilege** — strict confidentiality of legal communications; sharing them with third-party services often *breaks* privilege
- **Fiduciary duty** — financial advisors, accountants, trustees owe undivided loyalty and confidentiality to clients
- **GDPR / data residency** — EU-style requirements that data not leave a specific jurisdiction
- **21 CFR Part 11** — FDA rules for electronic records in clinical settings
- **SOX / GLBA** — financial-sector confidentiality and audit-trail requirements

## Why It's Required

The entire [[concept-regulated-ai-gap]] argument depends on understanding *why* sending sensitive client data to a third-party public cloud server is not just risky but *categorically off-limits* for these professionals.

It also explains why even Apple's [[concept-private-cloud-compute-limits]] (PCC) — which is technically secure — fails the compliance bar: the issue is not technical confidentiality, it's **legal representation about chain of custody**.

Without this background, [[claim-mac-mini-clusters]] sounds like a quirky tech preference rather than the structural compliance-driven necessity it actually is.
