How HIPAA Mode Works in FactoryOS
FactoryOS has one switch in Settings labeled HIPAA Mode. Flipping it on doesn't add a feature — it changes the posture of the entire system. The software stops running in performance mode and starts running in compliance mode, and a set of individual settings get pushed to their tightest values and locked there until the switch is flipped back.
The switch matters because most "compliance modes" in software are checklists an admin has to maintain by hand. This one is a single decision that the rest of the system honors automatically.
Compliance Mode or Performance Mode
Every system trades off two things at the margins — how fast and convenient it can be, against how locked-down and traceable. Performance mode keeps the convenience side weighted: lighter logging, optional second-factor authentication, more freedom for admins to adjust settings. Compliance mode flips that weighting — more logging, mandatory 2FA, fewer optional escape hatches.
HIPAA Mode is the binary that picks which side FactoryOS sits on. It isn't a fine-grained control; it's a top-level posture switch. When it's on, the system is in compliance mode for everyone, on every surface, end to end.
What the Switch Enforces
When HIPAA Mode is on, a set of settings get forced to their compliant values and locked from being changed:
- Logging tightens. The system records more of what happens — who accessed what, when, from where — so an auditor can reconstruct events after the fact. - Two-factor authentication becomes mandatory. Anyone who hadn't enrolled gets walked through enrollment the next time they sign in. - Session and access controls tighten. Unattended sessions end faster, and access to protected categories of data is held to the [roles that genuinely need it](how-factoryos-decides-who-sees-what). - Other compliance defaults get pushed into place across the rest of the settings, each in its own tab.
These are settings that exist in FactoryOS normally. The difference under HIPAA Mode is that they aren't optional anymore. An admin who tries to loosen one finds it greyed out, with a note saying HIPAA Mode is enforcing it.
External APIs Get Locked Down
When HIPAA Mode is on, external LLM endpoints are disabled. FactoryOS is built local-first, but it also offers the option to call out to cloud-hosted models when an organization wants the additional capability — and the trade-offs that govern that choice are the subject of when to use local AI vs frontier models. Compliance mode removes that choice for the duration that the switch is on.
Every model call routes to local models on the box. Any workflow or agent step that was wired to call a cloud API gets blocked from doing so until the switch is flipped back. That keeps protected data inside the building, where the compliance posture can actually be enforced.
This is the section where "compliance mode" stops being an abstract phrase. Performance mode might let an operator pick the most capable model on the market, even if that model lives in someone else's data center. Compliance mode says no — protected workloads run on the box, full stop.
Friction Is the Feature
The switch is hard to flip on purpose. Turning it on is a deliberate decision with consequences across the system; turning it off carries the same weight. The action isn't a casual toggle — flipping the switch in either direction is treated as a significant administrative event, recorded as such, and takes effect everywhere at once.
That friction exists because a HIPAA posture is something organizations don't want to wander into or out of by accident. A single admin misclicking a toggle should not, by itself, change the system's compliance footing mid-workday. The switch is intentionally weightier than every other setting because of what depends on it.
Off Is Not a Rollback
Flipping HIPAA Mode off doesn't undo anything. The settings that were forced into compliance values while the switch was on stay at those values — the lock is released, but the values themselves don't revert. Two-factor authentication doesn't switch back to optional automatically; logging doesn't dial down; access controls don't loosen.
What turning it off changes is who can change those settings. With the switch on, the relevant toggles are frozen for everyone. With it off, the system admin can adjust them individually — raise a session timeout, exempt a role from 2FA, re-enable an external API — if there's a reason to.
That asymmetry is worth understanding before flipping the switch off the first time. The expectation that "off" means "back to where we were" is wrong. Off means the locks are open, not that the locks rewind.
Who Owns the Switch
HIPAA Mode is system-admin territory. Flipping it on or off is the kind of decision that should go through whoever in the organization owns compliance — a privacy officer, a CISO, or outside counsel for clinics and firms without dedicated staff. The action belongs to a person who can sign their name to the choice.
In practice, most organizations that need a HIPAA posture turn the switch on once during setup and leave it on. The toggling that comes later is usually about onboarding a new audited workload, or about a deliberate transition from a pilot environment to a production one. The switch isn't a substitute for the rest of [what HIPAA compliance actually requires](why-hipaa-compliance-is-an-architecture-problem) — policies, training, business associate agreements — but it does close the software side of the gap in one motion.