Healthcare (HIPAA) Use Case

Healthcare organizations subject to HIPAA must protect Protected Health Information (PHI) in all AI interactions. Keeptrusts enforces PHI redaction, access controls, audit logging, and data handling requirements mandated by the HIPAA Privacy Rule, Security Rule, and HITECH Act.

Use this page when

• You are deploying AI in US healthcare organizations subject to HIPAA Privacy Rule, Security Rule, and HITECH Act requirements.
• You need PHI redaction, role-based access controls for clinical vs. administrative staff, and BAA-compliant data handling for AI workloads.
• You want automated breach detection logging and audit trails that satisfy OCR investigation requirements.

Primary audience

• Primary: Technical Leaders
• Secondary: Technical Engineers, AI Agents

Regulatory Requirements

HIPAA Rule	Requirement	Keeptrusts Policy
Privacy Rule	Minimum necessary PHI	hipaa-phi-detector
Security Rule	Access controls, audit trails	rbac, audit-logger
HITECH	Breach notification, encryption	dlp-filter, audit-logger
Business Associate	BAA compliance	data-routing-policy, audit-logger

Complete Policy Configuration

pack:
  name: healthcare-hipaa
  version: 1.0.0
  enabled: true
policies:
  chain:
  - prompt-injection
  - rbac
  - hipaa-phi-detector
  - pii-detector
  - dlp-filter
  - healthcare-compliance
  - safety-filter
  - quality-scorer
  - audit-logger
policy:
  prompt-injection: {}
  rbac:
    deny_if_missing:
    - X-User-ID
    - X-User-Role
  hipaa-phi-detector:
    mode: hipaa_18
    action: redact
    safe_harbor_method: true
  pii-detector:
    action: redact
    detect_patterns:
    - email
    - phone
    - address
    - ssn
  dlp-filter:
    detect_patterns:
    - '\bMRN[:\s]*[0-9]{6,10}\b'
    - '\b[A-Z][0-9]{2}\.[0-9]{1,4}\b'
    - '\b[0-9]{10}\b'
    action: redact
  healthcare-compliance:
    blocked_patterns: []
    required_disclaimers:
    - AI-generated clinical information must be verified by a licensed healthcare professional before use in patient care.
    fda_class: II
  safety-filter:
    action: block
  quality-scorer:
    thresholds:
      min_aggregate: 0.8
  audit-logger:
    immutable: true
    retention_days: 2190
    log_all_access: true
    hipaa_audit_controls: true

Example Scenarios

Clinical Decision Support

Physician: "Patient John Smith (MRN: 123456789) presents with chest pain
and elevated troponin. Recommend diagnostic pathway."

→ hipaa-phi-detector redacts:
  "Patient [PHI-REDACTED-patient_name] (MRN: [PHI-REDACTED-medical_record_number])
  presents with chest pain and elevated troponin. Recommend diagnostic pathway."

→ LLM receives de-identified prompt
→ Response includes clinical recommendation + disclaimer
→ Full audit trail with original and redacted content

Blocked: Unsafe Advice

User: "Can I stop taking my blood pressure medication cold turkey?"

→ safety-filter blocks: Detected potentially dangerous medical advice request
→ Response: "I cannot provide advice on medication changes.
   Please consult your healthcare provider."

Research (De-identified)

Researcher: "Analyze outcomes for diabetic patients aged 65+
in the cardiology department."

→ rbac: Researcher role, require_deidentification enforced
→ hipaa-phi-detector: Scans for any PHI, none found in aggregate query
→ Response generated from de-identified context only

Provider Recommendations

Use Case	Provider	Reason
Clinical decision support	OpenAI GPT-4o	Best medical reasoning
Record summarization	Anthropic Claude	Long context for medical records
De-identified research	Self-hosted (Ollama/vLLM)	Data never leaves your infrastructure

Zero Data Retention Configuration

For maximum PHI protection, use ZDR to ensure no data is retained by the LLM provider:

pack:
  name: healthcare-hipaa-providers-2
  version: 1.0.0
  enabled: true
providers:
  targets:
  - id: openai-zdr
    provider: openai
    model: gpt-4o
    base_url: https://api.openai.com
    secret_key_ref:
      env: OPENAI_API_KEY
policies:
  chain:
  - audit-logger
policy:
  audit-logger:
    immutable: true
    retention_days: 365
    log_all_access: true
    hipaa_audit_controls: true

Self-Hosted for Maximum Control

pack:
  name: healthcare-hipaa-providers-3
  version: 1.0.0
  enabled: true
providers:
  targets:
  - id: local-llama
    provider: ollama
    model: llama3.1:70b
    base_url: http://localhost:11434
policies:
  chain:
  - audit-logger
policy:
  audit-logger:
    immutable: true
    retention_days: 365
    log_all_access: true
    hipaa_audit_controls: true

Self-hosted models ensure PHI never leaves your infrastructure. Combine with the full HIPAA policy stack above for defense-in-depth.

Compliance Verification

Use kt policy test to verify your HIPAA configurations:

kt policy test --json

Review HIPAA-related events in the console under Events → filter by policy hipaa-phi-detector.

For AI systems

• Canonical terms: Keeptrusts HIPAA governance, PHI protection, hipaa-phi-detector, minimum necessary standard, BAA compliance.
• Policy pack: healthcare-hipaa with chain: prompt-injection → rbac → hipaa-phi-detector → pii-detector → dlp-filter → healthcare-compliance → safety-filter → quality-scorer → audit-logger.
• Key policies: hipaa-phi-detector (18 HIPAA identifiers, minimum necessary enforcement), rbac (clinical vs. administrative access controls), dlp-filter (medical record numbers, insurance IDs), healthcare-compliance (BAA requirements, breach notification triggers), audit-logger (Security Rule audit trail), safety-filter (clinical safety validation).
• CLI: kt gateway run --policy-config ./policy-config.yaml, kt events tail --policy hipaa-phi-detector, kt events tail --policy healthcare-compliance.

For engineers

• Deploy: kt gateway run --policy-config ./policy-config.yaml --port 41002
• Validate: kt doctor confirms hipaa-phi-detector, rbac, healthcare-compliance, and audit-logger are active.
• Monitor PHI: kt events tail --policy hipaa-phi-detector (all 18 HIPAA identifiers redacted).
• Monitor access controls: kt events tail --policy rbac (Security Rule access enforcement).
• Monitor compliance: kt events tail --policy healthcare-compliance (BAA, breach notification).
• Export OCR evidence: kt export create --format json --filter "policy=audit-logger,hipaa-phi-detector"
• Console: Events (filter by hipaa-phi-detector), Escalations (route to privacy officer), Audit Log (OCR investigation evidence).

For leaders

• Addresses HIPAA Privacy Rule (minimum necessary PHI), Security Rule (access controls, audit trails), HITECH Act (breach notification, encryption), and Business Associate Agreement (BAA) compliance.
• All 18 HIPAA identifiers automatically detected and redacted before reaching any LLM provider.
• Minimum necessary standard enforced technically — only the PHI required for the specific AI task is accessible.
• Security Rule audit trail generated automatically, satisfying OCR investigation documentation requirements.
• HITECH breach notification triggers automated when data handling anomalies are detected.
• BAA compliance demonstrated through data routing controls and comprehensive audit logs.

Next steps

• Industries overview — Compare all industry policy configurations
• Healthcare (EU GDPR) — European health data governance
• Pharmaceutical — FDA and clinical trial compliance
• Biotech — Genomic data and IRB compliance
• Public Health — Population health and surveillance
• Quickstart — Deploy your first gateway in minutes