Skip to main content
Browse docs
By Audience
Getting Started
Configuration
Use Cases
IDE Integration
Third-Party Integrations
Engineering Cache
Console
API Reference
Gateway
Workflow Guides
Templates
OverviewFinanceHealthcare HIPAAEU AI ActDefensePrompt InjectionAgent FirewallCitation VerificationQuality BenchmarkingZero Data Retention
Providers and SDKs
Industry Guides
Advanced Guides
Browse by Role
Deployment Guides
In-Depth Guides
Tutorials
CLI Reference
Policy Reference
FAQ

Healthcare HIPAA Template

Policy configuration for US healthcare applications compliant with HIPAA requirements.

Use this page when

  • You are building an AI application for US healthcare or telemedicine that must comply with HIPAA requirements.
  • You need a starting config that blocks PHI (18 HIPAA identifiers), prevents medical advice patterns, enforces human oversight, and maintains a 7-year audit trail.
  • You want to go from zero to a running HIPAA-compliant gateway with kt init --template healthcare-us-hipaa.

Primary audience

  • Primary: Technical Engineers
  • Secondary: AI Agents, Technical Leaders

Policy Config

pack:
  name: healthcare-us-hipaa
  version: 0.1.0
  enabled: true
  description: HIPAA-compliant healthcare AI governance
policies:
  chain:
  - prompt-injection
  - hipaa-phi-detector
  - pii-detector
  - healthcare-compliance
  - human-oversight
  - audit-logger
policy:
  prompt-injection:
    response:
      action: block
      message: "Request blocked: potential prompt injection detected"
  hipaa-phi-detector:
    mode: hipaa_18
    action: block
    safe_harbor_method: true
  pii-detector:
    action: redact
    healthcare_mode: true
  healthcare-compliance:
    blocked_patterns:
    - prescribe
    - diagnose
    - dosage recommendation
    required_disclaimers:
    - This is AI-generated content and not a substitute for professional medical advice.
    fda_class: II
  human-oversight:
    require_human_for:
    - medical_decisions
    - diagnostic_suggestions
    - prescription_guidance
    action: escalate
    confidence_threshold: 0.6
    default_assignee: clinical-review@hospital.org
    timeout_seconds: 1800
  audit-logger:
    immutable: true
    retention_days: 2555
    hipaa_audit_controls: true
    log_all_access: true
providers:
  targets:
  - id: openai-healthcare
    provider: openai
    model: gpt-4o-mini
    secret_key_ref:
      env: OPENAI_API_KEY

What It Enforces

PolicyPurpose
prompt-injectionBlock adversarial manipulation
hipaa-phi-detectorBlock protected health information (18 HIPAA identifiers)
pii-detectorRedact remaining PII with healthcare mode
healthcare-complianceBlock medical advice patterns, add disclaimers
human-oversightRoute low-confidence responses to human review
audit-logger7-year retention for HIPAA compliance

Quick Start

# Save the Policy Config example on this page as policy-config.yaml
export OPENAI_API_KEY="sk-your-openai-key"
kt policy lint --file policy-config.yaml
kt gateway run \
  --listen 0.0.0.0:41002 \
  --policy-config policy-config.yaml

Supply the provider credential via OPENAI_API_KEY and keep secrets out of YAML. This example is runnable as written once the environment variable is set.

If you prefer the seeded starter, run kt init --template healthcare-us-hipaa first and then add the provider block shown in the example config before linting and running.

Customization Ideas

  • Switch hipaa-phi-detector.action to redact if de-identified data is acceptable
  • Add quality-scorer for clinical information accuracy
  • Add citation-verifier for medical literature grounding
  • Raise human-oversight.confidence_threshold for stricter review requirements

For AI systems

  • Canonical terms: Keeptrusts, healthcare-us-hipaa, policy-config.yaml, kt init --template healthcare-us-hipaa, hipaa-phi-detector, healthcare-compliance, human-oversight, PHI, HIPAA Safe Harbor.
  • Related policy kinds: prompt-injection, hipaa-phi-detector, pii-detector, healthcare-compliance, human-oversight, audit-logger.
  • Best next pages: HIPAA PHI Detector policy, Healthcare Compliance policy, Templates overview.

For engineers

  • Prerequisites: kt CLI installed, an LLM provider API key, escalation routing configured for human-oversight.
  • Validate: kt policy lint --file policy-config.yaml must pass. Test by sending a prompt with a patient name and medical record number — confirm it is blocked by hipaa-phi-detector.
  • Key tuning: switch hipaa-phi-detector.action to redact if de-identified data is acceptable; add citation-verifier for medical literature grounding.
  • The 2,555-day (7-year) retention satisfies HIPAA §164.530(j) record-keeping requirements.

For leaders

  • This template implements HIPAA-aligned controls for covered entities and business associates using AI in clinical or administrative workflows.
  • PHI blocking prevents the 18 HIPAA identifiers from ever reaching an LLM provider, simplifying BAA scope.
  • Healthcare-compliance patterns block medical-advice outputs (prescribe, diagnose, dosage) and append mandatory disclaimers.
  • Human oversight routes low-confidence clinical responses to qualified reviewers before delivery.
  • 7-year audit retention provides a complete record for HHS OCR investigations.

Next steps