⚠️ This overlay is a framework operationalization, not legal advice. HIPAA + HITECH are complex regulations with state-law overlays (e.g., California CMIA, Texas HB 300). Your HIPAA Privacy Officer and General Counsel must validate scope and obligations for your company.
1. When this overlay applies
Apply this overlay per-agent (not necessarily program-wide) if any of the following is true for the agent:
- The agent processes, transmits, stores, or otherwise comes into contact with Protected Health Information (PHI) as defined under HIPAA
- The agent's output influences treatment, payment, or healthcare operations for an identifiable individual
- The agent operates within a covered entity's PHI-handling workflow (even tangentially — e.g., scheduling, billing, prior authorization)
- The company is a business associate of a covered entity, and the agent is part of the service provided
- The agent transmits data to or receives data from a covered entity over an electronic interface
Key definition reminders:
- PHI is any individually identifiable health information held or transmitted by a covered entity or business associate, in any form (electronic, paper, oral).
- De-identified data (per Safe Harbor or Expert Determination) is not PHI and is out of scope for HIPAA.
- Limited Data Sets (specific identifiers stripped) are still PHI but allowable for research / public health under a Data Use Agreement.
2. Regulatory references
| Citation | Subject | Applies to |
|---|---|---|
| 45 CFR §164.502 | Uses and disclosures of PHI — general | All PHI handling |
| 45 CFR §164.504(e) | Business Associate Agreements (BAA) requirements | When using a business associate |
| 45 CFR §164.514 | De-identification (Safe Harbor + Expert Determination) | When working with non-PHI data |
| 45 CFR §164.530 | Privacy Officer designation; workforce training | Program-level |
| 45 CFR §164.308 | Administrative safeguards | Security Rule |
| 45 CFR §164.310 | Physical safeguards | Security Rule |
| 45 CFR §164.312 | Technical safeguards (access controls, audit, integrity, transmission security) | Security Rule |
| 45 CFR §164.400–414 | Breach Notification Rule (HITECH) | All breaches of unsecured PHI |
| 45 CFR §164.522 | Right to request restrictions; right to confidential communications | Patient rights |
| 45 CFR §164.524 | Right of access to PHI | Patient rights |
| 45 CFR §164.526 | Right to amendment | Patient rights |
| 45 CFR §164.528 | Accounting of disclosures | Patient rights |
3. Minimum Necessary Standard (load-bearing for AI agents)
45 CFR §164.502(b): use, disclosure, or request of PHI must be limited to the minimum amount of PHI required to accomplish the intended purpose.
For AI agents, this translates to:
- The agent must access only the specific PHI fields required for its task — not entire patient records
- Prompt + context engineering must filter PHI to only what's needed before sending to any LLM
- Output should not include PHI beyond what the receiving human or system needs
- Logs and audit trails must redact PHI where the field is not necessary for log purposes
Practical implications: the Agent Card §5 (Inputs / data sources) must be explicit about which PHI fields the agent accesses and why minimum-necessary holds.
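One way to enforce the field-level scoping and log redaction described above, as an added example (not part of the framework's own templates). The Agent Card structure, field names, agent ID, and sample record are all hypothetical and constructed for illustration.

```python
import json
from datetime import datetime, timezone

# Hypothetical Agent Card section 5 declaration (constructed for this example):
# each permitted PHI field maps to (PHI category, minimum-necessary reason).
AGENT_CARD_S5 = {
    "agent_id": "scheduling-agent",
    "phi_fields": {
        "patient_name": ("Demographics", "address the patient in the reminder"),
        "appointment_time": ("Other", "content of the reminder"),
    },
}

# Constructed sample record; not real patient data.
SAMPLE_RECORD = {
    "patient_name": "Jane Example", "dob": "1970-01-01",
    "diagnoses": ["E11.9"], "medications": ["metformin"],
    "appointment_time": "2030-05-01T09:30",
}


def minimum_necessary(record, card, requested):
    """Return only requested fields that section 5 declares; fail closed otherwise."""
    undeclared = sorted(set(requested) - set(card["phi_fields"]))
    if undeclared:
        # Scope creep surfaces as an error instead of a silently wider prompt.
        raise PermissionError(f"not declared in Agent Card section 5: {undeclared}")
    return {f: record[f] for f in requested if f in record}


def audit_entry(card, context, now=None):
    """Record who accessed which PHI fields and categories, and when; never values."""
    now = now or datetime.now(timezone.utc)
    fields = sorted(context)
    return json.dumps({
        "ts": now.isoformat(),
        "agent_id": card["agent_id"],
        "phi_fields": fields,
        "phi_categories": sorted({card["phi_fields"][f][0] for f in fields}),
    })


def build_prompt(record, card, requested):
    """Filter PHI before it reaches the LLM and emit the matching audit line."""
    context = minimum_necessary(record, card, requested)
    prompt = "Write an appointment reminder using: " + json.dumps(context, sort_keys=True)
    return prompt, audit_entry(card, context)
```

The filter is an allowlist keyed to the Agent Card, so a new PHI field cannot reach the prompt until the card (and its minimum-necessary justification) is updated.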
4. Additions to each core template
templates/01-risk-appetite.md (Risk Appetite Statement)
Add to Section 4 (Data classifications AI may access):
PHI: AI may access PHI only when (1) the agent is operating under a valid BAA with all sub-processors, (2) minimum-necessary scoping is enforced at the Agent Card level, (3) the agent's tier is automatically Medium or High, and (4) the HIPAA Privacy Officer has signed the Agent Card. PHI is never used as training data for any commercial LLM unless the LLM provider has signed a BAA AND opt-in is explicit.
Add to Section 5 (Jurisdictions in scope):
HIPAA applies. [Company] is a [covered entity / business associate]. State-specific overlays may also apply (e.g., California CMIA, Texas HB 300). Track these separately.
Add to Section 7 (Autonomy):
No agent processing PHI is approved for Stage 3 autonomous operation under this risk appetite. Stage 2 (validated) is the maximum, with mandatory HITL on any patient-affecting output.
templates/02-intake-form.md (Intake Form)
Add to Section 6 (Data the agent will see):
PHI check:
- Does the agent see PHI? [Yes / No / Unsure — escalate to Privacy Officer before proceeding]
- If Yes, which categories: [Demographics / Diagnoses / Medications / Lab results / Provider notes / Imaging / Billing / Other (specify)]
- Is the PHI de-identified before agent processing? [Yes — under §164.514 / No]
- Minimum-necessary analysis attached? [Yes — link / Not yet]
If PHI = Yes, the agent is automatically Medium tier at minimum. If the agent sees PHI and makes decisions affecting treatment, it is automatically High tier.
templates/03-agent-card.md (Agent Card)
Add new section after §13:
### §15 — HIPAA compliance map
| Requirement | Evidence in this Agent Card |
|---|---|
| Minimum-necessary scoping (§164.502(b)) | §5 explicitly lists which PHI fields agent accesses + minimum-necessary justification |
| Access controls (§164.312(a)) | §8 identity + least-privilege scoping; agent identity in IdP with PHI-access role explicitly granted |
| Audit controls (§164.312(b)) | §11 observability — every PHI access logged with user/agent identity + timestamp + accessed PHI category |
| Integrity (§164.312(c)) | §10 failure modes documented; output validation prevents PHI alteration |
| Transmission security (§164.312(e)) | §6 — all PHI transmission over TLS; LLM provider under BAA |
| Workforce training (§164.530(b)) | Champion + on-call have completed HIPAA training; named in §8 + runbook §7 |
| Privacy Officer review | Privacy Officer signature in §sign-off |
### §16 — BAA chain
| Sub-processor | BAA in place? | BAA effective date | Scope |
|---|---|---|---|
| [LLM provider, e.g., Anthropic for healthcare tier] | [Yes — date / No — DO NOT USE FOR PHI] | | [Specific to AI use] |
| [Observability provider] | [Yes / No — DO NOT USE FOR PHI logs] | | |
| [Vector store provider] | [Yes / No] | | |
templates/04-responsible-ai-checklist.md (RAI Checklist)
For HIPAA-scope agents, items 2 (Privacy / PII) and 9 (Audit retention) have stricter thresholds:
- Item 2: PHI redaction in logs is mandatory (not best-effort). Deletion path must comply with §164.526 (right to amendment) where applicable.
- Item 9: Minimum 6 years retention from creation date or last effective date (§164.530(j)). Some states require longer.
Add new item 11:
| 11 | HIPAA Privacy Officer reviewed and signed | [✅ / ❌] | [Signature evidence] |
templates/05-threat-model.md (Threat Model)
Section 6 (DLP plan) becomes mandatory and must specifically address PHI exfiltration paths. Section 7 must confirm transmission security per §164.312(e).
templates/10-post-mortem.md (Post-Mortem)
Section 9 (Regulatory considerations): the HIPAA Breach Notification Rule must be explicitly considered for every incident involving unauthorized acquisition, access, use, or disclosure of PHI.
Breach Notification timing:
- Notify affected individuals: without unreasonable delay, no later than 60 calendar days after discovery
- Notify HHS: same 60 days for breaches affecting < 500 individuals; without unreasonable delay (max 60 days) for breaches affecting ≥ 500 individuals
- Media notification: required for breaches affecting ≥ 500 individuals in a state/jurisdiction
- Business associates: notify the covered entity (which then notifies individuals)
Section 9 must explicitly document the determination of whether a breach occurred and, if so, the notification timeline.
templates/12-vendor-ai-questionnaire.md (Vendor Questionnaire)
Add a 7th question for any vendor that may process PHI:
### Q7 (HIPAA). Will you sign a Business Associate Agreement (BAA) for this engagement? Which sub-processors will you flow that BAA down to? What is your incident-response timeline for PHI breaches?
templates/13-vendor-contract-clauses.md (Vendor Contract Clauses)
For any vendor processing PHI, append a full BAA (separate document, not just a clause). The BAA must include:
- Permitted uses and disclosures of PHI
- Safeguards (administrative, physical, technical)
- Sub-processor flow-down
- Breach notification timing (no later than 60 days)
- Termination + return/destruction of PHI
- Patient rights flow-through (access, amendment, accounting of disclosures)
5. New evidence artifacts required
When this overlay applies, the program must additionally maintain:
- Business Associate Agreement (BAA) chain — signed BAAs with every sub-processor that touches PHI (LLM provider, observability, vector store, etc.). Tracked in registry per-agent.
- Minimum-necessary analysis — per-agent document showing which PHI fields are accessed and why each is necessary. Required for Agent Card §5.
- Workforce training records — HIPAA training completion for everyone who touches the agent's outputs (Builder, Champion, on-call, pilot users).
- Audit log of PHI access — separate or filterable from general audit logs; retained ≥ 6 years.
- Breach assessment + notification records (if any incident) — formal determination per §164.402.
- Patient rights handling — process for §164.524 (access), §164.526 (amendment), §164.528 (accounting of disclosures) requests that may touch the agent's records.
6. New approver roles
When this overlay applies:
| Decision | Add to approver list |
|---|---|
| Risk appetite (template 01) | HIPAA Privacy Officer signs |
| Any agent processing PHI (M8 approval) | HIPAA Privacy Officer mandatory |
| Vendor onboarding (template 12 + 13) | Privacy Officer + General Counsel must sign BAA before any PHI flow |
| Breach assessment | Privacy Officer + General Counsel + Executive Sponsor |
| Notification decisions (per §164.404) | Privacy Officer + General Counsel + Compliance Officer |
7. Per-agent decision tree
For each new agent, walk this tree at triage (M7):
1. Will the agent process, transmit, store, or come into contact with PHI?
├── YES → continue
└── NO → HIPAA overlay does NOT apply to this agent (but reconfirm at scope changes)
2. Is the PHI de-identified before the agent processes it (per §164.514)?
├── YES → out of HIPAA scope; document the de-identification method
└── NO → continue (PHI status)
3. Are there BAAs in place with every sub-processor (LLM, observability, vector store) that will touch PHI?
├── YES → continue
└── NO → BLOCK until BAAs signed. Do not allow any PHI flow.
4. Has minimum-necessary scoping been documented in Agent Card §5?
├── YES → continue
└── NO → BLOCK until done.
5. Does the agent influence treatment, payment, or operations decisions for an identifiable individual?
├── YES → Automatic High tier. HIPAA Privacy Officer mandatory.
└── NO → Medium tier minimum. HIPAA Privacy Officer still signs.
6. Stage 3 (autonomous operation) requested?
├── YES → REJECT — risk appetite prohibits Stage 3 for PHI-handling agents
└── NO → continue
8. Common pitfalls
| Pitfall | Reality |
|---|---|
| "We use OpenAI/Anthropic which has a BAA" | Only specific tiers / configurations have BAAs. Confirm in writing for your tier and use case. |
| "Our agent only sees names, not full medical records" | Names alone + healthcare context = PHI. Names + provider visits = PHI. |
| "We de-identify the data" | True de-identification requires Safe Harbor (18 specific identifiers stripped) or Expert Determination. Casual masking is not de-identification. |
| "Internal use, no breach risk" | HIPAA applies to internal use. Unauthorized internal access (even by an employee) can be a breach. |
| "We'll add the BAA later" | Without a BAA, ANY PHI flow to that sub-processor is a violation from the first call. |
| "Logs don't contain PHI because we redact" | Redaction must be reliable, tested, and the log retention must still meet 6-year minimum. |
| "60-day breach notification is plenty of time" | "Without unreasonable delay" — start the assessment immediately. State laws may impose shorter clocks (some 30 days). |
| "Minimum necessary is just a guideline" | It's a regulatory requirement. Agent Card §5 must demonstrate compliance. |
9. References
- Primary statutes: 45 CFR Parts 160 and 164
- HHS HIPAA page: hhs.gov/hipaa
- HHS Breach Notification: hhs.gov/hipaa/for-professionals/breach-notification
- HHS BAA sample language: hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions
- OCR (Office for Civil Rights) enforcement portal: hhs.gov/hipaa/for-individuals/complaints
- AHIMA + HIMSS guidance on AI in healthcare (industry, supplemental)
- framework.md §10.2 (3 risk drivers — PHI is a stronger trigger than generic PII)