Towards a HIPAA Compliant Agentic AI System in Healthcare
Subash Neupane, Sudip Mittal, Shahram Rahimi
TL;DR
The paper tackles the regulatory challenge of deploying autonomous agentic AI in healthcare under HIPAA. It proposes a HIPAA-compliant framework that combines Attribute-Based Access Control (ABAC), a hybrid PHI sanitization pipeline, and immutable audit trails to enforce data governance throughout AI-driven clinical workflows. Key contributions include the integration of ABAC with dynamic policy enforcement, a PHI redaction strategy combining rule-based and model-based techniques, and an auditable, retention-compliant logging system. The work demonstrates preliminary PHI detection/sanitization performance and policy enforcement efficiency on MIMIC-IV data, highlighting the potential for safer, compliant AI-assisted healthcare operations.
Abstract
Agentic AI systems powered by Large Language Models (LLMs) as their foundational reasoning engine, are transforming clinical workflows such as medical report generation and clinical summarization by autonomously analyzing sensitive healthcare data and executing decisions with minimal human oversight. However, their adoption demands strict compliance with regulatory frameworks such as Health Insurance Portability and Accountability Act (HIPAA), particularly when handling Protected Health Information (PHI). This work-in-progress paper introduces a HIPAA-compliant Agentic AI framework that enforces regulatory compliance through dynamic, context-aware policy enforcement. Our framework integrates three core mechanisms: (1) Attribute-Based Access Control (ABAC) for granular PHI governance, (2) a hybrid PHI sanitization pipeline combining regex patterns and BERT-based model to minimize leakage, and (3) immutable audit trails for compliance verification.