A HIPAA-Compliant Architecture for Agentic Clinical AI Systems

A framework for HIPAA-compliant agentic clinical AI that enforces PHI governance through attribute-based access control, a hybrid regex-and-BERT redaction pipeline applied at both pre- and post-inference stages, and immutable audit trails. It addresses compliance vulnerabilities that existing LLM frameworks leave unresolved when agents autonomously handle protected health information.

Abstract

Agentic AI systems powered by Large Language Models (LLMs) are transforming clinical workflows, yet their autonomous handling of Protected Health Information (PHI) creates critical HIPAA compliance vulnerabilities that existing frameworks fail to address. This paper introduces a HIPAA-compliant Agentic AI framework enforcing regulatory compliance through three core mechanisms: Attribute- Based Access Control for dynamic PHI governance, a hybrid regex and BERT-based sanitization pipeline delivering defense-in-depth redaction across pre and post-inference stages, and immutable audit trails for compliance verification. We evaluate end-to-end system effectiveness on MIMIC-IV discharge summaries across 107,800 runs, measuring policy-consistent PHI exposure, residual leakage, and clinical utility under multiple authorization settings and ablations. The results show that layered governance substantially reduces PHI exposure while preserving utility for authorized roles, and remains resilient under prompt-injection stress tests.