A HIPAA-Compliant Architecture for Agentic Clinical AI Systems
Himanshu Tripathi (The University of Alabama), Subash Neupane (Meharry Medical College), Sudip Mittal (The University of Alabama), Shahram Rahimi (University of Alabama), Vibhuti Gupta (University of Texas Medical Branch)
Security & Privacy
Abstract
Agentic AI systems powered by Large Language Models (LLMs) are transforming clinical workflows, yet their autonomous handling of Protected Health Information (PHI) creates critical HIPAA compliance vulnerabilities that existing frameworks fail to address. This pa- per introduces a HIPAA-compliant Agentic AI framework enforcing regulatory compliance through three core mechanisms: Attribute- Based Access Control for dynamic PHI governance, a hybrid regex and BERT-based sanitization pipeline delivering defense-in-depth redaction across pre and post-inference stages, and immutable audit trails for compliance verification. We evaluate end-to-end system effectiveness on MIMIC-IV discharge summaries across 107,800 runs, measuring policy-consistent PHI exposure, residual leakage, and clinical utility under multiple authorization settings and ablations. The results show that layered governance substantially reduces PHI exposure while preserving utility for authorized roles, and remains resilient under prompt-injection stress tests.
