
The Baseline

HIPAA requires safeguards for PHI. AI agents that see, store, or generate from PHI require BAAs with all sub-processors. Salesforce Einstein Trust Layer covers some of this; external LLMs need specific BAAs.

A Business Associate Agreement is required with every entity that creates, receives, maintains, or transmits PHI on the covered entity’s behalf. Salesforce signs BAAs for Health Cloud, Data Cloud, and Einstein with the Trust Layer enabled. Anthropic offers HIPAA-eligible BAAs on Claude in Bedrock and Vertex AI; OpenAI signs BAAs on Azure OpenAI and via direct enterprise agreements; Google Vertex AI signs BAAs for Gemini in HIPAA-aligned projects. The HHS proposed Security Rule update (early 2025) explicitly calls out AI systems for risk-analysis inclusion.

Configuration

Trust Layer PII masking set to PHI-specific patterns. Audit logging on every prompt/response. Retention aligned with HIPAA record retention requirements. Regional processing to stay within US data residency.

Trust Layer settings to verify: Dynamic grounding scoped to records the user can access (FLS enforced). PII detection patterns extended to include MRN, account number, member ID, and procedure codes, because the default ML detector catches names and SSNs but misses healthcare-specific identifiers. Toxicity scoring on. Zero-retention with the LLM provider confirmed in writing. Audit feed wired to Splunk, Sentinel, or Salesforce Shield Event Monitoring with 6-year retention to match HIPAA’s documentation requirement.

De-Identification

Where possible, de-identify before sending to the LLM. The Safe Harbor method (18 identifiers removed) strips most risk. When de-identification isn’t possible, ensure the full BAA chain and audit trail.

Safe Harbor de-identification (45 CFR 164.514(b)(2)) requires removal of all 18 enumerated identifiers and no actual knowledge that re-identification is possible. The Expert Determination method (164.514(b)(1)) allows a statistical expert to certify low re-identification risk — useful when temporal data must be preserved. For agentic workflows, de-identify ingest data before vector embedding wherever the agent doesn’t need the identifier; re-attach identifiers only at the final response layer using a token-mapping table held inside the covered entity’s environment.
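
The token-mapping approach described above, as an added example (not code from this page or from Salesforce): identifiers are swapped for opaque tokens before text is embedded or sent to an LLM, and re-attached only in the final response. The three regex formats and the `TokenVault` class are assumptions for illustration; they cover only a few identifier types and do not by themselves meet Safe Harbor's 18-identifier removal.

```python
import re
import secrets

# Assumed identifier formats (constructed for this example; real MRN and
# member-ID formats vary by organization and must be confirmed locally).
PATTERNS = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "MRN": re.compile(r"\bMRN[:#]?\s*\d{6,10}\b", re.IGNORECASE),
    "MEMBER": re.compile(r"\bMBR-\d{8}\b"),
}
TOKEN_RE = re.compile(r"\[\[(?:SSN|MRN|MEMBER)_[0-9a-f]{8}\]\]")


class TokenVault:
    """Token-mapping table; must stay inside the covered entity's environment."""

    def __init__(self):
        self._by_value = {}  # (kind, raw identifier) -> token
        self._by_token = {}  # token -> raw identifier

    def tokenize(self, text):
        """Replace matched identifiers with stable opaque tokens."""
        for kind, pattern in PATTERNS.items():
            text = pattern.sub(lambda m, k=kind: self._token_for(k, m.group(0)), text)
        return text

    def _token_for(self, kind, value):
        key = (kind, value)
        if key not in self._by_value:  # same identifier always gets the same token
            token = f"[[{kind}_{secrets.token_hex(4)}]]"
            self._by_value[key] = token
            self._by_token[token] = value
        return self._by_value[key]

    def detokenize(self, text):
        """Re-attach identifiers; tokens not in the table are left untouched."""
        return TOKEN_RE.sub(lambda m: self._by_token.get(m.group(0), m.group(0)), text)


def residual_identifiers(text):
    """Return the identifier kinds still present, as a pre-send check."""
    return [kind for kind, p in PATTERNS.items() if p.search(text)]


if __name__ == "__main__":
    note = "Patient MRN: 00482913, member MBR-55501234, SSN 123-45-6789."  # constructed
    vault = TokenVault()
    safe = vault.tokenize(note)
    assert not residual_identifiers(safe)  # gate before embedding or LLM call
    print(safe, vault.detokenize(safe), sep="\n")
```

Because the same identifier always maps to the same token, the agent can still correlate records across chunks without ever seeing the raw value.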

Agent Design

Human-in-loop for clinical decisions always. Agents assist; clinicians decide. Agent drafts can be summaries, suggestions, reminders — not diagnoses or treatment plans. Document the human oversight.

The FDA’s 2024 final guidance on Clinical Decision Support clarifies which AI outputs constitute regulated medical devices. Summaries, scheduling, prior-auth drafting, and patient outreach typically stay non-device. Anything offering specific diagnostic or treatment recommendations crosses into device territory and requires 510(k) or De Novo clearance. Document oversight in the patient record: which AI-generated content was reviewed, by whom, with what edits.

Common Failure Modes

PHI leaking into prompt logs that aren’t covered by the LLM’s BAA scope. Voice agents recording conversations to non-BAA transcription services. Vector databases storing embeddings of PHI without safeguards equivalent to those on primary stores. Test environments populated with real PHI to “see how it works”, which is itself a breach.

What to Do This Week

Confirm a current BAA on file with every LLM, vector DB, and observability vendor in your Health Cloud AI stack, and route the list to your Privacy Officer.
