Deploying AI agents in healthcare requires compliance with the Health Insurance Portability and Accountability Act (HIPAA). This checklist covers the 14 governance controls that healthcare organizations must implement before autonomous agents process protected health information (PHI).
Access Controls (Controls 1-3)
1. Minimum Necessary Access
AI agents must be configured to access only the minimum PHI necessary for their assigned task. Governance policy: define per-agent data access scopes. Block agent requests for data categories outside their defined scope.
2. Role-Based Agent Permissions
Different agent types require different PHI access levels. A scheduling agent needs patient name and appointment data. A clinical decision support agent may need diagnosis codes and lab results. Governance policy: implement agent role definitions with explicit PHI category permissions.
3. Authentication and Authorization
Every agent session must be authenticated and authorized before accessing PHI. Governance policy: require API key authentication with per-key scoping. Implement session-level authorization that validates agent permissions before each PHI access.
Audit and Accountability (Controls 4-6)
4. Comprehensive Audit Trails
Every agent access to PHI must be logged with the identity of the agent, the data accessed, the timestamp, and the purpose. Governance requirement: cryptographic audit trails with SHA-256 signing and immutable storage.
5. Audit Trail Retention
HIPAA requires a minimum 6-year retention period for audit records. Governance requirement: configure trace retention to 7 years (providing a 1-year buffer). Implement automated retention management with deletion locks.
6. Audit Trail Review
Agent PHI access patterns must be reviewed regularly. Governance requirement: automated anomaly detection on access patterns, a weekly compliance review of flagged sessions, and a quarterly comprehensive audit review.
Data Protection (Controls 7-10)
7. Encryption at Rest
All PHI stored by the governance layer — including audit trails and agent session data — must be encrypted at rest. Governance requirement: AES-256 encryption for all stored data. Customer-managed encryption keys (CMEK) for Enterprise tier.
8. Encryption in Transit
All communication between agents, the governance proxy, and LLM providers must be encrypted. Governance requirement: TLS 1.3 for all network communication. Certificate pinning for LLM provider connections.
9. PHI Detection and Redaction
AI agents must not include PHI in outputs that are not authorized to contain it. Governance requirement: real-time PII/PHI detection on all agent outputs. Automatic redaction of PHI in unauthorized contexts. Block mode for customer-facing outputs.
10. Data Residency
PHI must be stored in approved geographic regions. Governance requirement: configure data residency to approved regions. Ensure all trace data, policy evaluations, and session records remain within the defined data boundary.
Data protection controls (7-10) must be verified before any agent processes PHI. Encryption gaps create HIPAA liability that extends to every executive in the organization.
Human Oversight and Response (Controls 11-14)
11. Human Intervention Capability
Authorized personnel must be able to intervene in agent sessions processing PHI. Governance requirement: Pause & Pivot capability enabled for all healthcare agents. Intervention authority mapped to clinical and compliance roles.
12. Breach Response
Procedures must be in place for responding to potential PHI exposure by AI agents. Governance requirement: automated detection of potential PHI exposure events, immediate agent session suspension on detection, and notification to the privacy officer within 1 hour.
13. Business Associate Agreement
The governance platform provider must execute a BAA if it processes PHI. Governance requirement: confirm BAA availability and execution before deployment. Ensure BAA covers all PHI processing by the governance layer.
14. Compliance Export Capability
Audit trails must be exportable in formats suitable for HIPAA compliance reviews and breach investigations. Governance requirement: on-demand compliance export in standard formats. Filterable by agent, patient, date range, and access type. Cryptographic integrity verification on exports.
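A sketch of how the audit trail in control 4 and the export integrity check in control 14 can fit together. This is an added example, not code from any governance platform. It assumes the "SHA-256 signing" is done as a SHA-256 hash chain with an HMAC-SHA-256 tag per record, and the names `append_entry`, `verify_export` and `expected_head` are hypothetical.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # prev_hash value for the first record in a chain

def _canonical(body: dict) -> bytes:
    # Sorted keys and fixed separators so a record always serializes identically.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def append_entry(log, key, agent_id, data_accessed, timestamp, purpose):
    """Append one PHI-access record, chained to the previous record's hash."""
    body = {
        "seq": len(log),
        "agent_id": agent_id,
        "data_accessed": data_accessed,  # a category or record reference, not PHI values
        "timestamp": timestamp,
        "purpose": purpose,
        "prev_hash": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry_hash = hashlib.sha256(_canonical(body)).hexdigest()
    # Assumption: "signing" is an HMAC-SHA-256 under a key the agents never hold.
    mac = hmac.new(key, entry_hash.encode(), hashlib.sha256).hexdigest()
    log.append({**body, "entry_hash": entry_hash, "mac": mac})
    return log[-1]

def verify_export(entries, key, expected_head=None):
    """Return (seq, problem) findings for an exported trail; empty list means intact."""
    findings, prev = [], GENESIS
    for i, e in enumerate(entries):
        body = {k: v for k, v in e.items() if k not in ("entry_hash", "mac")}
        digest = hashlib.sha256(_canonical(body)).hexdigest()
        mac = hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()
        if e.get("seq") != i or e.get("prev_hash") != prev:
            findings.append((i, "chain break: record removed, inserted or reordered"))
        if digest != e.get("entry_hash"):
            findings.append((i, "record fields changed after logging"))
        elif not hmac.compare_digest(mac, e.get("mac", "")):
            findings.append((i, "MAC mismatch: not produced with the audit key"))
        prev = e.get("entry_hash")
    # A chain cannot show a cut-off tail; compare with a head hash kept outside the log.
    if expected_head is not None and prev != expected_head:
        findings.append((len(entries), "tail truncated or head hash mismatch"))
    return findings

# Constructed sample trail; the key, agent name and record reference are made up.
SAMPLE_KEY = b"constructed-demo-key"
SAMPLE_LOG = []
append_entry(SAMPLE_LOG, SAMPLE_KEY, "scheduling-agent", "appointment:rec-17",
             "2025-01-01T09:00:00Z", "scheduling")
```

The head hash passed as `expected_head` has to live somewhere the log writer cannot rewrite, otherwise deleting the most recent records goes unnoticed.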
Implementation Priority
Implement controls in this order: access controls first (controls 1-3), data protection next (controls 7-10), audit and accountability (controls 4-6), and human oversight last (controls 11-14). This sequence ensures that the most fundamental protections are in place before agents begin processing PHI.