How to Secure AI Agents in Healthcare Applications
AI agents in healthcare access protected health information (PHI), interact with electronic health record (EHR) systems, and generate clinical summaries. Any unauthorized access or disclosure can violate HIPAA and erode patient trust. SafeClaw by Authensor enforces deny-by-default policies on every action your healthcare AI agent attempts, so PHI is accessed only when a rule authorizes it, clinical data stays inside your perimeter, and every action is recorded in a hash-chained audit trail that supports HIPAA audit-control requirements. Policy evaluation completes in under a millisecond, adding negligible latency to clinical workflows.
Quick Start
npx @authensor/safeclaw
Creates a .safeclaw/ directory with deny-all defaults. Your healthcare agent has zero access to patient data or clinical systems until you define explicit allow rules.
HIPAA Compliance Through Policy
HIPAA's Privacy Rule sets the minimum necessary standard (§164.502(b)): an agent should access only the PHI a specific task requires. SafeClaw enforces this at the action level, matching each attempted query against explicit allow and deny rules:
# .safeclaw/policies/healthcare-agent.yaml
rules:
  - id: allow-read-appointment-schedule
    action: database.query
    effect: allow
    conditions:
      query:
        pattern: "SELECT patient_id, appointment_time, provider_id, status FROM appointments*"
    reason: "Agent can read appointment metadata for scheduling"
  - id: block-clinical-notes-read
    action: database.query
    effect: deny
    conditions:
      query:
        pattern: "*FROM {clinical_notes,diagnoses,prescriptions,lab_results}*"
    reason: "Clinical data requires elevated authorization"
  - id: block-bulk-patient-queries
    action: database.query
    effect: deny
    conditions:
      query:
        pattern: "SELECT*FROM patients*"
        not_pattern: "*WHERE patient_id*LIMIT 1*"
    reason: "Only single-patient lookups with explicit ID are allowed"
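The three rules above match glob patterns against the raw SQL text the agent submits, so it is worth seeing what a text pattern does and does not catch. The following is an added example in Python, not SafeClaw's own matcher: it assumes a policy hook that receives the agent's SQL string and returns an allow/deny decision, applies the bulk-query pattern from the policy as a plain glob to a few constructed queries, and then shows the alternative of normalising the query (comments, identifier quoting, whitespace, case) and matching one narrow allow rule, leaving everything else to the deny-by-default floor. The sample queries, the normaliser and the allow regex are all assumptions made for illustration.

```python
"""Text-pattern deny rules on SQL versus a normalised allow rule.

Added example, not SafeClaw code. Assumes a policy hook that is handed the
raw SQL string; table and column names are the ones used on this page.
"""
import re
from fnmatch import fnmatchcase

# The page's deny pattern, applied here with plain glob semantics (assumption).
BULK_DENY_GLOB = "SELECT*FROM patients*"

# Constructed queries an agent might emit; not captured traffic.
SAMPLES = {
    "canonical_bulk":  "SELECT * FROM patients",
    "lowercase_bulk":  "select * from patients",
    "newline_bulk":    "SELECT *\nFROM\npatients",
    "schema_prefixed": "SELECT * FROM public.patients",
    "quoted_ident":    'SELECT * FROM "patients"',
    "single_lookup":   "SELECT name, dob FROM patients WHERE patient_id = 42 LIMIT 1",
    "clinical_join":   "SELECT n.text FROM patients p JOIN clinical_notes n "
                       "ON n.patient_id = p.patient_id WHERE p.patient_id = 42 LIMIT 1",
}

def naive_glob_denies(sql: str) -> bool:
    """What a raw-text glob deny rule sees: the literal string, nothing else."""
    return fnmatchcase(sql, BULK_DENY_GLOB)

_COMMENT_RE = re.compile(r"/\*.*?\*/|--[^\n]*", re.S)

def normalize_sql(sql: str) -> str:
    """Canonicalise before any pattern is applied: drop comments and
    identifier quotes, pad punctuation, collapse whitespace, upper-case.
    Case, spacing and comment tricks all collapse to one form."""
    sql = _COMMENT_RE.sub(" ", sql)
    sql = sql.replace('"', "").replace("`", "")
    sql = re.sub(r"([*,()=;])", r" \1 ", sql)
    sql = re.sub(r"\s+", " ", sql).strip()
    return sql.upper()

CLINICAL_TABLES = {"CLINICAL_NOTES", "DIAGNOSES", "PRESCRIPTIONS", "LAB_RESULTS"}

# Allow rule: one SELECT over patients, explicit id, LIMIT 1, nothing else.
_SINGLE_PATIENT_RE = re.compile(
    r"SELECT (?:\*|[A-Z_][A-Z0-9_]*(?: , [A-Z_][A-Z0-9_]*)*) "
    r"FROM PATIENTS WHERE PATIENT_ID = \d+ LIMIT 1(?: ;)?"
)

def evaluate(sql: str) -> tuple:
    """Deny-by-default decision over the normalised query: (effect, reason)."""
    norm = normalize_sql(sql)
    tokens = set(re.findall(r"[A-Z_][A-Z0-9_]*", norm))
    if tokens & CLINICAL_TABLES:
        return "deny", "clinical table referenced"
    if _SINGLE_PATIENT_RE.fullmatch(norm):
        return "allow", "single-patient lookup"
    return "deny", "no allow rule matched"

if __name__ == "__main__":
    for name, sql in SAMPLES.items():
        print(f"{name:16} glob-deny={naive_glob_denies(sql)!s:5} allowlist={evaluate(sql)}")
```

The point is the direction of the rule: a deny rule on raw text is only as good as the variants its author anticipated (lower-case keywords, a schema prefix, a quoted identifier each slip past the glob), whereas a narrow allow rule plus deny-by-default fails closed on anything unexpected. For a production gate, prefer a real SQL parser to regexes, or better, expose the agent a parameterised lookup API so it never composes SQL at all.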
Patient Data Protection
Prevent PHI from leaving your controlled environment:
rules:
  - id: block-external-network
    action: network.request
    effect: deny
    conditions:
      destination:
        not_pattern: "*{.hospital.internal,.ehr-vendor.com}"
    reason: "PHI cannot be transmitted outside approved endpoints"
  - id: block-phi-in-responses
    action: response.send
    effect: deny
    conditions:
      content:
        matches: "(\\b\\d{3}-\\d{2}-\\d{4}\\b|MRN:\\s\\d+|DOB:\\s\\d{2}/\\d{2}/\\d{4})"
    reason: "Block responses containing SSN, MRN, or DOB patterns"
  - id: block-file-export
    action: file.write
    effect: deny
    conditions:
      path:
        pattern: "{/tmp/*,~/Downloads/*,/export/*}"
    reason: "PHI cannot be written to export or temp directories"
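The block-phi-in-responses regex is a useful backstop but a narrow one: `\s` demands exactly one whitespace character after MRN: and DOB:, and only one date layout is recognised. The code below is an added example in Python, not part of SafeClaw, that runs that pattern over constructed response fragments to show what it misses, then a broadened pattern that accepts flexible separators, ISO-style dates and MRNs written without a space, and excludes SSN area, group and serial values the Social Security Administration never issues. The fragments and the hardened regex are assumptions for illustration, not a complete PHI detector.

```python
"""Testing a PHI-in-response regex against realistic fragments.

Added example, not SafeClaw code. PAGE_PATTERN is the policy's regex with
the YAML escaping removed; HARDENED_PATTERN is an assumption showing one
way to widen it. All sample text is constructed.
"""
import re

PAGE_PATTERN = re.compile(
    r"(\b\d{3}-\d{2}-\d{4}\b|MRN:\s\d+|DOB:\s\d{2}/\d{2}/\d{4})"
)

HARDENED_PATTERN = re.compile(
    # SSN: optional '-' or ' ' separators; area 000/666/9xx, group 00 and
    # serial 0000 are never assigned, so they are excluded to cut false positives.
    r"\b(?!000|666|9\d{2})\d{3}[- ]?(?!00)\d{2}[- ]?(?!0000)\d{4}\b"
    # MRN with optional ':' or '#', any amount of whitespace, at least five digits.
    r"|\bMRN\s*[:#]?\s*\d{5,}"
    # DOB as MM/DD/YYYY, M-D-YY and ISO YYYY-MM-DD.
    r"|\bDOB\s*:?\s*(?:\d{1,2}[/-]\d{1,2}[/-]\d{2,4}|\d{4}-\d{2}-\d{2})",
    re.I,
)

# Constructed fragments an agent might place in a reply; none is real data.
FRAGMENTS = [
    "Patient SSN 123-45-6789 is on file.",
    "Admitted under MRN:123456 this morning.",
    "Chart header: DOB: 1985-03-12, allergies none.",
    "Social 123 45 6789 confirmed by phone.",
    "Test record SSN 000-12-3456 (placeholder).",
    "Next slot is 09:30 in room 204.",
]

def find_phi(text: str, pattern: re.Pattern = HARDENED_PATTERN) -> list:
    """Return every substring the pattern flags, in order of appearance."""
    return [m.group(0) for m in pattern.finditer(text)]

def would_block(text: str, pattern: re.Pattern = HARDENED_PATTERN) -> bool:
    """Decision the response.send gate would take for this text."""
    return bool(pattern.search(text))

def compare(fragments=FRAGMENTS) -> list:
    """(fragment, page_hits, hardened_hits) for each fragment, for review."""
    return [(f, find_phi(f, PAGE_PATTERN), find_phi(f)) for f in fragments]

if __name__ == "__main__":
    for fragment, page_hits, hardened_hits in compare():
        print(f"{fragment!r}\n   page: {page_hits}\n   hardened: {hardened_hits}")
```

Two things to take from the comparison: a response-content regex catches formatting an author anticipated and nothing else, so treat it as the last layer behind the query and network rules rather than the primary control; and every widening trades recall for false positives (a nine-digit order number now looks like an SSN), so keep a log of what the rule blocked and tune it against real traffic.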
EHR Interaction Gating
Gate what your agent can do within the EHR system:
rules:
  - id: allow-read-patient-summary
    action: api.call
    effect: allow
    conditions:
      endpoint:
        pattern: "/fhir/Patient/*/summary*"
        method: "GET"
    reason: "Agent can read patient summaries via FHIR"
  - id: block-fhir-writes
    action: api.call
    effect: deny
    conditions:
      endpoint:
        pattern: "/fhir/*"
        method: "{POST,PUT,PATCH,DELETE}"
    reason: "Agent cannot modify clinical records"
  - id: block-medication-orders
    action: api.call
    effect: deny
    conditions:
      endpoint:
        pattern: "/orders/medications"
    reason: "Medication orders require clinician authorization"
Action Logging for HIPAA Audits
SafeClaw's hash-chained audit trail provides the tamper-evident access log that HIPAA's audit-control requirements call for:
# .safeclaw/config.yaml
audit:
  enabled: true
  hashChain: true
  retention: "6y"   # matches the six-year documentation retention period in §164.316(b)(2)
  fields:
    - timestamp
    - action
    - effect
    - agentId
    - userId        # The clinician who initiated the agent
    - patientId     # Track which patient's data was accessed
    - policyRuleId
    - reason
Every access attempt, allowed or denied, is logged with a hash that links it to the previous entry, so after-the-fact edits are detectable. This supports the HIPAA Security Rule's audit controls standard (§164.312(b)) and provides evidence for breach investigations. Note that the log records patientId, so the audit trail is itself PHI and must be protected with the same access controls and retention discipline as the data it describes.
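What "hash-chained" buys you is worth seeing concretely. Below is an added example in Python, not SafeClaw's own log format, that appends records carrying the fields configured above, links each record to its predecessor by SHA-256, verifies the chain, and shows the two properties a practitioner should know: editing any field invalidates that record's hash, and recomputing the hash to hide the edit breaks the next record's link, but silently truncating the tail is not detected by the chain alone. Field values are constructed and the record layout is an assumption.

```python
"""Hash-chained audit records: added example, not SafeClaw's log format.

Each record carries the configured fields plus prevHash (the previous
record's hash) and hash (SHA-256 over the canonical JSON of the record
without its own hash). All field values below are constructed.
"""
import copy
import hashlib
import json

GENESIS = "0" * 64  # prevHash of the first record (assumption)

def _canonical(record: dict) -> bytes:
    # Sorted keys and no whitespace so the same record always hashes the same.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def _digest(record_without_hash: dict) -> str:
    return hashlib.sha256(_canonical(record_without_hash)).hexdigest()

def append(log: list, entry: dict) -> dict:
    """Link entry to the current head of the chain and append it."""
    prev = log[-1]["hash"] if log else GENESIS
    record = {**entry, "prevHash": prev}
    record["hash"] = _digest(record)
    log.append(record)
    return record

def verify(log: list) -> tuple:
    """Return (True, len(log)) if every link holds, else (False, index of
    the first record whose hash or prevHash does not check out)."""
    prev = GENESIS
    for i, rec in enumerate(log):
        body = {k: v for k, v in rec.items() if k != "hash"}
        if body.get("prevHash") != prev or _digest(body) != rec.get("hash"):
            return False, i
        prev = rec["hash"]
    return True, len(log)

def build_sample_log() -> list:
    """Three constructed access events using the fields from config.yaml."""
    log = []
    events = [
        ("2024-05-01T09:12:03Z", "database.query", "allow", None,
         "allow-read-appointment-schedule", "Agent can read appointment metadata for scheduling"),
        ("2024-05-01T09:12:05Z", "api.call", "allow", "P-1001",
         "allow-read-patient-summary", "Agent can read patient summaries via FHIR"),
        ("2024-05-01T09:12:09Z", "api.call", "deny", "P-1001",
         "block-fhir-writes", "Agent cannot modify clinical records"),
    ]
    for ts, action, effect, patient, rule, reason in events:
        append(log, {"timestamp": ts, "action": action, "effect": effect,
                     "agentId": "scheduler-agent-01", "userId": "dr.example",
                     "patientId": patient, "policyRuleId": rule, "reason": reason})
    return log

def tamper(log: list, index: int, field: str, value, rehash: bool = False) -> list:
    """Copy of log with one field rewritten after the fact. With rehash=True
    the forger also recomputes that record's hash, which only moves the
    break to the next record's prevHash."""
    forged = copy.deepcopy(log)
    forged[index][field] = value
    if rehash:
        body = {k: v for k, v in forged[index].items() if k != "hash"}
        forged[index]["hash"] = _digest(body)
    return forged

if __name__ == "__main__":
    log = build_sample_log()
    print("intact:    ", verify(log))
    print("edited:    ", verify(tamper(log, 1, "patientId", "P-2002")))
    print("rehashed:  ", verify(tamper(log, 1, "patientId", "P-2002", rehash=True)))
    print("truncated: ", verify(log[:-1]))
```

The truncation case is the one to plan for: the chain proves nothing about records that were removed from its end, so the current head hash has to be anchored on a schedule somewhere the agent host cannot rewrite (write-once storage, a signed timestamp, or a separate log service), and the verifier should compare against that anchor rather than trusting the log's own tail.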
Why SafeClaw
- 446 tests covering healthcare-specific policy patterns and edge cases
- Deny-by-default — zero PHI access until explicitly and narrowly permitted
- Sub-millisecond evaluation — no impact on clinical workflow responsiveness
- Hash-chained audit trail — tamper-evident logging that supports HIPAA audit requirements
- Works with Claude AND OpenAI — consistent PHI protections regardless of LLM provider
Cross-References
- HIPAA Agent Safeguards
- Healthcare Agent Controls
- How to Audit AI Agent Actions
- Defense in Depth for Agents
Try SafeClaw
Action-level gating for AI agents. Set it up in your browser in 60 seconds.
$ npx @authensor/safeclaw