HIPAA and AI Agents: PHI, Minimum Necessary, and Approval Gates

· 4 min read
David Sanker
Lawyer, Legal Knowledge Engineer & UAPK Inventor

HIPAA was written in 1996. AI agents weren't part of the threat model. But the obligations translate directly: any AI agent that accesses, uses, or discloses Protected Health Information (PHI) is subject to the same rules as any other HIPAA-covered entity or business associate.

That means the clinical documentation AI, the patient communication bot, the diagnostic support tool, the prior authorization agent — all of them need HIPAA controls built in at the infrastructure level, not just the application level.

The Three Requirements That Trip Up AI Teams

Minimum Necessary Standard (§164.502(b))

A covered entity may only use or disclose the minimum amount of PHI necessary to accomplish the intended purpose. For an AI agent, this means:

  • The agent should not request more patient fields than it needs for the task
  • Each action should be scoped to the specific PHI required
  • The agent should not store or log PHI beyond what's needed for the operation

In practice: if your clinical documentation agent needs a patient's diagnosis to draft a discharge summary, it should request diagnosis — not full_medical_record. The manifest's capability declarations enforce this. An agent declared with ["data:read"] that requests a PHI field outside its documented scope gets denied at the gateway before the data is ever fetched.

Business Associate Agreements

Any vendor that creates, receives, maintains, or transmits PHI on your behalf is a Business Associate and must sign a BAA. This includes your AI infrastructure provider. Cloud-hosted AI governance platforms that see PHI as it passes through the policy check need BAAs.

UAPK Gateway can be self-hosted — the PHI never leaves your environment. For organizations where data residency is non-negotiable (VA, hospital systems with strict procurement requirements), this matters.

Audit Controls (§164.312(b))

You must implement hardware, software, and/or procedural mechanisms to record and examine activity in systems that contain or use PHI. HIPAA doesn't specify what "sufficient" audit logging means — but OCR enforcement actions have repeatedly cited inadequate logging as an aggravating factor.

The standard that has emerged in enforcement: you should be able to reconstruct what happened to any specific PHI record: who accessed it, when, why, and what the outcome was.

The UAPK Manifest for a HIPAA-Covered Agent

A healthcare AI agent's manifest needs to be explicit about PHI handling:

{
  "constraints": {
    "require_human_approval": ["data:write", "phi:disclose"],
    "audit_retention_days": 2555
  },
  "policy": {
    "jurisdiction_allowlist": ["US"],
    "counterparty_allowlist": ["ehr-vendor-with-baa.example", "lab-partner-with-baa.example"],
    "require_capability_token": true
  }
}

Breaking this down:

  • require_human_approval on data:write and phi:disclose — no PHI modification or disclosure without a human approver
  • audit_retention_days: 2555 — HIPAA requires 6 years from creation or last effective date; 2555 days is 7 years to be safe
  • jurisdiction_allowlist: ["US"] — prevents the agent from sending PHI to non-US counterparties (international data transfers of PHI have their own requirements)
  • counterparty_allowlist — only counterparties with BAAs can receive PHI; the gateway denies requests to non-listed recipients before the data moves
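To make the gateway behaviour concrete for both the minimum-necessary check and the manifest constraints above, here is an added example (not UAPK's own code) of a simplified policy evaluation; the `capabilities` and `phi_field_scope` keys and the request field names are assumptions for the illustration, not UAPK's real schema.

```python
import json

# Constructed manifest: "constraints" and "policy" mirror the page's example;
# "capabilities" and "phi_field_scope" (which PHI fields each capability may
# touch) are assumptions added for this example, not UAPK's real schema.
MANIFEST = json.loads("""{
  "capabilities": ["data:read", "phi:disclose"],
  "phi_field_scope": {"data:read": ["diagnosis", "discharge_date"],
                      "phi:disclose": ["diagnosis"]},
  "constraints": {
    "require_human_approval": ["data:write", "phi:disclose"],
    "audit_retention_days": 2555
  },
  "policy": {
    "jurisdiction_allowlist": ["US"],
    "counterparty_allowlist": ["ehr-vendor-with-baa.example",
                               "lab-partner-with-baa.example"],
    "require_capability_token": true
  }
}""")


def evaluate(manifest, request):
    """Gateway decision for one agent request, taken before any PHI is fetched.
    request: capability, fields, has_token, plus counterparty and jurisdiction
    when PHI would leave the system. Returns (decision, reason) with decision
    in {"deny", "approval_required", "allow"}."""
    cap = request["capability"]
    policy, constraints = manifest["policy"], manifest["constraints"]
    if policy.get("require_capability_token") and not request.get("has_token"):
        return "deny", "missing capability token"
    if cap not in manifest["capabilities"]:
        return "deny", f"capability {cap!r} not declared in manifest"
    # Minimum necessary: every requested PHI field must sit inside the
    # capability's documented scope, or the whole request is refused.
    allowed = set(manifest["phi_field_scope"].get(cap, []))
    extra = sorted(set(request.get("fields", [])) - allowed)
    if extra:
        return "deny", f"fields outside documented scope: {extra}"
    counterparty = request.get("counterparty")
    if counterparty is not None:  # PHI would move: BAA and jurisdiction checks
        if counterparty not in policy["counterparty_allowlist"]:
            return "deny", f"no BAA on file for {counterparty}"
        if request.get("jurisdiction") not in policy["jurisdiction_allowlist"]:
            return "deny", "counterparty jurisdiction not allowlisted"
    # Writes and disclosures are routed to a human approver, never auto-allowed.
    if cap in constraints["require_human_approval"]:
        return "approval_required", f"{cap} requires a human approver"
    return "allow", "within declared scope"
```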

The 60-Day Breach Notification Clock

HIPAA requires notifying affected individuals within 60 days of discovering a breach. For a large breach (500+ individuals in a state), you must also notify HHS and prominent media outlets in that state — within 60 days.

For an AI agent breach scenario — the agent accessed PHI it shouldn't have, or disclosed it to an unauthorized party — your ability to meet the 60-day deadline depends entirely on your audit log. You need to know:

  • Which records were accessed
  • Which individuals' PHI was involved
  • What the agent did with it
  • Whether it was transmitted to a third party

Without a complete audit log, you can't answer these questions. And without answers, you can't file an accurate breach notification — which itself is a HIPAA violation.

UAPK's audit export produces an evidence bundle that answers all of these questions, scoped to any time range or agent ID, exportable in minutes.
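As an added illustration (not UAPK's audit export or its log schema), the following code answers the four breach questions above from an audit log scoped to one agent and one time window; the JSON-lines event format and its field names are constructed for this example.

```python
import json
from datetime import datetime

# Constructed sample events: one agent reads two patients' records and discloses
# one of them to a counterparty; a second agent's event and a later denied
# request are included so the filtering is visible.
AUDIT_LOG = """
{"ts":"2024-03-01T09:00:00Z","agent":"discharge-summary-01","action":"data:read","patient":"P-1001","record":"enc-55","fields":["diagnosis"],"outcome":"allow"}
{"ts":"2024-03-01T09:02:00Z","agent":"discharge-summary-01","action":"data:read","patient":"P-1002","record":"enc-56","fields":["diagnosis"],"outcome":"allow"}
{"ts":"2024-03-01T09:03:00Z","agent":"discharge-summary-01","action":"phi:disclose","patient":"P-1002","record":"enc-56","counterparty":"lab-partner-with-baa.example","outcome":"allow"}
{"ts":"2024-03-01T09:10:00Z","agent":"prior-auth-02","action":"data:read","patient":"P-2001","record":"enc-90","fields":["diagnosis"],"outcome":"allow"}
{"ts":"2024-03-02T11:00:00Z","agent":"discharge-summary-01","action":"data:read","patient":"P-1003","record":"enc-57","fields":["diagnosis"],"outcome":"deny"}
"""


def parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def breach_scope(log_text, agent_id, start, end):
    """Reconstruct, for one agent in [start, end]: which records were accessed,
    which individuals' PHI was involved, what the agent did, and whether PHI
    went to a third party. Only events with outcome "allow" touched PHI;
    denied requests are counted separately for context."""
    lo, hi = parse_ts(start), parse_ts(end)
    scope = {"records": set(), "patients": set(), "actions": [],
             "disclosed_to": {}, "denied": 0}
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        if ev["agent"] != agent_id or not (lo <= parse_ts(ev["ts"]) <= hi):
            continue
        if ev["outcome"] != "allow":
            scope["denied"] += 1
            continue
        scope["records"].add(ev["record"])
        scope["patients"].add(ev["patient"])
        scope["actions"].append((ev["ts"], ev["action"], ev.get("fields", [])))
        if ev["action"] == "phi:disclose":  # PHI left the system: who received whose data
            scope["disclosed_to"].setdefault(ev["counterparty"], set()).add(ev["patient"])
    return scope
```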

HITECH and Increased Penalties

The HITECH Act increased HIPAA penalties to a tiered structure based on culpability. The top tier — willful neglect not corrected — carries penalties up to $1.9 million per violation category per year. "Willful neglect" has been interpreted to include deploying AI systems without documented controls.

If you deployed a clinical AI agent without HIPAA-compliant audit logging and something went wrong, the absence of logs doesn't protect you — it's evidence of willful neglect.

Checklist for HIPAA-Compliant AI Agents

  • BAA executed with any infrastructure vendor that processes PHI
  • require_human_approval on all PHI write/disclose actions
  • audit_retention_days ≥ 2190 (6 years)
  • jurisdiction_allowlist scoped to US (plus any jurisdictions with bilateral agreements)
  • counterparty_allowlist limited to BAA-covered entities
  • Capability declarations scoped to minimum necessary PHI fields
  • Incident response plan tested against: "the AI agent accessed the wrong patient's record. What do we do in the next 60 days?"