
PHI never reaches the model in the raw.
One PHI leak to a third-party model is a reportable breach. AegisPlane finds protected health information in each request and redacts it before it leaves, then restores it on the way back. Every access is logged for your audit.
No code changes. Live on your traffic in a day.
One control sits in front of every model your teams already call, checking each request against the standards your auditors recognize.
What is HIPAA?
In healthcare, one careless prompt can expose a patient. HIPAA sets the U.S. standard for protecting health information. Its Privacy Rule governs how protected health information (PHI) is used and disclosed. Its Security Rule requires technical safeguards for electronic PHI.
- Protects PHI: any health information that can identify an individual.
- The Security Rule requires encryption, access control, and audit controls for ePHI.
- The Privacy Rule limits use and disclosure to the minimum necessary.
- Applies to covered entities and their business associates, including vendors.
What HIPAA requires
The Privacy and Security Rules govern every use of PHI. AegisPlane applies them at the AI boundary.
Minimum necessary
Use and disclose only the PHI a task needs. Identifiers beyond that are redacted before the request leaves.
Technical safeguards
The Security Rule requires access control, encryption, and audit controls for electronic PHI. Each is enforced at the gateway.
Audit controls
Access to PHI must be recorded. Every access and policy decision is logged with its safeguard reference.
Business associate duties
Vendors that handle PHI carry obligations too. Redaction keeps raw PHI out of third-party models.
One request, checked in real time
Here is one interaction. AegisPlane classifies the request, checks it against the framework, blocks what it must, and logs the decision as evidence. It happens in milliseconds, on live traffic.
Business value
- Strengthens health-data protection at runtime.
- Lowers risk in clinical and patient-support use cases.
- Supports HIPAA audit preparedness.
How AegisPlane protects PHI in the AI Control Plane
AegisPlane treats healthcare AI traffic as regulated data flow. In the AI Control Plane (AICP), PHI is de-identified before it reaches any external model and every access is recorded.
Turn it on in config
Enable the HIPAA pack and the healthcare PII rulepack as versioned config, compiled into a signed bundle, with no application code changes.
Checked at the gateway
Each request is evaluated against Security Rule safeguards and the minimum-necessary principle by the OPA policy engine before it leaves your perimeter.
PHI redacted, then rehydrated
Presidio-based redaction strips identifiers such as MRN, name, and date of birth before the provider call, and rehydrates the response within the same request scope.
Logged as evidence
Every access and policy decision is recorded with its safeguard reference to support your HIPAA audit trail.
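To make the redact-then-rehydrate flow and the per-request audit record concrete, here is an added example (not AegisPlane's own code). It substitutes plain regex recognizers for Presidio; the MRN, DOB and name patterns, the placeholder format, the fake provider and the safeguard label are all assumptions.

```python
import re
import secrets
from dataclasses import dataclass, field
from typing import Callable

# Constructed stand-in recognizers (plain regex, NOT Presidio). The page's product
# uses Presidio-based recognizers plus custom patterns; these are demo assumptions.
RECOGNIZERS = {
    "MRN": re.compile(r"\bMRN[:#\s]*([0-9]{6,10})\b"),
    "DOB": re.compile(r"\b(?:DOB|date of birth)[:\s]*(\d{4}-\d{2}-\d{2})\b", re.I),
    "NAME": re.compile(r"\bPatient[:\s]+([A-Z][a-z]+ [A-Z][a-z]+)\b"),
}

@dataclass
class RequestScope:
    """Placeholder -> PHI map for ONE request. It stays inside the perimeter and is dropped afterwards."""
    request_id: str = field(default_factory=lambda: secrets.token_hex(4))
    vault: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def redact(self, text: str) -> str:
        """Swap each detected identifier for an opaque placeholder; log entity type only, never the value."""
        for kind, pattern in RECOGNIZERS.items():
            def _sub(m, kind=kind):
                token = f"<{kind}_{len(self.vault) + 1}>"
                self.vault[token] = m.group(1)
                self.audit.append({"request": self.request_id, "entity": kind,
                                   "action": "redact", "safeguard": "164.312(b) audit controls"})
                return m.group(0).replace(m.group(1), token)
            text = pattern.sub(_sub, text)
        return text

    def rehydrate(self, text: str) -> str:
        """Restore only this request's placeholders; anything else the model emits is left as-is."""
        for token, original in self.vault.items():
            text = text.replace(token, original)
        return text

def process_request(prompt: str, provider: Callable[[str], str]):
    """Redact, call the provider with the redacted text only, rehydrate within the same scope."""
    scope = RequestScope()
    redacted = scope.redact(prompt)
    response = provider(redacted)  # the provider never receives scope.vault
    return redacted, scope.rehydrate(response), scope

# Constructed sample: a clinical prompt and a fake provider that echoes a placeholder back.
SAMPLE_PROMPT = "Patient: Jane Doe, MRN: 00481516, DOB: 1979-04-02, presents with chest pain."
def fake_provider(redacted_prompt: str) -> str:
    return "Assessment for " + redacted_prompt.split(",")[0] + ": rule out ACS."
```

The clinical content ("presents with chest pain") passes through untouched, which is the minimum-necessary point: only identifiers are withheld from the external model.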
Frequently asked questions
It provides technical safeguards and evidence that support compliance, PHI redaction, access logging, and policy enforcement. Compliance itself depends on your full administrative and organizational controls.
Detected identifiers are redacted before the request leaves for a provider and rehydrated on return, so raw PHI is not exposed to the external model.
Business associate arrangements are handled as part of a commercial engagement; raise it with the team during your demo.
Identifiers like patient names, medical record numbers, dates of birth, and other health-linked data, detected with Presidio-based recognizers plus custom patterns.
Redaction is scoped to identifiers and rehydrated on return, so the clinical content the model needs is preserved while the identifiers are protected.
Why now
Continuous checks and evidence, not a stale annual assessment
One PHI leak to a model is a reportable breach. Put the control in front now. Every selected framework is checked on live AI traffic and the decision is logged as evidence, so audit prep stops being a fire drill. No code changes.
