HIPAA Compliance for AI Agents
Verified@1kalin
npx machina-cli add skill @1kalin/afrexai-hipaa-compliance --openclawHIPAA Compliance for AI Agents
Generate HIPAA compliance checklists, risk assessments, and audit frameworks for healthcare organizations deploying AI agents.
What This Skill Does
When activated, produce any of these deliverables based on user request:
1. Pre-Deployment Compliance Gate
- BAA requirements checklist for AI vendors
- PHI data flow mapping template
- Minimum Necessary standard application guide
- Risk assessment framework (45 CFR 164.308(a)(1))
2. Technical Safeguards (45 CFR 164.312)
Access Controls:
- Unique service account IDs for AI agents
- Emergency access procedures for system failures
- 15-minute auto-logoff configuration
- Role-based minimum necessary permissions
Audit Controls:
- PHI access logging (timestamp, user, action, data)
- 6-year retention compliance
- Anomaly detection on access patterns
- AI decision audit trails
Transmission Security:
- TLS 1.3 enforcement
- E2E encryption for patient comms
- Certificate pinning for API connections
- No PHI in URLs, query strings, or logs
3. AI-Specific Risk Matrix
| Risk | Impact | Mitigation |
|---|---|---|
| Prompt injection → PHI leak | Critical | Input sanitization, output filtering, sandboxing |
| Model training on PHI | High | BAA prohibition, single-tenant deployment |
| Hallucinated medical info | Critical | Human-in-loop, confidence thresholds |
| Shadow AI with PHI | High | Approved tool registry, DLP rules |
4. Breach Response Timeline
- 0-1 hrs: Contain (disable agent, preserve logs)
- 1-24 hrs: Assess scope of PHI exposure
- 24-48 hrs: Document root cause, affected individuals
- Within 60 days: Notify HHS + individuals + media (if 500+)
- 30-90 days: Remediate, patch, retrain
5. Compliance by Use Case
Rate each AI deployment:
- Patient scheduling → Medium risk
- Billing/coding → High risk
- Clinical decision support → Critical risk
- Patient communication → High risk
- Medical records summarization → Critical risk
6. Penalty Reference
| Tier | Per Violation | Annual Cap |
|---|---|---|
| Unknowing | $141 - $71,162 | $2,134,831 |
| Reasonable cause | $1,424 - $71,162 | $2,134,831 |
| Willful neglect (corrected) | $14,232 - $71,162 | $2,134,831 |
| Willful neglect (not corrected) | $71,162 | $2,134,831 |
Average healthcare breach cost: $10.93M (IBM/Ponemon 2025).
Output Format
- Markdown checklist with status columns
- Risk matrix with impact/likelihood scoring
- Timeline tables for breach response
- Department-specific compliance cards
Resources
- Healthcare AI Context Pack — $47 — Full patient journey automation, revenue cycle, EHR integration patterns
- AI Revenue Leak Calculator — Find where manual processes cost you money
- AI Agent Setup Wizard — Configure compliant AI agents in 5 minutes
Overview
Generates HIPAA compliance artifacts for healthcare AI agents, including pre-deployment gates, technical safeguards, risk matrices, and breach timelines. It maps PHI data flows, minimum necessary standards, and audit trails to help organizations meet regulatory requirements.
How This Skill Works
When activated, the skill outputs deliverables requested by the user: a Pre-Deployment Compliance Gate (BAA checklist, PHI data flow template, Minimum Necessary guide, risk framework), Technical Safeguards (Access Controls, Audit Controls, Transmission Security), an AI-Specific Risk Matrix, a Breach Response Timeline, and Compliance by Use Case. Outputs are provided as templates, checklists, and tables ready for customization and deployment.
When to Use It
- Before deploying AI agents in healthcare settings
- During PHI data flow mapping and access control planning
- During vendor risk assessments and BAA preparation
- When configuring technical safeguards (logging, encryption, access controls)
- When planning breach response, regulatory reporting, and audit trails
Quick Start
- Step 1: Activate HIPAA Compliance for AI Agents in your deployment
- Step 2: Generate Pre-Deployment Gate, Technical Safeguards, and Risk Matrix templates
- Step 3: Review outputs, tailor controls to your environment, and publish the playbook
Best Practices
- Use a BAA checklist for every AI vendor
- Map PHI data flows and enforce minimum necessary access
- Enforce TLS 1.3, E2E encryption, and avoid PHI in URLs and logs
- Implement role-based access and 15-minute auto-logoff
- Maintain PHI access logs for 6 years and enable AI decision audit trails
Example Use Cases
- Healthcare provider conducts AI vendor risk assessment using the BAA and risk framework
- PHI data flow map created for an AI patient triage bot
- Breach response timeline activated after a suspected PHI exposure
- Anomaly detection on AI access patterns to prevent unauthorized PHI access
- AI decision audit trails used to demonstrate compliance during an internal audit
