Blueprint 02

HIPAA-Compliant AI Pipeline

Process Protected Health Information safely through AI models with de-identification, BAA-compliant LLM access, private endpoints, and end-to-end audit trails — keeping patients safe and regulators satisfied.

5 min readPHI De-identificationBAA CompliancePrivate EndpointsAudit Trail

1. Overview

Hospitals and health insurers sit on mountains of data — clinical notes, lab results, imaging reports, prescription histories — that AI could transform into better patient outcomes. Imagine an AI that reads thousands of discharge summaries to flag patients at risk of readmission, or one that extracts structured data from handwritten doctor's notes. The potential is enormous. But healthcare data is governed by HIPAA (the Health Insurance Portability and Accountability Act), which means you cannot just send patient records to an LLM API and hope for the best.

A HIPAA-compliant AI pipeline ensures that Protected Health Information (PHI) — names, dates of birth, medical record numbers, Social Security numbers — is stripped out before data ever leaves your secure environment. The AI model works with de-identified text: it sees "Patient X, age 67, admitted for chest pain" instead of "John Smith, DOB 03/15/1959, MRN 12345." After the model produces its output, a separate re-identification service maps the results back to real patients, but only for authorized users within the secure environment. The key insight is that the AI model never needs to see real patient identifiers to do useful clinical work.

This isn't just about avoiding fines — though HIPAA penalties can reach $2 million or more per violation category, per year. It's about maintaining patient trust. People share their most intimate health details with their doctors. If that data leaks because someone piped it through a public API without safeguards, the damage to trust is irreparable. Every healthcare AI project needs this architecture as its foundation, not as an afterthought bolted on later.

If you architect this wrong, you're one data breach away from front-page news, regulatory action, and class-action lawsuits. The good news is that all major cloud providers now offer BAA-compliant AI services, private network endpoints, and healthcare-specific APIs. The architecture isn't theoretical — it's well-proven. You just need to wire the pieces together correctly and never take shortcuts with patient data.

2. Architecture Diagram

Diagram 1

Architecture diagram — HIPAA-Compliant AI Pipeline: PHI de-identification, BAA-compliant processing, and secure re-identification

3. Component Breakdown

ComponentDescription
🔓 PHI De-identification EngineDetects and removes 18 HIPAA identifier types from clinical text. Uses NER models tuned for medical data. Stores a reversible mapping table in an encrypted, access-controlled datastore for authorized re-identification.
📜 BAA-Compliant LLMAn LLM service where the provider has signed a Business Associate Agreement, legally committing to HIPAA-compliant data handling. Accessed via private endpoints — no data traverses the public internet.
🔒 Secure VPC / Private EndpointsAll data stays within a private network. VPC Service Controls (GCP), PrivateLink (AWS), or Private Endpoints (Azure) ensure LLM API calls never leave the cloud provider's backbone network.
📑 Audit Trail & Access LoggingEvery data access, model call, and re-identification event is logged immutably. Logs include who, what, when, and why. Required for HIPAA breach investigations and annual compliance audits.
🔄 Re-identification ServiceMaps de-identified AI outputs back to real patient records. Access is strictly controlled — only authorized roles (treating clinicians, authorized researchers) can trigger re-identification.
🚫 Data Loss Prevention (DLP)Secondary scanning layer that verifies no PHI slips through de-identification. Catches edge cases like PHI embedded in free-text fields, image metadata, or structured data that wasn't flagged.

4. Decision Points & Trade-offs

AdvantageLimitation
Strong patient privacy protectionDe-identified text may reduce model accuracy
BAA-compliant providers available on all major cloudsLimited model selection compared to unrestricted APIs
On-prem processing option for highest sensitivity dataOn-prem lacks cloud scalability and managed services
Full audit trail for compliance and investigationsAudit log storage costs grow significantly at scale
Automated de-identification is fast and consistentNER-based de-identification is not 100% perfect — needs QA

Expert Mode vs. Safe Harbor: HIPAA defines two de-identification methods: Safe Harbor (remove all 18 identifier types) and Expert Determination (statistical proof of low re-identification risk). Safe Harbor is simpler but removes more context. Expert Determination preserves more clinical value but requires a qualified statistician.

Minimum Necessary Rule: HIPAA's minimum necessary standard means you should only send the data the AI model actually needs — not the entire patient record. Architect pipelines that extract relevant sections before passing to the LLM.

5. Cloud Mapping

ComponentGCPAWSAzure
De-identificationHealthcare NLP API / DLPAmazon Comprehend MedicalAzure Health Data Services
BAA LLMVertex AI (BAA available)Amazon Bedrock (BAA)Azure OpenAI (BAA)
Private NetworkVPC Service ControlsVPC + PrivateLinkPrivate Endpoints + VNet
Audit LoggingCloud Audit LogsCloudTrailAzure Activity Log
Key ManagementCloud KMS (CMEK)KMS (CMK)Azure Key Vault
Healthcare StorageCloud Healthcare APIHealthLakeAzure Health Data Services

6. Anti-Patterns

  1. Sending raw PHI to a public LLM API endpoint. This is the most common and most dangerous mistake. Even if the provider promises not to store data, you've already violated HIPAA by transmitting PHI without a BAA and without de-identification.
  2. Using a model provider without a signed BAA. A BAA is a legal contract that makes the provider a "business associate" under HIPAA, legally accountable for protecting PHI. Without it, you bear 100% of the liability.
  3. De-identifying data but logging the original PHI in application logs. Your de-identification pipeline is useless if the raw text is sitting in a CloudWatch log group with broad access. Audit your entire data flow, including logs and error messages.
  4. Assuming tokenization alone satisfies HIPAA de-identification rules. Replacing names with tokens is a start, but HIPAA requires removing all 18 identifier types including dates, geographic data, and biometric identifiers. Simple tokenization misses most of these.
  5. No re-identification controls — anyone with access can reverse the mapping. If the de-identification mapping table is accessible to all developers, you've effectively not de-identified anything. Lock it down with strict role-based access and audit logging.

7. Architect's Checklist

  • Business Associate Agreement signed with every vendor that touches PHI
  • PHI de-identification tested against all 18 HIPAA identifier types with validation dataset
  • VPC / private endpoints configured — no PHI traverses the public internet
  • Encryption at rest (AES-256) and in transit (TLS 1.2+) for all data stores and API calls
  • Role-based access controls with minimum necessary principle enforced
  • Immutable audit logging for every data access, model call, and re-identification event
  • DLP scanning layer validates de-identification output before LLM ingestion
  • Breach notification plan documented and tested (72-hour HHS notification requirement)
  • Annual HIPAA risk assessment scheduled and documented
  • Staff training on PHI handling completed and recorded for all team members
  • Data retention and disposal policy defined per HIPAA requirements
  • Re-identification mapping table encrypted with separate key management and restricted access

Related patterns

GenAI ArchitectureEval & GuardrailsGenAI ArchitectureDocument Processing