Authorize healthcare agent actions before PHI moves.
EHR and FHIR credentials say the agent can reach the system. They do not decide whether this specific agent may read a chart, submit prior auth, send PHI, change a care workflow, or write billing data. Veto checks the action before it executes.
What is runtime authorization for healthcare AI agents?
Runtime authorization for healthcare AI agents is a policy check before an agent reads PHI, queries Epic/Cerner/FHIR/EHR data, updates care-management workflows, submits prior auth, touches billing or claims, or surfaces a clinical recommendation. Veto can enforce minimum-necessary access policies, control evidence, and human review where risk requires it.
What compliance, clinical, and security teams need evidence for
HIPAA access control
Which agent accessed which PHI field, for which purpose, under which policy, and with which authenticated user context.
Minimum necessary
Scheduling agents should not read diagnoses; billing agents should not read psychotherapy notes; care agents need scoped FHIR/EHR access.
Clinical human oversight
Clinical recommendations, care-plan modifications, high-risk prior auth, and patient-impacting actions route to licensed human review.
BAA and audit readiness
Decision records, policy versions, approvals, and denied PHI access attempts become reviewable evidence for HIPAA and vendor-risk processes.
Protect the first PHI-bearing tool call.
Healthcare buyers do not need an abstract governance story first. They need to know what happens before the agent touches patient data or a payer workflow. Start with the call that can expose PHI, submit prior auth, change a claim, or send a patient-facing message.
Actor, purpose, patient, fields, consent state, and minimum-necessary scope checked before data leaves the tool.
Payer, clinical context, PHI category, threshold, and reviewer path recorded before submission or status change.
External communications can be redacted, denied, or routed for human review before the message is sent.
HIPAA Security Rule technical safeguards (45 CFR 164.312)
The Security Rule defines technical safeguards for ePHI. HIPAA requirements, OCR guidance, and proposed updates all point in the same operational direction: stronger access control, audit controls, integrity controls, authentication, and transmission security for agent actions that touch PHI.
Access Control: 164.312(a)(1)
Agents must have unique identifiers and access rights scoped to minimum necessary data. RBAC or ABAC policies restrict each agent role to specific PHI fields and operations. MFA and session termination are common control expectations for sensitive ePHI access. They reduce stale agent contexts accumulating excess PHI.
Audit Controls: 164.312(b)
AI interactions with PHI need audit controls: agent identity, timestamp, action type, data accessed, session ID, and authorization outcome. Logs must be retained for the required period, with many organizations standardizing on longer windows and reviewable through decision records with verification metadata where configured.
Integrity Controls: 164.312(c)(1)
Prevent unauthorized PHI modification. For AI agents: input validation to block prompt injection attacks, output verification for clinical decision support, and record integrity checks from request to decision record.
Authentication: 164.312(d)
Each agent session must be authenticated with a verifiable identity. Agent credentials are scoped per deployment, not shared across instances. Session tokens expire, forcing re-authentication and preventing credential reuse.
Transmission Security: 164.312(e)(1)
Encryption choices belong in the organization's HIPAA risk analysis and security architecture. Veto's in-process evaluation means PHI does not need to leave your infrastructure for authorization decisions.
PHI access control and redaction policies
Define declarative policies that enforce the minimum necessary standard. Each agent role receives only the PHI fields required for its specific function. Sensitive categories (psychotherapy notes, substance abuse records, HIV status) require additional patient consent under 42 CFR Part 2 and state-specific laws.
name: healthcare-phi-protection
description: HIPAA-aligned PHI access control for AI agents
rules:
# Minimum necessary enforcement by agent role
- name: clinical-assistant-scope
tools: ["ehr_read", "patient_lookup"]
condition: "context.agent_role == 'clinical_assistant'"
action: allow
constraints:
fields: ["demographics", "allergies", "current_medications", "diagnosis"]
requires_patient_id: true
audit:
log_arguments: true
retention_days: 2190 # HIPAA documentation baseline: 6 years; state record rules may require longer
- name: scheduling-agent-scope
tools: ["ehr_read", "patient_lookup"]
condition: "context.agent_role == 'scheduling_agent'"
action: allow
constraints:
fields: ["name", "phone", "preferred_times"]
exclude_fields: ["diagnosis", "medications", "ssn", "mrn"]
audit:
log_arguments: true
retention_days: 2190
- name: billing-agent-scope
tools: ["ehr_read", "patient_lookup"]
condition: "context.agent_role == 'billing_agent'"
action: allow
constraints:
fields: ["name", "dob", "insurance_info", "account_number"]
exclude_fields: ["diagnosis", "medications", "clinical_notes"]
# Block clinical notes for non-clinical agents
- name: block-clinical-notes
tools: ["ehr_read"]
condition: >
'clinical_notes' in args.fields or
'psychiatric_notes' in args.fields
action: deny
response:
error: "Clinical notes require clinical staff authorization"
# Sensitive data segmentation: 42 CFR Part 2
- name: substance-abuse-consent
tools: ["ehr_read", "patient_lookup"]
condition: "'substance_abuse' in args.fields"
action: require_approval
constraints:
patient_consent_verified: true
consent_type: "42_cfr_part_2"
response:
message: "Substance abuse records require 42 CFR Part 2 consent"
- name: psychotherapy-notes-consent
tools: ["ehr_read"]
condition: "'psychotherapy_notes' in args.fields"
action: require_approval
constraints:
patient_consent_verified: true
approver_role: "treating_clinician"
response:
message: "Psychotherapy notes require explicit patient consent"
# PHI redaction in outbound communications
- name: patient-message-phi-check
tools: ["send_patient_message", "send_referral"]
action: allow
constraints:
no_phi_in_message: true
verified_patient_identity: true
# Controlled substance prescriptions
- name: controlled-substance-review
tools: ["prescribe_medication"]
condition: "args.schedule in ['II', 'III', 'IV']"
action: require_approval
constraints:
approver_role: "pharmacist"
alert_on_deny: true
response:
message: "Controlled substance prescription requires pharmacist review"
# Research data: de-identification enforcement
- name: research-deidentified-only
tools: ["query_research_dataset"]
action: allow
constraints:
dataset_type: "de_identified"
approved_irb_protocol: true
audit:
log_query: true
researcher_id: requiredSensitive data segmentation
Federal and state law require additional protections beyond standard HIPAA for specific PHI categories. AI agents must check segmentation flags and verify consent before accessing these records.
Psychotherapy Notes
Requires explicit patient consent per HIPAA. Enhanced access logging. Separate authorization from general mental health records. Cannot be disclosed for treatment, payment, or operations without specific authorization.
Substance Abuse Records
42 CFR Part 2 imposes restrictions stricter than standard HIPAA. Specific consent form requirements. Re-disclosure prohibited without additional patient authorization. AI agents must enforce these boundaries per-request.
HIV/AIDS Information
State-specific consent requirements. Many states require separate written authorization for disclosure. Policies must be jurisdiction-aware and enforce the strictest applicable standard.
Reproductive Health
Post-Dobbs state-specific restrictions. Enhanced privacy protections in some jurisdictions. Geographic context-aware policy enforcement required to comply with varying state laws.
HIPAA evidence mapping
| HIPAA Requirement | Veto Implementation |
|---|---|
| Access Control: 164.312(a)(1) | RBAC and ABAC per agent role, unique agent identifiers, per-call authorization, MFA-compatible human access |
| Audit Controls: 164.312(b) | decision records with export paths, configurable retention, and export paths |
| Integrity: 164.312(c)(1) | Input validation, prompt-injection controls, and record integrity checks |
| Authentication: 164.312(d) | Per-session agent credentials, token expiration, no shared credentials across instances |
| Transmission Security: 164.312(e)(1) | TLS 1.2+ enforced, in-process evaluation (PHI does not need to leave your infrastructure) |
| Minimum Necessary: 164.502(b) | Purpose-specific data scopes, field-level restrictions, date precision controls |
| Accounting of Disclosures: 164.528 | Exportable decision records, patient disclosure request support, structured compliance reports |
| Training: 164.530(b) | Policy-as-code documentation, version-controlled evidence for compliance training records |
Build vs buy for healthcare AI
| Capability | DIY | Veto |
|---|---|---|
| ABAC with minimum necessary enforcement | ||
| Sensitive data segmentation (42 CFR Part 2) | ||
| PHI redaction for agent prompts/responses | ||
| decision records with export paths | ||
| configurable decision-record retention | ||
| BAA review documentation | Create yourself | Available on enterprise path |
| Path to HIPAA evidence review | Custom build | Workflow-scoped |
Related use cases
Frequently asked questions
How do healthcare AI guardrails support HIPAA evidence review?
What is the minimum necessary standard for AI agents?
How does sensitive data segmentation work?
What retention periods are supported for healthcare decision records?
How should teams track HIPAA rule changes for AI agents?
HIPAA evidence mapping for AI agents. Enforced at runtime, not by policy docs alone.