Start free

Products

Observability

Trace every LLM call. Cost, latency, hallucination.

Guardrails

HIPAA, FDCPA, FINRA, GDPR — enforced in-process.

Prompts

Version-controlled prompts with A/B testing and rollback.

Resources

Live demoBlogDocsGitHub
Sign inStart free →
← All posts
complianceJune 1, 2026·4 min read

HIPAA Compliance for AI Agents in Python — A Practical Guide

How to build HIPAA-compliant AI agents in Python: what the Privacy Rule requires, which patterns to block, and how to enforce them automatically on every LLM call.

HIPAAAI complianceLLM guardrailsPythonhealthcare AI

If you're building an AI agent that touches protected health information (PHI) — patient records, diagnosis conversations, medication queries — you're operating under HIPAA. This isn't optional, and "the LLM said it, not us" is not a legal defense.

Here's what HIPAA actually requires from your AI stack, and how to enforce it automatically.

What HIPAA Cares About

The HIPAA Privacy Rule (45 CFR Part 164) governs how PHI is used, disclosed, and protected. For AI agents, the critical pieces are:

  • Minimum necessary disclosure — don't surface PHI beyond what the query actually needs
  • No PHI in outputs to unauthorized parties — an AI that prints an SSN, MRN, or diagnosis in a chatbot response creates a reportable breach
  • No diagnostic claims presented as fact — "You have diabetes" from an AI is both medically dangerous and a HIPAA violation if the AI isn't a covered entity providing treatment
  • Required disclaimers — responses dealing with health information must clarify that this is not a diagnosis and that the user should consult a licensed provider

The Patterns to Block

From the regulation text, these output patterns are problematic:

# These should never appear in an LLM response from your health AI agent:

"you have [condition]"           # AI stating diagnosis as fact
"diagnoses you with"             # Same
"clinically proven to treat"     # FDA 21 CFR claim without clearance
"prescribe [dose] mg"            # AI prescribing medication
"your MRN is 123456"            # PHI in output
"SSN: 123-45-6789"              # PHI in output

And required disclosures that must appear:

"This is not a diagnosis or medical advice."
"Consult a licensed healthcare provider."

Enforcing This with Peekr

Peekr's HIPAA compliance pack covers all of this automatically. Add it to instrument() once, and every LLM call is checked:

import peekr

peekr.instrument(
    exporter=peekr.HTTPExporter(
        endpoint="https://peekr.starkspherelabs.com",
        api_key="pk_live_…",
    ),
    compliance=["HIPAA"],  # fetches current HIPAA patterns from Peekr Cloud
)

The HIPAA pack includes:

Rule type Pattern Citation
prohibited_output AI stating diagnosis as fact FDA 21 CFR
prohibited_output SSN or MRN in output HIPAA Privacy Rule
prohibited_output Prescription language FDA / HIPAA
required_disclosure "This is not medical advice" FDA/HIPAA
required_disclosure "Consult a licensed provider" FDA/HIPAA

When a violation is detected, GuardrailError is raised and the violation is logged on the span for audit purposes — the response never reaches the user, and your compliance team gets a full record.

What PIIRedact Handles on Top

Even with HIPAA pack rules, you may want to scrub PHI from your trace data — so your observability logs don't themselves constitute a PHI disclosure. That's what PIIRedact is for:

import peekr

peekr.instrument(
    compliance=["HIPAA"],
    guardrails=[
        peekr.guard.PIIRedact(
            categories=("ssn", "credit_card", "email", "phone")
        ),
    ],
)

PIIRedact runs before any storage exporter — your traces never contain raw SSNs, email addresses, or phone numbers.

Managing Rules from the Dashboard

If your compliance team needs to update rules without a code deployment (they will), Peekr Cloud lets you define custom rules from the dashboard:

  1. Go to Settings → Compliance in your project
  2. Toggle the HIPAA pack on
  3. Add custom rules specific to your use case — e.g., block your hospital system's internal patient ID format

Rules update on the next SDK startup. No PR, no deploy.

The Honest Answer on HIPAA and AI

No software tool makes you HIPAA compliant by itself. HIPAA compliance requires a Business Associate Agreement (BAA) with every vendor that processes PHI, documented policies, workforce training, and more. What Peekr's HIPAA pack does is enforce the technical controls — blocking prohibited output patterns and ensuring required disclosures appear — that are part of the technical safeguards requirement.

For a covered entity building AI, you still need: a BAA with your AI provider (OpenAI, Anthropic, etc.), access controls, audit logging, and incident response procedures. Peekr handles the audit logging and pattern enforcement piece of that stack.

Key Takeaways

  1. HIPAA applies to your AI agent if it processes PHI, regardless of who generates the text
  2. Block prohibited patterns (diagnosis-as-fact, PHI in outputs, prescription language) at the SDK layer
  3. Ensure required disclosures appear in every relevant response
  4. Scrub PHI from your observability traces using PIIRedact
  5. Use the dashboard to let your compliance team manage rules without code changes

The HIPAA compliance pack in Peekr Cloud covers all of this. Start with the free tier — compliance packs are on Pro.

Add compliance guardrails in two lines of code.

Free tier — 10k spans/month. No credit card required.

Get started free →Learn more

Related posts

compliance

UAE PDPL AI Compliance: A Developer's Guide (2025)

June 2, 2026 · 7 min

compliance

Dubai DHA AI Compliance for Healthcare: What Developers Need to Know (2025)

June 2, 2026 · 7 min