HIPAA Compliance Pack

HIPAA compliance for AI agents — enforced on every LLM call.

Healthcare AI has a PHI problem. LLMs echo diagnosis data, invent prescriptions, and skip care disclaimers. Peekr enforces HIPAA rules in-process before responses reach patients — no proxy, no architecture change.

Why HIPAA on LLM outputs is hard

PHI leaks through context

You pass a patient record as context. The LLM echoes the SSN, DOB, or phone number in its reply. Standard output filtering misses it because it reads like natural text.

LLMs hallucinate diagnoses

"Based on your symptoms, you likely have Type 2 Diabetes." No licensed provider signed off on that. HIPAA's minimum necessary standard and scope-of-practice rules are both violated.

No proxy fits healthcare

Routing PHI through a third-party proxy to enforce compliance creates a new HIPAA exposure. You need in-process enforcement — inside your own infrastructure.

What Peekr enforces

The HIPAA pack runs as a guardrail inside your agent process. Every LLM response is checked before it returns to the caller. Violations are blocked (or warned) and stored in an immutable audit log.

Category             | What it catches                                                  | Action
---------------------|------------------------------------------------------------------|-------------------------------------------
PHI leakage          | SSN, date of birth, phone, or email in LLM output                | Block + redact before storage
Diagnosis as fact    | "You have [condition]" or "you are diagnosed with"               | Block — requires licensed provider
Prescription mention | Specific drug + dosage instructions for a named patient          | Block — prescriptions require physician
Missing disclaimer   | Health response without care referral disclaimer                 | Warn — add disclosure
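As an added example that is not Peekr's code (the pack's real rules are fetched from Peekr Cloud and are not shown on this page), here is a minimal in-process checker with hypothetical, deliberately simple patterns for the four categories above. It returns the block/warn/allow decision, a truncated match for the audit record, and a redacted copy of the response that is safe to store.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Hypothetical stand-ins for the pack's four rule categories. Patterns are
# deliberately simple (US-style SSN and phone, MM/DD/YYYY dates) and are not
# the Peekr rule set.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "dob": re.compile(r"\b\d{1,2}/\d{1,2}/(?:19|20)\d{2}\b"),
    "phone": re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
}
DIAGNOSIS = re.compile(r"\byou (?:likely |probably )?have\b|\byou are diagnosed with\b", re.I)
PRESCRIPTION = re.compile(r"\b(?:take|prescrib\w*)\b.*?\b\d+\s?(?:mg|mcg|ml)\b", re.I)
DISCLAIMER = re.compile(r"\b(?:consult|see|contact)\b.*?\b(?:doctor|physician|provider|clinician)\b", re.I)


@dataclass
class Verdict:
    action: str             # "allow", "warn" or "block"
    rule: Optional[str]     # which rule fired (first blocking rule wins)
    matched: Optional[str]  # truncated match: the audit record never holds full PHI
    text: str               # response with PHI redacted before it is stored


def check_response(text: str, health_context: bool = True) -> Verdict:
    """Evaluate one LLM response before it is returned to the caller."""
    rule = matched = None
    redacted = text
    # 1. PHI leakage: block, and redact every PHI span before anything is stored.
    for kind, pattern in PHI_PATTERNS.items():
        m = pattern.search(text)
        if m and rule is None:
            rule, matched = f"phi_leakage:{kind}", m.group(0)[:4] + "..."
        redacted = pattern.sub("[REDACTED]", redacted)
    # 2. Diagnosis stated as fact, 3. drug + dosage: block, a licensed provider is required.
    for name, pattern in (("diagnosis_as_fact", DIAGNOSIS), ("prescription_mention", PRESCRIPTION)):
        m = pattern.search(text)
        if m and rule is None:
            rule, matched = name, m.group(0)[:40]
    if rule is not None:
        return Verdict("block", rule, matched, redacted)
    # 4. Health response without a care-referral disclaimer: warn, do not block.
    if health_context and not DISCLAIMER.search(text):
        return Verdict("warn", "missing_disclaimer", None, redacted)
    return Verdict("allow", None, None, redacted)
```

Production rules need far better PHI detection than these regexes (names, MRNs, addresses, international formats), which is why the page recommends a maintained rule pack rather than ad-hoc filters.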

2 lines to enforce HIPAA

Add compliance=["HIPAA"] to your existing peekr.instrument() call. Rules are fetched from Peekr Cloud and enforced locally — no data leaves your process.

import peekr

peekr.instrument(
    exporter=peekr.HTTPExporter(
        endpoint="https://peekr.starkspherelabs.com",
        api_key="pk_live_...",
    ),
    compliance=["HIPAA"],   # ← add this line
)

# Every LLM call is now HIPAA-checked.
# PHI is redacted from traces. Diagnoses are blocked.
# Violations go into an audit log your compliance officer can read.

Works with OpenAI, Anthropic, Google Gemini, Amazon Bedrock, LangChain, and CrewAI — auto-instrumented, no code changes per call.

Audit-ready violation logs

Every violation is stored as a tamper-evident record in Peekr Cloud: which rule fired, which text triggered it, which model produced it, and when. Your compliance officer can filter by regulation, export to PDF, and hand it directly to an auditor.

Per-violation detail

Pack, rule name, matched text, span ID, timestamp, tenant.

Team access

Compliance officer gets read-only dashboard access, no code required.

7-day rolling window

Default retention. Enterprise gets configurable retention + export.

Immutable records

Violations can't be deleted by the app — only by explicit data retention policy.

Related guide

Building HIPAA-Compliant AI Agents

Architecture patterns, agent-specific risks, and the 4 controls every healthcare LLM pipeline needs.


Common questions

Does using Peekr make me HIPAA-compliant?

Peekr enforces the patterns — PHI redaction, prohibited outputs, required disclaimers — but compliance also depends on your BAA, data handling, and system design. We're a technical control, not a certification. We sign BAAs for Enterprise customers.

Does PHI leave my infrastructure when using Peekr?

No. The compliance rules are fetched from Peekr Cloud and enforced locally inside your agent process. If a violation is found, only the rule name and a truncated match (not the full PHI) are stored in the audit log.

What happens when a violation fires?

By default: the response is blocked and a GuardrailError is raised before it returns to your caller. You can set action='warn' to record the violation without blocking — useful while tuning rules before going live.

Can I add custom HIPAA rules beyond the built-in pack?

Yes. The dashboard has a Custom Rules editor where you can add regex patterns, blocked terms, and required disclosures specific to your product — no code deploy needed.

Which HIPAA rules does the pack cover?

The pack targets the most common LLM-specific violations: PHI in outputs (SSN, DOB, phone, email), diagnosis-as-fact, prescription mentions, and missing care referral disclaimers. It does not cover data-at-rest encryption, access controls, or network security — those are infrastructure-level controls outside LLM output.

Start enforcing HIPAA on your LLM today

Free tier includes the HIPAA pack — 10,000 spans/month, no credit card.

Need FDCPA, FINRA, GDPR, or EU AI Act? See all 10+ compliance packs →