What HIPAA requires
from your LLM app.
LLMs create three new PHI exposure surfaces that traditional HIPAA controls don't cover: PHI injected into prompts, PHI echoed in model outputs, and PHI captured in telemetry spans. Peekr enforces rules on all three — in your Python process, with no proxy.
Three surfaces where LLMs touch PHI
HIPAA's Security Rule covers any system that creates, receives, maintains, or transmits electronic PHI. LLM applications touch PHI in ways that most compliance frameworks don't address.
User messages or tool outputs inject names, DOBs, or SSNs into the model context before the API call.
Required control
Block prohibited inputs before the model sees them.
# prohibited_input rule fires before the API call
pattern: "\b\d{3}-\d{2}-\d{4}\b" # SSN in prompt
action: "block" # GuardrailError raisedThe LLM echoes patient data, states a diagnosis as fact, or generates text containing SSN or DOB from its training context.
Required control
Block or redact prohibited outputs before they reach your caller.
# prohibited_output rule fires after the API call
pattern: "you (have|are diagnosed with)" # diagnosis as fact
action: "block" # response never leaves processObservability SDKs capture the full prompt and completion by default. Without redaction, PHI flows into your trace store.
Required control
Redact PHI from spans before they are exported.
# PIIRedact strips PHI in-place on the span
# SSN, DOB, phone, email, credit card — redacted
# before the span leaves your process
peekr.guard.PIIRedact()Four controls in the Peekr HIPAA pack
Enabled with a single compliance=["HIPAA"] argument. All four run synchronously inside your process — no PHI leaves your infrastructure.
PHI input blocking
Patterns matched against the full prompt before the model sees it. If SSN, phone, DOB, or email appear in the user message or tool output, the call is blocked and a violation is logged.
Prohibited output blocking
Patterns matched against model responses before they reach your caller. Diagnosis-as-fact language and prescription suggestions are blocked. Missing required care-referral disclaimers are flagged.
PHI redaction in spans
PIIRedact runs on every span before export, stripping SSN, DOB, phone, and email from the prompt and completion fields stored in your trace backend.
Tamper-evident audit log
Every violation — blocked input, blocked output, or redaction — is written to an append-only audit log on the span before any error propagates. Your compliance officer has a record even if the caller catches the exception.
Enable HIPAA compliance in 2 lines
Pass compliance=["HIPAA"] to peekr.instrument(). PHI input blocking, output blocking, span redaction, and audit logging are all active immediately — no additional configuration.
import peekr
from peekr.guard import GuardrailError
peekr.instrument(
exporter=peekr.HTTPExporter(
endpoint="https://peekr.starkspherelabs.com",
api_key="pk_live_...",
),
compliance=["HIPAA"], # ← all 4 controls active
guardrails=[
peekr.guard.PIIRedact(), # scrub PHI from spans
],
)
# HIPAA pack runs on every LLM call automatically.
# GuardrailError carries the rule name + regulatory citation.
try:
resp = client.chat.completions.create(...)
except GuardrailError as e:
# e.guardrail_name: "HIPAA.prohibited_output"
# e.citation: "45 CFR §164.514(b)"
log.warn(f"[HIPAA] {e}")Common questions
Does Peekr make my LLM app HIPAA-compliant?
Peekr is a technical control — it enforces the PHI-specific rules your LLM generates and logs. Full HIPAA compliance also requires a BAA, access controls, encryption at rest, and workforce training. We're the LLM output layer, not a certification.
Does PHI travel to Peekr's servers?
No. The compliance rules are loaded from Peekr Cloud at startup and enforced locally in your process. Only PII-redacted span metadata (after PIIRedact runs) is exported. No raw PHI leaves your infrastructure.
Which HIPAA regulations does the pack cover?
The pack targets HIPAA Security Rule §164.312 (technical safeguards) and Privacy Rule §164.514(b) (PHI de-identification). Specifically: PHI in outputs (SSN, DOB, phone, email), diagnosis-as-fact language, prescription mentions, and missing care-referral disclaimers.
What if I need custom HIPAA rules for my product?
The dashboard has a Custom Rules editor where you add regex patterns, blocked terms, or required disclosures specific to your clinical workflow — no code deploy needed. Rules are fetched at the next SDK startup.
Go deeper
HIPAA rule reference
Every regex pattern and action in the HIPAA pack — with the regulatory citation for each rule.
HIPAA for AI agents
The 4 controls every multi-step healthcare agent needs — PHI detection, audit logs, and agent-specific risks.
All 17 compliance packs
FDCPA, FINRA, GDPR, UAE PDPL, EU AI Act, and more — enforced the same way on every LLM call.
Enforce HIPAA on every LLM call — free
10,000 spans/month free. All HIPAA controls included. No proxy, no credit card, no PHI leaves your stack.