Towards a HIPAA Compliant Agentic AI System in Healthcare

Subash Neupane Sudip Mittal Shahram Rahimi

Mississippi State University Mississippi State University University of Alabama
Starkville, Mississippi, USA Starkville, Mississippi, USA Tuscaloosa, Alabama, USA
[email protected] [email protected] [email protected]
Abstract
Agentic AI systems powered by Large Language Models (LLMs) as EHR, Diagnosis,
their foundational reasoning engine, are transforming clinical work- X-Ray, prompt response Careplan,
Billing, Hospital
arXiv:2504.17669v2 [cs.MA] 6 May 2025

flows such as medical report generation and clinical summarization

by autonomously analyzing sensitive healthcare data and executing [...] HI PAA Compl i ant Summary, Q/A,
Agent i c Fr amewor k [...]
decisions with minimal human oversight. However, their adoption
demands strict compliance with regulatory frameworks such as
Health Insurance Portability and Accountability Act (HIPAA), par-
Figure 1: A graphical overview of the HIPAA-compliant Agen-
ticularly when handling Protected Health Information (PHI). This
tic framework. [...] (used for brevity) indicates that there are
work-in-progress paper introduces a HIPAA-compliant Agentic AI
more data modalities and downstream tasks.
framework that enforces regulatory compliance through dynamic,
context-aware policy enforcement. Our framework integrates three
core mechanisms: (1) Attribute-Based Access Control (ABAC) for
individual. An example containing multiple PHI elements (name,
granular PHI governance, (2) a hybrid PHI sanitization pipeline
birth date, medical record number, diagnosis, treatment information,
combining regex patterns and BERT-based model to minimize leak-
visit date, and insurance identifier) that would require protection
age, and (3) immutable audit trails for compliance verification.
under HIPAA is shown in Fig. 2.
CCS Concepts Patient Name: Barry Berkman DOB: 01/15/1965 Medical Record Number:
• Security and privacy → Data anonymization and saniti- MRN-12345678 Diagnosis: Type 2 Diabetes Medication: Metformin 500mg
twice daily Last Visit: 03/02/2025 Insurance ID: ABC123456789
zation; Access control; • Social and professional topics →
Privacy policies; • Computing methodologies → Natural lan-
Figure 2: An example of PHI identifiers that requires protec-
guage processing.
tion based on HIPAA Safe Harbor rule § 164.514(b)(2).
Keywords
HIPAA, Privacy Policy, Agentic AI, Access Control, ABAC, LLM HIPAA regulations require healthcare providers to implement
technical, physical, and administrative safeguards to restrict access
to PHI and ensure that only authorized users can interact with
1 Introduction patient data. A critical component of these safeguards is access
Agentic AI system is an emerging paradigm in Artificial Intelligence control, which governs who can view, modify, or transmit sensitive
(AI) where autonomous systems pursue complex goals with mini- information. However, in the context of Electronic Health Records
mal human intervention [1]. The integration of these systems pow- (EHR), where clinical notes (e.g. diagnoses, treatment plans, medi-
ered by Large Language Models (LLMs) into healthcare workflows cal histories) are often stored as unstructured free text traditional
represents a paradigm shift in clinical decision making and adminis- access control mechanisms struggle to enforce granular protec-
trative efficiency [2]. Unlike passive LLMs, Agentic AI systems can tions. Unstructured data inherently contains sensitive identifiers
dynamically interact with Electronic Health Records (EHRs), syn- (e.g. names, addresses) and complex clinical narratives, creating vul-
thesize multimodal patient data, and execute context-aware tasks nerabilities that static access policies cannot fully mitigate. These
such as generating clinical documentation, summarizing medical risks are amplified with the integration of Agentic AI systems pow-
literature, or offering real-time diagnostic recommendations [2–4]. ered by LLMs in healthcare workflow. Without dynamic safeguards,
However, the autonomous nature of these systems introduces LLM driven workflows risk inadvertently exposing PHI, memoriz-
critical risks to the security of Protected Health Information (PHI) ing sensitive details during training, or bypassing rigid access rules,
as mandated by the Health Insurance Portability and Accountability violating HIPAA’s Minimum Necessary Standard (§ 164.502(b)).
Act (HIPAA) [5]. PHI is defined by the U.S. Department of Health The current literature predominantly explores Agentic AI sys-
and Human Services (HHS) in the HIPAA Privacy Rule (45 CFR tems for specific downstream tasks, such as identifying cognitive
§ 160.103) as “Individually identifiable health information” that is concerns in clinical notes [6], generating medical reports [2], and
transmitted or maintained in any form or medium (electronic, paper, delivering clinical services [7]. Nevertheless, these systems demon-
or oral) by a covered entity or its business associates, and relates strate significant limitations in achieving comprehensive HIPAA
to past, present, or future physical or mental health or condition of regulatory compliance, thus constraining their potential for wide-
an individual, provision of health care to an individual, and past, spread clinical deployment. To address regulatory and compliance
present, or future payment for the provision of health care to the gaps in previous works, this work-in-progress paper introduces a
 Neupane et al.

novel HIPAA compliant Agentic AI framework that provides techni- Security Rule (45 CFR § 164.302–318, Subpart C): The secu-
cal safegurad to protect PHI. Fig. 1 provides a high-level overview of rity rule establishes mandatory protections for electronic Protected
our framework for several downstream tasks such as diagnosis pre- Health Information (ePHI), requiring covered entities to imple-
diction, care plans, clinical summary generation, radiology report ment a comprehensive framework across three core safeguard cate-
generation, and question and answer. Our framework implements gories. Administrative Safeguards focus on organizational policies,
HIPAA mandates through three core mechanisms: Attribute-Based including Risk Analysis Requirements (§ 164.308(a)), workforce
Access Control (ABAC) (§ 164.312(a)(1)), which dynamically re- security training (§ 164.308(a)(5)), and access control protocols (§
stricts data access based on user roles, resource sensitivity, and 164.308(a)(4)). Physical Safeguards address facility-level protections,
environmental context; layered PHI sanitization (§ 164.514(b)(2)), mandating controlled facility access (§ 164.310(a)) and device/me-
applying dual redaction stages (pre- and post-inference) to minimize dia disposal security (§ 164.310(d)). Technical Safeguards enforce
PHI exposure; and immutable audit trails (§ 164.312(b)), which log digital security through encryption standards (§ audit controls (§
all access events and policy decisions for compliance verification. 164.312(b)), and user identity verification mechanisms (§ 164.312(d)).
The major contributions of this paper are: Together, these layered requirements ensure ePHI remains confi-
• An Agentic AI framework integrating ABAC, sanitization, dential, integral, and available only to authorized personnel.
and audit agents to enforce HIPAA compliance in healthcare Breach Notification Rule (45 CFR § 164.400–414, Subpart D):
workflows. This rule requires covered entities to notify affected individuals,
• A hybrid PHI sanitization pipeline that combines regex HHS, and, in some cases, the media following a breach of unsecured
patterns and BERT-based model to mitigate PHI leakage PHI. A breach is defined as unauthorized access, acquisition, or
meeting HIPAA Safe Harbor and Expert Determination de- disclosure that compromises privacy (§ 164.402). Notifications must
identification rule. occur within 60 days of discovery (§ 164.404).
• Preliminary evaluation demonstrating the accuracy of PHI
detection and the efficiency of the system.
2.2 Agentic AI Systems in Healthcare
2 Background
Agentic AI systems have transformative potential for healthcare
In this section, we provide background on HIPAA, explore Agentic delivery by enabling iterative, role-specialized workflows that im-
AI systems in healthcare, and discuss the Access Controls. prove diagnostic precision and operational efficiency [6]. Agentic
AI systems deploy modular agents to execute discrete tasks such
2.1 Health Insurance Portability and as clinical summary generation or care plan interpretation with
Accountability Act (HIPAA) minimal human intervention. For example, an administrative agent
HIPAA, enacted in 1996, is a landmark federal law in the United could autonomously generate EHR updates, reducing documenta-
States designed to protect PHI, ensure continuity of health insur- tion burdens linked to physician burnout , while a patient facing
ance coverage, and modernize healthcare data exchange. The reg- agent synthesizes care plans into layperson friendly summaries, mit-
ulatory framework of HIPAA, codified in Title 45 of the Code of igating risks of misinterpretation [4]. Frameworks like MedInsight
Federal Regulations (CFR), imposes stringent requirements on cov- [3] exemplify agentic principles, where context-retrieval agents aug-
ered entities (e.g. healthcare providers, insurers) and their business ment medical Q&A systems with patient specific medical histories
associates to protect patient privacy and secure health data. Its and authoritative knowledge, empowering patients and caregivers
provisions are particularly critical in an era of EHR and advanced through personalized, targeted, and contextual medical recommen-
technologies, such as Artificial Intelligence (AI) and LLM, which dations. However, while current Agentic AI systems in healthcare
process vast amounts of sensitive health data. excel in few downstream tasks such as cognitive concern detection
[6], medical report generation [2], or automated clinical services
2.1.1 Core Components of HIPAA. HIPAA mandates comprise mul- [7] they lack robust mechanisms to ensure end-to-end HIPAA com-
tiple regulatory rules, each governing distinct facets of PHI man- pliance.
agement and oversight.
Privacy Rule (45 CFR § 160 and 164, Subpart E) : The privacy
rule establishes standards for the use and disclosure of PHI, defined
as individually identifiable health information transmitted or main- 2.3 Attribute-Based Access Control (ABAC)
tained in any form (45 CFR § 160.103). The key provisions include (i) ABAC is a dynamic authorization framework that grants or restricts
Minimum Necessary Standard which means covered entities must access to resources based on attributes associated with subjects
limit the access, use, or disclosure of PHI to the minimum necessary (users or agents), resources (data or services), actions (operations
to achieve the intended purpose (45 CFR § 164.502 (b)). (ii) Patient performed), and environmental conditions (for example, time, loca-
Rights- individuals retain the right to access (§ 164.524), request tion) [8]. Unlike Role-Based Access Control (RBAC), which relies
amendments (§ 164.526) and obtain an accounting of disclosures (§ on static role assignments, ABAC evaluates contextual attributes
164.528) of their PHI. (iii) Authorization Requirements which entails in real time, enabling granular, policy-driven decisions. This flexi-
written patient consent is mandatory for non-routine disclosures bility makes ABAC particularly suited for complex systems such
unrelated to treatment, payment or healthcare operations (45 CFR as Agentic AI workflows in healthcare, where access requirements
§ 164.508). vary dynamically across tasks and stakeholders.
Towards a HIPAA Compliant Agentic AI System in Healthcare

Ac c es s Cont r ol

Cl i ent LLM API or

prompt Pol i c y On- Pr emi s
Clinician/ request Enf or c ement Sani t i z at i on
Model
Admin/ Patients Agent Agent

sanitized
authorization request prompt
+ redaction raw
EHR response

Pol i c y
deny Dec i s i on allow Mi ddel ewar e
Agent Agent

deny raw
response

feedback
Audi t Pos t - I nf er enc e Downs t r eam
Log Redac t i on
Agent Tas k
Agent
sanitized response

Figure 3: Architecture of the HIPAA-compliant Agentic AI Framework for Clinical Workflows. The system integrates dynamic
Attribute-Based Access Control (ABAC), hybrid PHI sanitization, and immutable audit trails to enforce compliance across
autonomous data interactions in healthcare settings.
3 HIPAA Compliant Agentic AI Framework are enforced as part of policy decisions such as:
The overarching goal of our framework is to ensure continuous, !
Û
policy-driven HIPAA compliance for Agentic AI systems operat- 𝜙𝑖 (𝐴𝑠 , 𝐴𝑜 , 𝑎, 𝐸) =⇒ Authorize(𝑠, 𝑜, 𝑎) ∧ Enforce(O) (2)
ing within clinical workflows such as medical report generation. 𝑖
This section details the framework’s components, which enforce where O = {Log(𝑠, 𝑜, 𝑡), Sanitize(𝑜)}.
compliance through context-aware policy specification, dynamic Policies are codified in an XACML-like syntax that maps di-
access control, hybrid PHI sanitization, and immutable audit trails, rectly to the formal model. For example, the rule for a cardiologist
all designed to govern the autonomous decision-making inherent to described above translates to Listing 1.
Agentic AI. Figure 3 illustrates the high-level architecture, empha-
sizing how these mechanisms interact to secure sensitive healthcare < Policy >
data across all stages of Agentic AI systems. < Target >
< SubjectAttributes >
3.1 Access Control < Attribute Name = " role " Value = " cardiologist " /
>
The core of our methodology leverages ABAC to dynamically gov-
</ SubjectAttributes >
ern access to PHI in Agentic AI systems. Unlike traditional role-
< ResourceAttributes >
based models, ABAC evaluates subject attributes (e.g., user roles),
< Attribute Name = " data_type " Value = " cardiac " /
resource attributes (e.g., data sensitivity), action types (e.g., read-
>
/write), and environmental attributes (e.g., time, network security)
</ ResourceAttributes >
to enforce least-privilege access. Policies are defined using first-
< Action > Read </ Action >
order logic and enforced through a distributed architecture of policy
</ Target >
agents.
< Condition >
Let:
< EnvironmentAttribute Name = " time " Value = " 8 <=t
• 𝑆 = {𝑠 1 , . . . , 𝑠𝑛 }: Subjects with 𝐴𝑠 = {role, department, clearance} <=18 " / >
• 𝑂 = {𝑜 1 , . . . , 𝑜𝑚 }: Objects with 𝐴𝑜 = {type, sensitivity, owner} </ Condition >
• 𝐴 = {𝑎 1 , . . . , 𝑎𝑝 }: Actions < Obligations >
• 𝐸 = {𝑒 1 , . . . , 𝑒𝑘 }: Environmental attributes
< Obligation > log_access </ Obligation >
Authorization is granted iff: < Obligation > sanitize_phi </ Obligation >
Û </ Obligations >
Authorize(𝑠, 𝑜, 𝑎) ⇐⇒ 𝜙𝑖 (𝐴𝑠 , 𝐴𝑜 , 𝑎, 𝐸), (1) </ Policy >
𝑖
Listing 1: ABAC Policy for Cardiac Data Access
where 𝜙𝑖 are predicates combining attributes. For example, let 𝜙 1
be defined as: role(𝑠) = cardiologist ∧ sensitivity(𝑜) ≤ 2 ∧ (𝑎 = The sanitization agent enforces PHI de-identification and redac-
read) ∧ time(𝑒) ∈ [8, 18]. Obligations (e.g., logging, sanitization) tion as part of obligations, ensuring HIPAA’s Minimum Necessary
 Neupane et al.

and De-Identification rules. We utilize a hybrid approach combin- < Policy PolicyId = " MW - Revoke " >
ing rule-based regex patterns and a BERT-based model pipeline to < Condition >
detect and redact PHI. Regular expressions target structured identi- < AttributeMatch AttributeId = " consent_status "
fiers (e.g., Social Security Numbers: \d{3}–\d{2}–\d{4}, Medical Value = " revoked " / >
Record Numbers: [A-Z]\d{6}) with deterministic pattern match- </ Condition >
ing, ensuring efficient removal of standardized PHI formats. For < Obligations >
unstructured text, a BERT model fine-tuned in clinical corpora < Obligation > TERMINATE_SESSION </ Obligation >
(e.g., MIMIC-IV discharge notes) [9] identifies contextual PHI, such < Obligation > DELETE_CACHED_PHI </ Obligation >
as patient names, diagnoses or provider details, which lack rigid </ Obligations >
syntactic patterns. This approach complies with HIPAA’s expert </ Policy >
determination 45 CFR § 164.514(b)(1) for PHI redaction. For exam- Listing 2: Consent Revocation Policy
ple, the input “John Smith, 55, diagnosed with NSCLC in 2022” is
sanitized to ”[PatientName], [Age], diagnosed with [Condition] in Conversation Context Analysis: We prevent incremental dis-
[Year]” by masking regex-matched ages/years and BERT-recognized closure of PHI by tracking cumulative risk across a user session.
entities. For this, we calculate risk scores based on factors such as PHI Sensi-
The Policy Decision Agent (PDA) is responsible for evaluating tivity and Access frequency. Each type of PHI (e.g., SSN, diagnosis)
access requests against predefined security and privacy policies. is assigned a sensitivity level (1 = low, 5 = high), and how often PHI
Acting as a decision-making engine, the PDP analyzes contextual is accessed in the current session. The risk score is calculated as:
attributes such as user roles, resource types, actions, and environ- risk_score = (
Í
sensitivity of PHI ) × (number of PHI accesses)
mental conditions to determine whether access should be granted
or denied. A high-level overview of the PDP algorithm is shown in A cardiologist might be allowed a higher risk threshold (e.g., 20)
Algorithm 1. than a billing clerk (e.g., 10) before access is blocked.
Algorithm 1 Policy Decision Agent
3.3 Post-Inference Redaction Agent
1: function EvaluateReqest(𝑠, 𝑜, 𝑎, 𝐸) This agent re-sanitizes Agentic AI outputs to address residual PHI
2: Load policies for (𝐴𝑠 , 𝐴𝑜 , 𝐴𝑎 , 𝐸) leakage. Similarly to the sanitization agent discussed earlier (see
3: for each policy ∈ policies do Section 3.1) it uses both HIPAA’s Safe Harbor and Expert determina-
4: if MatchAttributes(𝐴𝑠 , 𝐴𝑜 , 𝐴𝑎 , 𝐸) then tion de-identification techniques. We use PDA generated obligations
5: return (ALLOW, O) ⊲ With obligations for attribute-driven redaction. Table 1 presents an overview of the
6: end if redaction obligation.
7: end for
Table 1: An overview of attribute driven redaction.
8: return DENY
Obligation Redaction Action
9: end function
REDACT_ALL Replace all PHI with [REDACTED]
REDACT_DEMO Remove demographics (names, DOB)
3.2 Middleware Agent MASK_CODES Replace ICD-10 codes with category tags
LLMs in Agentic systems operating as on-premises models or third-
party APIs require continuous attribute-based governance. For API Following post-inference redaction, the redacted response is dis-
calls a Business Associate Agreement (BAA) is mandatory under seminated through two paths to balance usability and compliance.
HIPAA. In such case, BAA compliance must be included as envi- First, the sanitized output is delivered to the end-user, ensuring only
ronment attribute such that: HIPAA-compliant data is released per the Minimum Necessary Stan-
dard (§ 164.502(b)). Concurrently, both raw and sanitized responses
Authorize(𝑠, 𝑜, 𝑎) ⇐⇒ 𝜙𝑖 (𝐴𝑠 , 𝐴𝑜 , 𝐴𝑎 , 𝐸) ∧ BAA𝑣𝑎𝑙𝑖𝑑 (API𝑝 ) (3)
are archived in the Audit Agent’s cryptographically secured ledger
where, 𝐵𝐴𝐴𝑣𝑎𝑙𝑖𝑑 is a boolean check confirming an active BAA (see 3.4), creating an immutable, tamper-evident audit trail. This
with the third-party API provider and 𝐴𝑃𝐼𝑝 is an attribute identify- dual-path approach enforces accountability while fulfilling HIPAA’s
ing the external service (e.g., "AWS", "Azure OpenAI"). 6-year retention mandate (45 CFR § 164.316), ensuring retrospective
The middleware agent intercepts all requests/responses to/from compliance verification without obstructing real-time clinical or
the LLM, enforcing dynamic policy evaluation through three core administrative workflows.
mechanisms such as session attribute tracking, stateful policy reeval-
uation, and conversation context analysis. 3.4 Audit Agent
Session Attribute Tracking: It maintains a real-time session The audit agent implements dual logging architecture based on the
state through three critical attributes: National Institute of Standards and Technology (NIST) 800-66r2
• user_role (e.g., “nephrologist”, “billing_specialist”) [10] such as interaction logs and decision logs. The former records
• consent_status (active/revoked) sanitized user queries, policy decisions, and redaction actions. Both
• phi_access_count (number of PHI elements accessed) raw LLM outputs and sanitized versions are stored for forensic
Stateful Policy Reevaluation: Triggers PDA reauthorization investigations. The latter is an immutable ledger of access deci-
when session attributes change. An example of consent revocation sions (allow/deny) secured via cryptographic hashing to prevent
during session is presented in Listing 2. tampering.
Towards a HIPAA Compliant Agentic AI System in Healthcare

4 Preliminary Results access requests across multiple roles (e.g., cardiologist, billing clerk)
and data sensitivity levels. Key performance metrics included ABAC
4.1 Dataset
Policy Matching Accuracy, Decision Latency, and Risk Threshold
We utilize Medical Information Mart for Intensive Care (MIMIC-IV) Enforcement. The PDA demonstrated 99.1% accuracy in dynamically
dataset [9], a publicly available Electronic Health Record (EHR) granting/denying access based on contextual attributes including
repository from Beth Israel Deaconess Medical Center, accessible user roles and temporal constraints. The system maintained an
via PhysioNet. This dataset comprises more than 109,000 Emer- average decision time of 12.3ms (SD = 2.1 ms), satisfying real-time
gency Department (ED) visits, each record including emergency requirements for clinical workflow integration. Sessions exceeding
stay diagnosis codes ICD-9 or ICD-10, chief complaints, at least role-specific risk thresholds (cardiologist: 20, billing clerk: 10) were
one radiology report, and discharge summary. A summary of data terminated with 100% reliability, preventing potential PHI over-
statistics is presented in Table. 2. We utilize discharge summary exposure. Furthermore, consent revocation events (as implemented
Table 2: Dataset Statistics in Listing 2) resulted in instantaneous session termination and
Item Samples Training Validation Testing deletion of cached PHI data, demonstrating effective compliance
Admissions 109,168 68,785 14,719 10,962 with HIPAA’s Right to Revoke provision (§ 164.508(b)(5)).
Discharge Summaries 109,168 68,785 14,719 10,962
Radiology Reports 409,359 259,304 54,650 40,608 5 Discussion, Futurework & Conclusion
ED Stays & Chief Complaints 109,403 68,936 14,751 10,985
ED Diagnoses 218,376 138,112 29,086 21,764 Our HIPAA-compliant Agentic AI framework addresses the critical
challenge of securing autonomous workflows in healthcare by inte-
as our dataset to evaluate the effectiveness of the PHI sanitization grating three core mechanisms: (1) dynamic Attribute-Based Access
technique described in Section 3.1. These summaries come with Control (ABAC) to enforce granular, context-aware permissions
prior de-identification and anynomization as shown in Fig. 4 where over unstructured EHR data, (2) a hybrid PHI sanitization pipeline
the PHI entities have been replaced and redacted with dashes. We combining regex and BERT-based model to minimize leakage in
first augment the redacted PHI with synthetic PHI using 0-shot free-text narratives, and (3) immutable audit trails to ensure account-
inference using LLAMA 3.2. The augmented data are then validated ability under HIPAA’s retention mandates. While our synthetic PHI
with our sanitization and post-inference redaction agent. evaluation followed HIPAA Safe Harbor and Expert Determination
guidelines, real-world deployment may reveal edge cases in free-
Name: —- Unit No: —- Sex: F DOB: —- Admission Date: — text documentation patterns. Preliminary results demonstrate the
Discharge Date —- the effectiveness of our framework. By embedding HIPAA’s Min-
Service: Medicine, Allergies: Percocet imum Necessary Standard (§ 164.502(b)) into every stage of data
Chief Complaint: Abdominal fullness and discomfort.
History of Present Illness: —- with HIV (on HAART), COPD, and interaction, our framework advances the responsible deployment
cirrhosis complicated by ascites and hepatic encephalopathy [...] of Agentic AI systems in clinical settings. Future work will extend
Imaging:—- CXR- No acute cardiopulmonary abnormality.—-RUQ US 1.
Extremely coarse and nodular [...]
these safeguards to multi-modal data (e.g., imaging, genomics) and
adversarial scenarios, ensuring scalability as healthcare workflows
Figure 4: An example of unstructured discharge summary. — increasingly adopt Agentic AI systems.
represent anynomized PHI entities and [...] is used for brevity
of textual contents. Acknowledgment
This work was supported by the Predictive Analytics and Tech-
nology Integration (PATENT) Laboratory at the Department of
4.2 Evaluation Computer Science and Engineering, Mississippi State University.
We present our preliminary findings on three key dimensions in-
cluding PHI sanitization accuracy, policy enforcement efficiency, References
and risk mitigation. Table 3 presents an overview of PHI sanitization [1] Yonadav Shavit, Sandhini Agarwal, Miles Brundage, Steven Adler, Cullen O’Keefe,
accuracy. Our hybrid approach demonstrated superior performance, Rosie Campbell, Teddy Lee, Pamela Mishkin, Tyna Eloundou, Alan Hickey, et al.
Practices for governing agentic ai systems. Research Paper, OpenAI, 2023.
particularly in handling unstructured clinical narratives. The BERT [2] Malavikha Sudarshan, Sophie Shih, Estella Yee, Alina Yang, John Zou, Cathy
model achieved 96.5% recall for contextual PHI (e.g., diagnoses), Chen, Quan Zhou, Leon Chen, Chinmay Singhal, and George Shih. Agentic
while regex maintained 100% precision for structured identifiers. llm workflows for generating patient-friendly medical reports. arXiv preprint
arXiv:2408.01112, 2024.
Table 3: PHI Redaction Performance Comparison (N=500 [3] Subash Neupane, Shaswata Mitra, Sudip Mittal, Manas Gaur, Noorbakhsh Amiri
Golilarz, Shahram Rahimi, and Amin Amirlatifi. Medinsight: A multi-source con-
notes, 2,350 PHI instances) text augmentation framework for generating patient-centric medical responses
using large language models. ACM Trans. Comput. Healthcare, December 2024.
Metric Regex-Only BERT-Only Hybrid [4] Subash Neupane, Himanshu Tripathi, Shaswata Mitra, Sean Bozorgzad, Sudip
Mittal, Shahram Rahimi, and Amin Amirlatifi. Clinicsum: Utilizing language
Precision 98.2% 92.1% 99.4% models for generating clinical summaries from patient-doctor conversations. In
Recall 67.3% 89.8% 97.6% 2024 IEEE International Conference on Big Data (BigData), pages 5050–5059, 2024.
F1-Score 79.8% 90.9% 98.4% [5] Accountability Act. Health insurance portability and accountability act of 1996.
Public law, 104:191, 1996.
Residual PHI 32 24 3 [6] Jiazi Tian, Liqin Wang, Pedram Fard, Valdery Moura Junior, Deborah Blacker,
Jennifer S Haas, Chirag Patel, Shawn N Murphy, Lidia MVR Moura, and Hossein
The policy enforcement efficiency was evaluated by evaluating Estiri. An agentic ai workflow for detecting cognitive concerns in real-world
the decisions made by PDA. For this, we we evaluated 200 simulated data. arXiv preprint arXiv:2502.01789, 2025.
 Neupane et al.

[7] Sandeep Reddy and Aaron Snoswell. Enabling responsible ai agents in healthcare: [9] Alistair EW Johnson, Lucas Bulgarelli, Lu Shen, Alvin Gayles, Ayad Shammout,
A comprehensive framework for clinical integration, triage, and personalized Steven Horng, Tom J Pollard, Sicheng Hao, Benjamin Moody, Brian Gow, et al.
service delivery. 2025. Mimic-iv, a freely accessible electronic health record dataset. Scientific data,
[8] Vincent C Hu, D Richard Kuhn, David F Ferraiolo, and Jeffrey Voas. Attribute- 10(1):1, 2023.
based access control. Computer, 48(2):85–88, 2015. [10] A Cybersecurity Resource Guide. Implementing the health insurance portability
and accountability act (hipaa) security rule. Cybersecurity Resource, 2024.