The Compliance Gap
A healthcare startup I worked with last year tried to build an agent that could summarize patient notes. Seemed straightforward: feed it a chart, get back a summary, reduce clinician workload.
Three months in, their compliance officer asked the obvious question: "What data did the agent access? Can we prove it? What models processed the data? Where did that processing happen?"
They couldn't answer any of it. The agent called an LLM API. The LLM was a black box. Patient data went in, a response came out, and there was no audit trail in between.
That's the gap. Most agent frameworks are built for developers, not for regulated industries. Healthcare needs guarantees about data access, tool permissions, and model routing. HIPAA demands them. Your standard orchestration platform doesn't provide them.
Let me explain what the actual requirements are, why existing tools fail, and how to fix it.
HIPAA for Agents: The Specific Rules
HIPAA has four pillars that directly apply to AI agents.
Audit Trails. Every access to Protected Health Information (PHI) must be logged. Who accessed it. When. Why. What was retrieved. What modifications were made. You need to be able to answer these questions months later in a format that holds up in an audit.
Agents don't log by default. An agent might call ten different tools in a workflow—a database query here, an API call there. Each tool interaction counts as a potential PHI access. You need to capture all of it.
Access Control. Minimum necessary standard. An agent should only access the data it needs to complete its task. A scheduling agent doesn't need read access to lab results. A billing agent doesn't need access to psychiatric records.
Most agent frameworks let you bolt on a database connection and call it a day. There's no built-in way to restrict tool access by role or task. You have to implement that yourself, and people skip it.
Business Associate Agreements. If your agent sends data to an external API (any LLM inference service, any cloud provider), your BAA covers it. Not all providers have BAAs. If an agent can accidentally route data to unapproved providers, you're in breach before you know it.
Data Flow Transparency. You need to know the path your data takes. Patient data should not flow to consumer LLM APIs. Sensitive data should not be logged or fine-tuned on. Your governance model needs to enforce this.
Why Standard Frameworks Fail
I've looked at LangGraph, CrewAI, AutoGen, and others through a HIPAA lens. They all have the same problem: they assume privacy and security are handled somewhere else.
LangGraph has no built-in audit logging for tool calls. You can add it yourself, but it's not integrated. CrewAI has no tool-level access control. An agent can call any tool available to it. AutoGen doesn't support BAA-compliant LLM routing.
They work great for internal tools where compliance doesn't matter. For healthcare, they're incomplete.
Orloj's Approach
Orloj was built with governance as a core feature, not an afterthought. Here's how it addresses each requirement.
AgentPolicy defines data restrictions. You specify what data categories an agent can access (PHI, genomics, billing records). The policy is enforced at runtime. An agent can't bypass it without code changes. When the agent runs, Orloj logs every data access against the policy, giving you the audit trail HIPAA requires.
ToolPermission is fine-grained access control. You define which agents can call which tools. A scheduling agent gets access to the calendar tool and the patient lookup tool. It can't call the lab system or the prescription writer. These permissions are centralized. You revoke access without redeploying.
Audit Logging captures every material action. When an agent accesses data, calls a tool, or sends information to an external service, it's logged with context: agent identity, task ID, timestamp, data classification, result. That log is immutable and queryable. You can answer "what data did this agent access in the last 30 days" in seconds.
Model Whitelisting prevents accidental data leakage. You specify which LLMs agents can use. Consumer models like OpenAI GPT-4 can be restricted from healthcare data. Internal models or enterprise-grade providers with BAAs can be whitelisted. If an agent tries to route data to an unapproved model, it fails.
HIPAA Compliance Checklist
Here's how Orloj's features map to HIPAA requirements:
Audit Trail: AgentPolicy + Audit Logging give you complete visibility. Every data access is recorded with agent, timestamp, data type, and result. The audit log is queryable and exportable.
Access Control: ToolPermission enforces minimum necessary. Agents are scoped to specific tools. You can audit what permissions each agent has and revoke instantly.
Business Associate Agreements: Model Whitelisting ensures data only goes to approved providers. You define which LLMs are BAA-covered. Agents can't route to unauthorized providers.
Data Classification: AgentPolicy requires tagging data by sensitivity. The policy enforces handling rules per classification. Logging tracks which classifications were accessed.
Incident Response: Complete audit logs let you reconstruct what happened during a breach. You can answer "was this data accessed" and "by which agents" within minutes.
Regular Testing: Orloj's YAML-based policies are version-controlled. You can audit policy history and test changes in staging before production.
Sample HIPAA-Compliant Configuration
Here's what a real policy looks like:
apiVersion: agent.orloj.dev/v1beta1
kind: AgentPolicy
metadata:
name: patient-summary-agent
namespace: healthcare
spec:
agent:
selector:
name: clinical-summarizer
permissions:
tools:
- name: patient-database
read: ["demographics", "chief_complaint", "assessment", "plan"]
write: false
- name: lab-system
read: []
write: false
- name: note-retriever
read: ["current_encounter_notes"]
write: false
dataClassification:
allowed:
- PHI
- CLINICAL_DATA
prohibited:
- GENETIC_DATA
- PSYCHIATRIC_RECORDS
models:
approved:
- name: azure-gpt4-healthcare
provider: "Microsoft"
baaCovered: true
- name: internal-llm
provider: "Self-hosted"
baaCovered: true
denied:
- name: openai-gpt4
reason: "No BAA coverage"
- name: claude-api
reason: "No BAA coverage"
audit:
enabled: true
retention: "2555 days"
exportTo: "hipaa-audit-store"
rateLimit:
requests: 100
window: "1h"
status:
active: true
lastUpdated: "2026-04-15T10:30:00Z"
This agent can read patient demographics and notes. It can't write anything. It can't access lab data, genetic records, or psychiatric notes. Its requests go only to approved, BAA-covered LLMs. Every call is logged with full context.
When an audit happens, you export the logs. You can show exactly what data this agent accessed, when, and where it went.
FAQ: Healthcare Leaders and Compliance Officers
Q: Can AI agents actually be HIPAA compliant?
Yes, but most frameworks don't support the governance you need. You need audit logging at the tool level, access control that's enforced at runtime, and model whitelisting to prevent data leakage. Standard agent frameworks expect you to bolt this on yourself. Orloj includes it.
Q: How do I audit agent access to patient data?
The right way: your agent framework logs every tool call with context—what data was accessed, by which agent, at what time, with what classification. You need immutable audit logs that live outside the agent's control. You need to be able to query them by date, agent, data type, and outcome. Orloj does this. Most frameworks don't.
Q: Do agents need a Business Associate Agreement?
If your agent sends data to any external service—any API, any cloud provider, any third-party LLM—yes. The BAA covers the data processor. You need to verify that your LLM provider has a healthcare BAA in place. Some do. Many don't. Your governance should prevent agents from sending data to unapproved providers.
Q: What about fine-tuning on patient data?
HIPAA generally doesn't allow it. Fine-tuning means the data becomes part of the model. You lose control over who can access it. Some enterprise LLM providers offer fine-tuning with BAA coverage and data isolation, but it's the exception. For most deployments, don't fine-tune on PHI. Your governance should prevent it.
Q: How often should we audit agent permissions?
Quarterly at minimum. When an agent's role changes, audit immediately. When a team member leaves, revoke their agent's permissions that day. When you add a new tool or data source, review which agents have access. Orloj's YAML-based policies make these audits straightforward—you can diff policy files and track who changed what.
Q: What if an agent malfunctions and accesses data it shouldn't?
Your audit log tells you exactly what happened. When. What data was accessed. What was done with it. From there, you follow your incident response protocol: notify affected patients, investigate root cause, remediate the access control that failed. The audit trail is your evidence that you detected it and responded appropriately.
Q: Can we use consumer LLMs like ChatGPT for healthcare agents?
Technically yes, but it's a compliance nightmare. ChatGPT's API doesn't have a healthcare BAA. OpenAI reserves the right to log and learn from inputs. You're sending patient data to a system you don't control. Compliance officers will push back. If you use consumer APIs, you need a policy that strictly prohibits PHI. Your model whitelist should exclude them entirely.
Implementation Reality
I'll be honest: building HIPAA-compliant agents is more work than the marketing says. You need to design your agent's task scope narrowly. You need to test access controls. You need a process for retiring agents and revoking permissions. You need to practice your audit response before an incident happens.
Orloj handles the infrastructure. You still have to handle the design.
But here's what Orloj does for you: it removes the burden of building audit trails, access control, and governance from scratch. You don't reinvent that wheel. You define your policy in YAML, deploy it, and it's enforced. Your compliance team can audit the policy files, not just trust that your developers did it right.
For healthcare systems evaluating agent frameworks, that matters. A lot.
Disclaimer: This post is educational information about compliance considerations for AI agents in healthcare. It is not legal advice. HIPAA is complex, and the details vary by deployment, business relationship, and data classification. Consult with your legal and compliance teams before deploying agents in healthcare. Orloj provides tools to enforce governance policies, but governance alone doesn't guarantee compliance. Implementation and operational security are your responsibility.
Related posts
Agent Governance for Financial Services: What Compliance Teams Actually Need
Regulators care about audit trails, model risk management, and data access controls. Most agent frameworks provide none of these. Here's what financial services compliance actually requires from agent infrastructure.
EU AI Act and Agent Systems: What You Need to Do Before August 2026
The EU AI Act's enforcement date for high-risk systems is August 2, 2026. If you operate agents in healthcare, finance, HR, or critical infrastructure, you have four months to implement governance, audit trails, and technical documentation. Here's what needs to happen now.
Why Every Agent System Needs a Governance Layer (Not Just Guardrails)
Guardrails check outputs. A governance layer controls inputs, execution, access, and budget. They solve different problems. Most teams need both.