How We Built HIPAA-Compliant AI with Zero PHI Exposure
A mid-Atlantic regional healthcare system with 2,000+ clinicians needed AI-powered clinical decision support without exposing protected health information to foundation models.
The Challenge
Clinicians spent an average of 96 minutes per day on manual clinical data lookups — querying EHR systems, cross-referencing lab results, reviewing medication histories. At $150/hour average clinician rate, this represented $115M annually across the system.
The organization wanted to deploy an AI assistant, but faced a fundamental conflict:
- AI productivity: Foundation models (FMs) need clinical context (patient names, dates, diagnoses) to provide useful answers.
- HIPAA compliance: PHI cannot be sent to shared FM inference endpoints. Policy-based controls such as prompt engineering were rejected by the HIPAA Privacy Officer as insufficient.
The requirement: It must be structurally impossible for PHI to reach the foundation model, not merely policy-prohibited.
Technology Stack
Amazon Bedrock (tiered: Claude 3.5 Sonnet / Claude 3 Haiku), Amazon Bedrock Guardrails, AgentCore Runtime, Strands Agents SDK, AWS Lambda (PHI-zone processing), Amazon Comprehend Medical, DynamoDB (token mapping with a 24-hour TTL), Cognito (MFA + SAML federation), VPC endpoints, KMS encryption, CloudTrail audit logging.
MCP server exposing PHI anonymization tools for cross-agent interoperability.
AWS Partner Validation
This case study is part of EFS Networks' AWS Agentic AI Competency submission. View our validated case studies on the AWS Partner Network.
Key Capabilities Demonstrated
Problem Category: Healthcare AI, Clinical Decision Support, HIPAA Compliance, Privacy-Preserving AI
AI Models Used: Claude 3.5 Sonnet (complex reasoning), Claude 3 Haiku (simple lookups)
Compliance Framework: HIPAA Privacy Rule, AWS HIPAA Business Associate Agreement, Structural PHI Protection
Architecture Pattern: Dual-zone architecture with IAM-enforced separation, Amazon Comprehend Medical entity extraction, tokenization with DynamoDB TTL
AWS Services: Amazon Bedrock, Bedrock Guardrails, AgentCore Runtime, Strands Agents SDK, Comprehend Medical, Lambda, DynamoDB, Cognito MFA
Business Outcome: $115M annual cost reduction opportunity, 96 minutes/day saved per clinician, zero PHI exposure incidents, 99.94% anonymization accuracy
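The Technology Stack and Architecture Pattern sections above describe the core mechanism: PHI is detected in the PHI zone, replaced by opaque tokens whose mapping lives only in a DynamoDB table with a 24-hour TTL, and only the tokenized text crosses into the foundation-model zone; the model's answer is re-hydrated on the way back. The following is an added example written for this page, not EFS Networks' code. It runs offline: a small regex rule set stands in for Amazon Comprehend Medical's detect_phi output, an in-memory dict with an expiry timestamp stands in for the DynamoDB table and its TTL attribute, and a lambda stands in for the Bedrock call. The token format, session scoping, and the pre-send leak gate are the author's assumptions, not the project's design.

```python
"""Tokenize PHI before a prompt leaves the PHI zone, re-hydrate the answer afterwards.

Constructed example. Stand-ins replace Comprehend Medical (detect_phi) and the
DynamoDB token map so the flow can be exercised without AWS credentials.
"""
import re
from dataclasses import dataclass

TTL_SECONDS = 24 * 60 * 60  # mirrors the 24-hour TTL on the token-mapping table


@dataclass
class Entity:
    text: str
    etype: str   # NAME, ID, DATE: the PHI types Comprehend Medical's detect_phi reports
    begin: int
    end: int


# Assumption: regex stand-in for comprehendmedical.detect_phi(Text=...) output.
_PHI_RULES = [
    ("NAME", re.compile(r"\b(?:Mr|Mrs|Ms|Dr)\.\s+[A-Z][a-z]+\b")),
    ("ID", re.compile(r"\bMRN[- ]?\d{6,}\b")),
    ("DATE", re.compile(r"\b\d{4}-\d{2}-\d{2}\b")),
]


def detect_phi(text):
    """Return detected PHI spans sorted by position (stand-in for the real API)."""
    ents = [Entity(m.group(), etype, m.start(), m.end())
            for etype, rx in _PHI_RULES for m in rx.finditer(text)]
    return sorted(ents, key=lambda e: e.begin)


class TokenStore:
    """In-memory stand-in for the DynamoDB token map with a TTL attribute.

    Items are keyed by (session, token) so one clinician's tokens never
    resolve in another session, and expired items behave as if DynamoDB
    had already deleted them.
    """

    def __init__(self):
        self._items = {}  # (session, token) -> (original_text, expires_at)

    def put(self, session, token, original, now):
        self._items[(session, token)] = (original, now + TTL_SECONDS)

    def get(self, session, token, now):
        item = self._items.get((session, token))
        if item is None or now >= item[1]:
            return None
        return item[0]


TOKEN_RX = re.compile(r"\[\[(?:NAME|ID|DATE)_\d+\]\]")


def tokenize(text, session, store, now):
    """Replace each PHI span with an opaque token; return (safe_text, entities)."""
    out, cursor, counters = [], 0, {}
    ents = detect_phi(text)
    for e in ents:
        n = counters[e.etype] = counters.get(e.etype, 0) + 1
        token = f"[[{e.etype}_{n}]]"
        store.put(session, token, e.text, now)   # mapping stays in the PHI zone
        out.append(text[cursor:e.begin])
        out.append(token)
        cursor = e.end
    out.append(text[cursor:])
    return "".join(out), ents


def assert_no_phi(safe_text, entities):
    """Structural gate before the zone boundary: refuse to send if any detected PHI survived."""
    leaked = [e.text for e in entities if e.text in safe_text]
    if leaked:
        raise ValueError(f"PHI present in outbound prompt: {leaked}")
    return True


def rehydrate(model_text, session, store, now):
    """Swap tokens in the model's answer back to originals; unknown or expired tokens stay masked."""
    return TOKEN_RX.sub(lambda m: store.get(session, m.group(), now) or m.group(), model_text)


def run_pipeline(note, session, store, now, model):
    """End-to-end: PHI zone -> tokenized prompt -> model -> re-hydrated answer."""
    safe, ents = tokenize(note, session, store, now)
    assert_no_phi(safe, ents)
    answer = model(safe)          # only tokens cross into the FM zone
    return rehydrate(answer, session, store, now)


# Constructed sample clinical note (fictional patient).
NOTE = "Mr. Alvarez (MRN 00123456) had an A1c of 7.9 on 2024-03-12; review metformin dose."


if __name__ == "__main__":
    store, now = TokenStore(), 1_700_000_000
    # Stand-in for Bedrock: the answer references tokens, never the underlying PHI.
    fake_model = lambda p: "Patient [[NAME_1]] is above A1c target as of [[DATE_1]]."
    print(run_pipeline(NOTE, "session-1", store, now, fake_model))
    # A day later the mapping has expired, so the same answer stays masked.
    print(rehydrate("Patient [[NAME_1]] ...", "session-1", store, now + TTL_SECONDS))
```

The two properties worth checking in a real deployment are visible here: the token map is the only place the original text exists, so expiry or a session mismatch leaves the answer masked rather than leaking, and the gate in assert_no_phi runs before the prompt leaves the PHI zone, which is what turns "policy says no PHI" into a check that fails closed.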
Let's talk about what you're building.
Our team brings over two decades of experience to every engagement. Tell us about your project and we'll show you what's possible.