Avery
RuntimeUse casesPricingHelpBlog
← All postsBlog

Building HIPAA-compliant AI agents

2026-06-11 · Avery NXR

Every healthcare team wants to use AI. Every compliance team says no.

The reason is structural. Cloud AI tools are structurally incompatible with HIPAA's requirements for protected health information. Not because the cloud AI vendors are negligent. Because the architecture forces choices that don't survive a compliance review.

This post is for healthcare IT leaders, clinical operations directors, and the founders building healthcare products who have hit the compliance wall. The path forward exists. It runs through local-first AI.

What HIPAA actually requires, why cloud AI fails it, what local-first AI changes, and how to build a HIPAA-compliant agent for a real healthcare workflow. With a concrete example you can deploy.

What HIPAA actually requires for AI workloads

The relevant HIPAA components for AI deployments:

The Privacy Rule. Restricts uses and disclosures of PHI. AI systems that process PHI are subject to the same rules as humans handling PHI.

The Security Rule. Requires administrative, physical, and technical safeguards. AI systems need authentication, encryption, audit logs, integrity controls.

Business Associate requirements. Any third party that touches PHI must be a Business Associate with a signed BAA. If your AI vendor processes PHI, they need a BAA.

The minimum necessary standard. PHI should be limited to the minimum needed for the specific task. AI systems that get more data than they need violate this.

Breach notification. If PHI is improperly disclosed, you have notification obligations to the affected individuals, HHS, and potentially the media. The threshold is low.

Audit requirements. Hospitals and other covered entities are subject to periodic OCR audits. The auditors look for documentation, audit logs, and evidence of ongoing compliance.

These are real requirements with real teeth. Multi-million dollar penalties for violations. Plus the reputational damage of a breach disclosure.

Why cloud AI structurally fails HIPAA

The mismatch isn't about whether the vendor has good intentions. It's about architecture.

Cloud AI requires sending PHI to a third party. That third party becomes a Business Associate. You need a BAA. Some cloud AI providers offer them; many do not. Even with a BAA, the compliance burden for your specific workflow is still yours.

The minimum necessary standard is hard to meet when you're sending arbitrary prompts to a cloud API. A user can paste an entire patient record into a chat window. The model "sees" all of it. The cloud vendor's logs probably contain all of it. Even if the vendor doesn't retain the data long-term, it transited their infrastructure.

Audit logs become bifurcated. Your audit log records that you made a call to the AI vendor. The vendor's audit log records what they did with the data. Reconciling these for a compliance review is hard.

Breach notification gets complicated. If the AI vendor has a breach, are you responsible for notifying patients? The contract usually says yes. Your team becomes responsible for incidents that happened on someone else's infrastructure.

The minimum necessary standard combined with the way LLM prompts work creates ongoing friction. Each prompt is its own little disclosure decision. Each one needs to satisfy the standard. Most organizations can't audit prompt-level disclosure decisions across hundreds of users.

Some healthcare organizations make it work with cloud AI by adding heavy controls: deidentification before any data leaves, prompt logging and review, role-based limits on who can use the AI, periodic compliance audits of usage. The controls work but they're expensive to maintain and they limit how the AI can be used.

What local-first AI changes

The local-first architecture removes most of the friction.

PHI never leaves the device. The AI model runs on the same hardware where the PHI already lives. No transmission. No third-party processor. No BAA needed because no business associate exists.

The minimum necessary standard becomes architectural. The model only sees what you explicitly pass to it. Since the model is local, you can be surgical about what data flows where.

Audit logs are unified. The AI usage is part of your existing audit infrastructure. Everything you need for a compliance review is in your environment.

Breach risk is bounded. If PHI is exposed, it's exposed within your boundary. Notification still applies, but you control the response from start to finish.

The compliance review becomes much simpler. Auditors look at one system, your system, with documentation you control.

What still requires your compliance team's review

Local-first AI handles the architectural piece. Other pieces still need attention.

Access controls. Who can run the agents? What can they pass in? Role-based access aligned with the principle of least privilege.

Audit log retention. HIPAA wants six years of access logs. Your AI audit logs need to align.

Incident response. What happens when something goes wrong? Who gets notified? How do you assess scope?

Sanction policies. What happens to users who violate policy?

Training. Anyone who uses the AI needs to understand the rules.

BAA decisions for any auxiliary services. Even if the AI itself is local, you might use cloud services for storage, identity, monitoring. Those still need BAAs.

These are the same compliance considerations that apply to any new system. Local-first AI doesn't eliminate them. It just removes the architectural impossibility that made cloud AI a non-starter.

A concrete build: patient intake summarization agent

Here's a real workflow you can deploy.

The use case. A nurse runs intake for a new patient. The intake notes are 5 to 10 pages of unstructured text covering medical history, current symptoms, medications, social history, etc. The clinician arriving for the appointment needs a 1-page structured summary highlighting key findings.

Currently, the nurse writes the summary by hand. It takes 15 to 20 minutes per patient. The summary quality varies by nurse. Sometimes important details get missed.

The AI version. After the nurse completes intake, an AI agent reads the notes and generates a structured summary covering: chief complaint, relevant medical history, current medications with potential interactions, key social factors, recommended priority areas for the clinician.

The architecture, built with Avery NXR:

A local AI model running on the clinic's workstation. Qwen2.5 14B is a good fit for medical text.

A structured prompt template that defines the summary format and constraints (no inference about diagnosis, no recommendation about treatment, just structured extraction).

A trigger that fires when intake notes are saved to the EMR. Reads the notes from the EMR via local API, runs them through the model, writes the summary back to the EMR.

An audit log that captures: who ran the agent (the nurse's user ID), when, on which patient (encrypted patient ID), what notes were passed in (hashed for tamper detection), what summary was returned (full text).

A configuration that disallows the agent from any network call. Local processing only.

The result. Summary generation takes 30 seconds instead of 20 minutes. Quality is consistent. The audit log demonstrates compliance to OCR auditors.

The compliance documentation that goes with it

Beyond the technical build, the documentation matters.

A System Description. What the agent does, what data it processes, what controls are in place.

A Risk Analysis. What could go wrong, what's the mitigation, what's the residual risk.

A Data Flow Diagram. Where PHI moves, what touches it, where it ends up.

An Access Control Policy. Who can use the agent, how access is granted and revoked, how audits are performed.

A Breach Response Plan. What happens if the agent does something wrong, how scope is assessed, how notifications happen.

Training Records. Documentation that users have been trained on appropriate use.

Periodic Review. Schedule for reviewing the configuration, the access list, the audit logs, the risk analysis.

Avery NXR ships templates for all of these aligned to HIPAA specifically. They're not a substitute for your compliance team's review, but they cut the documentation effort substantially.

The Consult Mode pattern for HIPAA workflows

Some healthcare tasks genuinely benefit from frontier model capability. Complex differential diagnosis. Rare disease analysis. Treatment optimization for unusual presentations.

For these, the Consult Mode pattern works.

The local model processes the patient data and generates the analysis it can. If the case is flagged as complex (low confidence, rare condition flags, etc.), the system offers to escalate.

The escalation requires explicit clinician consent. The clinician sees what would be sent to the frontier model. PHI is anonymized (names, dates, locations, MRN). The clinician can decline.

If the clinician approves, the anonymized payload goes to the frontier model via the clinician's BYOK key. The response comes back, gets associated with the local patient record, and the entire flow is audit-logged.

This pattern lets you get frontier capability for rare hard cases without making cloud AI the default. Cloud is the exception, not the rule. The compliance posture stays clean.

What this looks like for a hospital system

For a hospital system deploying local-first AI broadly:

Workstation-class hardware in clinical areas (M-series Macs or equivalent). Each runs Avery NXR with appropriate models.

Centralized model management. IT manages model updates, plugin versions, configuration policy.

Integration with the EMR via local APIs. Either the EMR runs on the same hardware or talks to a local backend that bridges securely.

Audit log aggregation. Per-workstation logs flow to a centralized SIEM for monitoring.

Identity integration. Active Directory or other SSO for user authentication.

The deployment scales from a single workstation in a small clinic to thousands of workstations in a major health system. The architecture is the same.

The business case

The economics for hospital systems:

Time savings on each AI-assisted workflow. For the intake example, 15 minutes per patient saved across thousands of patients per month is significant clinician time freed up.

Quality improvements. Consistent summaries, fewer missed details, better handoffs between shifts.

Compliance cost reduction. The audit log architecture makes OCR audits faster and cheaper.

Cloud AI cost avoidance. The hardware investment pays back versus paying for cloud AI at hospital scale within months.

Strategic positioning. Hospitals using AI well for clinical workflows differentiate in physician recruitment and patient experience.

The cost of the hardware and the deployment is real but bounded. For a mid-size hospital, the total cost of deploying local-first AI broadly is comparable to a single year of cloud AI fees that the hospital could not have paid anyway due to compliance.

When to keep using paper or basic EMR features

Local-first AI is powerful but not the answer to everything.

Simple structured data tasks (medication lists, vital signs trends) that the EMR already handles well don't need AI.

Real-time clinical decision support requires regulatory clearance (FDA approval as software-as-medical-device for certain use cases). AI assistants that suggest diagnoses or treatments cross this line.

Workflows that involve external parties (specialists, labs, insurance companies) might be better served by integrations than by AI.

The right framing: AI is a tool. Local-first AI is the only architecture that lets you use that tool on PHI without compliance friction. Use it where it adds value. Don't force it.

The closing thought

Healthcare AI has been waiting for the right architecture. Cloud AI got most of the attention but never solved the compliance problem. The use cases languished. Clinicians kept writing summaries by hand. Patients kept waiting longer than they should.

Local-first AI is the architecture that works. The technology is ready. The compliance framework is ready. The deployment patterns exist.

The work that has been waiting on a HIPAA-compliant path can move forward. The intake summarization agent above is a real, deployable workflow. There are dozens more like it.

If your healthcare team has been told "no AI" by compliance, the conversation can change now. The path runs through local-first.

avery.software