Compliance
HIPAA compliance for AI workloads
PHI cannot reach a model uncontrolled. Prism redacts it before storage; Prism X blocks it before it leaves the employee browser.
- All 18 HIPAA Safe Harbor identifiers covered
- PHI redacted before storage in Prism
- Employee prompts to AI tools blocked at the browser
- Audit log of every PHI-related event for breach assessment
About this framework
The Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules govern protected health information (PHI). The Privacy Rule's Safe Harbor de-identification standard lists 18 identifier categories that must be removed for data to be considered de-identified. The Security Rule (45 CFR §164.312) mandates audit controls. AI is not exempt — PHI processed by an LLM remains regulated.
Who needs to comply
Industries this applies to
Healthcare payers
Health insurers and TPAs handling PHI are covered entities.
Life and disability insurers
Underwriting on health data triggers HIPAA business-associate obligations.
Pharma and clinical AI
Any AI workload touching PHI is in scope.
Mapping
Where Prism and Prism X address HIPAA
| Obligation | Capability | Evidence |
|---|---|---|
| Privacy Rule — minimum necessary, de-identification | Prism Guardrails (Safe Harbor catalog) | Built-in detectors for all 18 Safe Harbor identifier categories |
| Security Rule — audit controls (§164.312(b)) | Prisms + Prism X Audit Events | Comprehensive log of AI access events with redacted snippets |
| Breach Notification Rule | Prism Sessions + Prism X Audit Events | Reconstruct any AI incident at conversation level for breach assessment |
| Workforce AI tool use | Prism X (DLP at the browser) | Block PHI from leaving the browser into ChatGPT, Claude, Gemini, Copilot |
Built for: Covered entities and business associates using AI on PHI
Related
LLM Guardrails
Real-time detection and enforcement for PII, PHI, prompt injection, content policy violations, and off-topic responses, scoped per agent, per project, per knowledge base.
AI DLP
Pattern-based and contextual detection for PII, PHI, credentials, and confidential markers, with validators that reduce false positives and priority ordering that keeps outcomes explainable.
Shadow AI Audit Log
Structured events back to your tenant support security operations, compliance review, and regulatory evidence, at the granularity your privacy model allows.
GDPR Compliance for AI Workloads
GDPR doesn't change for AI: lawful basis, minimization, and the right to explanation still apply. Prism produces the records each Article expects.
ISO/IEC 42001 AI Management System
ISO 42001 is the first auditable management-system standard for AI. Prism produces the operational evidence each clause asks an internal auditor to see.
AI compliance for healthcare payers
PHI cannot reach a model unscrubbed. Prism Guardrails strip 18 Safe Harbor identifiers at ingestion; Prism X blocks employees from pasting PHI into consumer AI tools.
Start tracing in 5 minutes
One SDK. Five minutes. Full audit trails, PII redaction, and guardrail enforcement, from day one.