
HIPAA Compliance

This page explains how KoreShield can help organizations implement HIPAA-aligned safeguards when deploying LLM features that may process protected health information (PHI). It is not legal advice and does not guarantee compliance on its own. Always consult your compliance and legal teams.

HIPAA Scope and Shared Responsibility

HIPAA applies to covered entities and their business associates when handling PHI. Compliance is a shared responsibility between your organization, your infrastructure, and third-party providers. KoreShield can help by:
  • reducing exposure of sensitive content through policy enforcement
  • keeping provider credentials server-side
  • supporting structured logging and audit trails
  • enabling data minimization in prompts and retrieved content
You are responsible for:
  • determining whether PHI is present
  • data retention and deletion policies
  • access controls and user authentication
  • infrastructure security (encryption, network controls, key management)
  • executing appropriate BAAs with vendors where required

1) Minimum Necessary Data

Only send the minimum PHI required to complete the task. Avoid embedding full patient records or identifiers when a summary will do. Practical guidance:
  • pre-sanitize prompts to remove direct identifiers
  • keep identifiers in metadata rather than free-form text
  • avoid storing PHI in logs unless required

2) Access Control and Segmentation

Restrict access to PHI by role and tenant. Ensure requests are scoped to the appropriate patient or case context. Practical guidance:
  • enforce role-based access controls in your application
  • scope requests by user and patient identifiers
  • isolate data by tenant and environment

3) Audit Logging

HIPAA requires auditability of access and changes. KoreShield supports structured logs for consistent parsing.

    logging:
      json_logs: true
      container_mode: true

Log access to PHI, policy decisions, and security events in your SIEM or audit store.
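The following added example (not KoreShield's own code; the identifier patterns, the HMAC key and the audit field names are assumptions) ties sections 1 and 3 together: it strips direct identifiers out of free-form prompt text into a metadata dict, builds a structured audit event that references the patient only by a keyed hash, and checks that none of the extracted identifiers leaked into the record before it is logged.

```python
import hmac
import json
import re
import uuid
from datetime import datetime, timezone

# Constructed patterns for a few direct identifiers; extend them to match your own data.
IDENTIFIER_PATTERNS = {
    "mrn": re.compile(r"\bMRN[-:]?\s*(\d{6,10})\b"),
    "ssn": re.compile(r"\b(\d{3}-\d{2}-\d{4})\b"),
    "phone": re.compile(r"\b(\d{3}-\d{3}-\d{4})\b"),
    "email": re.compile(r"\b([\w.+-]+@[\w-]+\.[\w.]+)\b"),
}

def sanitize_prompt(text):
    """Replace direct identifiers with numbered placeholders.
    Returns (sanitized_text, metadata): identifier values travel in the
    metadata dict, never in the free-form text that reaches the model."""
    metadata = {}
    for kind, pattern in IDENTIFIER_PATTERNS.items():
        def replace(match, kind=kind):
            values = metadata.setdefault(kind, [])
            if match.group(1) not in values:
                values.append(match.group(1))
            return f"[{kind.upper()}_{values.index(match.group(1)) + 1}]"
        text = pattern.sub(replace, text)
    return text, metadata

def audit_record(user_id, patient_id, action, decision, key, trace_id=None):
    """Build a structured audit event that references the patient by an
    HMAC-SHA256 of the identifier, not the raw value. `key` is a secret from
    your key management system (assumed here; not a KoreShield setting)."""
    patient_ref = hmac.new(key, patient_id.encode(), "sha256").hexdigest()[:16]
    return {
        "ts": datetime.now(timezone.utc).isoformat(),
        "trace_id": trace_id or str(uuid.uuid4()),
        "user_id": user_id,
        "patient_ref": patient_ref,
        "action": action,
        "policy_decision": decision,
    }

def contains_identifiers(record, metadata):
    """True if any extracted identifier value appears in the serialized record,
    i.e. the event must not be written to the audit store as-is."""
    blob = json.dumps(record)
    return any(v in blob for values in metadata.values() for v in values)
```

Run `contains_identifiers` on every event before it leaves the process; a hit means PHI would have reached your SIEM.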

4) Policy Enforcement

Use KoreShield policies to block or warn on unsafe content and suspicious requests.

    security:
      sensitivity: high
      default_action: block
      features:
        sanitization: true
        detection: true
        policy_enforcement: true


5) Data Retention and Deletion

Define clear retention windows for prompts, logs, and outputs. Limit storage of PHI and delete data when it is no longer needed.

6) Vendor Management

If PHI is sent to external LLM providers, ensure you have the proper contractual and security controls in place, including BAAs when required.

HIPAA Mapping (Operational)

This table is a practical mapping, not a legal interpretation:

Control Area            Implementation
Access control          application RBAC, tenant isolation, key management
Audit controls          structured logging, SIEM integration, trace IDs
Integrity controls      request validation, policy enforcement, output scanning
Transmission security   TLS for all in-transit data

Deployment Checklist

  • Identify PHI data flows and minimize exposure
  • Enable structured logging and centralized audit storage
  • Implement least-privilege access to KoreShield and providers
  • Ensure TLS and secrets management are in place
  • Document incident response procedures for security events
