HIPAA Security Rule
The Healthcare / HIPAA vertical is included on the Enterprise plan.
Scope
Behavry's Healthcare compliance module maps 7 HIPAA Security Rule requirements to Behavry capabilities. The goal is continuous evidence that AI agents interacting with PHI — clinical summarization agents, coding assistants in payer back-offices, copilots in EHR workflows — are operating under appropriate administrative, physical, and technical safeguards.
Source: backend/behavry/compliance/healthcare.py. UI: Compliance → Healthcare (HIPAA).
Covered requirements
| 45 CFR § | Safeguard | Behavry answer |
|---|---|---|
| 164.308(a)(1) | Security management process: risk analysis, (a)(1)(ii)(A) | Behavioral Risk Framework, AI Surface Mapping |
| 164.308(a)(3) | Workforce security: authorization and supervision | User roles, SSO with role mapping |
| 164.308(a)(4) | Information access management | Policy Engine, Requester Identity Propagation |
| 164.308(a)(5) | Security awareness and training: log-in monitoring, (a)(5)(ii)(C) | Human AI Governance, Browser Extension alerts |
| 164.312(a)(1) | Access control: unique user identification, (a)(2)(i) | Agent Identity, Requester Identity Propagation |
| 164.312(b) | Audit controls | Decision Trace, SIEM Connectors |
| 164.312(c)(1) | Integrity | Hash-chained audit log, Public Evidence Verification |
PHI-specific DLP patterns
The HIPAA module activates a PHI pattern set in the DLP scanner:
- ICD-10 and CPT codes near patient identifiers
- Medical record numbers (format-heuristic; tenant-tunable)
- SSN near clinical context (patient name, DOB proximity)
- Prescription patterns (drug names, dosage, refill counts)
- Provider NPI (National Provider Identifier)
Findings from this set are tagged hipaa:phi in the DLP taxonomy, so inbound rules and policies can target the tag directly. The rule below denies any content carrying a PHI finding unless the requesting agent is marked as approved for covered-entity workflows:
# Deny when any DLP finding is tagged hipaa:phi and the agent is not approved.
deny[reason] {
    input.content.dlp_findings[_].category == "hipaa:phi"
    not input.agent.is_covered_entity_approved
    reason := "PHI cannot leave approved workflows"
}
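As an added example, not Behavry's code and not the real scanner, the Python below shows one plausible implementation of the pattern set above and of the policy decision it feeds: ICD-10, CPT and SSN hits count only when they sit near a patient anchor (name, DOB or MRN), NPI candidates are checked with the NPI check-digit rule (Luhn over the value prefixed with 80840), and deny_reason renders the Rego rule in Python. The regexes, the 120-character context window, the Finding schema, the agent attribute name and the sample texts are all assumptions constructed for the example.

```python
"""Illustrative PHI detector and policy check (added example, not Behavry's code).

Assumptions: regexes, WINDOW, the Finding schema and the agent dict shape are
invented here for illustration; the sample note and invoice are constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional

WINDOW = 120  # assumed max gap (chars) between a patient anchor and a contextual hit

# Patient anchors: a name label, a date of birth, or a medical record number.
ANCHOR_RES = {
    "patient_name": re.compile(r"\bPatient[:\s]+[A-Z][a-z]+ [A-Z][a-z]+"),
    "dob": re.compile(r"\b(?:DOB|date of birth)\b[:\s]*\d{1,2}/\d{1,2}/\d{4}", re.I),
    "mrn": re.compile(r"\bMRN[:#\s]*\d{6,10}\b", re.I),  # format heuristic, tenant-tunable
}
# Patterns that are reported only when an anchor is within WINDOW characters.
CONTEXT_RES = {
    "icd10": re.compile(r"\b[A-Z]\d{2}(?:\.\d{1,4})?\b"),  # loose ICD-10-CM shape
    "cpt": re.compile(r"\b\d{5}\b"),                        # far too broad on its own
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}
# Patterns reported on their own: drug + dose (+ optional refill count), and NPI.
RX_RE = re.compile(r"\b[A-Z][a-z]+ \d+ ?mg\b(?:[^.\n]*\brefills?[:\s]*\d+)?")
NPI_RE = re.compile(r"\b\d{10}\b")


def luhn_ok(digits: str) -> bool:
    """Standard Luhn check over a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def npi_valid(npi: str) -> bool:
    """An NPI's check digit is computed as if the number were prefixed with 80840."""
    return len(npi) == 10 and npi.isdigit() and luhn_ok("80840" + npi)


@dataclass(frozen=True)
class Finding:  # assumed finding shape
    category: str
    pattern: str
    value: str
    offset: int


def _near(span, anchors) -> bool:
    s, e = span
    return any(max(a_s - e, s - a_e, 0) <= WINDOW for a_s, a_e in anchors)


def scan_phi(text: str) -> list:
    """Return hipaa:phi findings for text, ordered by offset."""
    anchors = [m.span() for rx in ANCHOR_RES.values() for m in rx.finditer(text)]
    out = []
    for name, rx in ANCHOR_RES.items():
        out += [Finding("hipaa:phi", name, m.group(), m.start()) for m in rx.finditer(text)]
    for name, rx in CONTEXT_RES.items():
        for m in rx.finditer(text):
            if _near(m.span(), anchors):  # SSN / codes only count in clinical context
                out.append(Finding("hipaa:phi", name, m.group(), m.start()))
    out += [Finding("hipaa:phi", "prescription", m.group(), m.start()) for m in RX_RE.finditer(text)]
    out += [Finding("hipaa:phi", "npi", m.group(), m.start())
            for m in NPI_RE.finditer(text) if npi_valid(m.group())]
    return sorted(out, key=lambda f: f.offset)


def deny_reason(agent: dict, findings: list) -> Optional[str]:
    """Python rendering of the Rego deny rule: PHI present and agent not approved."""
    has_phi = any(f.category == "hipaa:phi" for f in findings)
    if has_phi and not agent.get("is_covered_entity_approved", False):
        return "PHI cannot leave approved workflows"
    return None


# Constructed sample inputs (no real patient data).
CLINICAL_NOTE = (
    "Patient: Jane Doe, DOB: 04/12/1971, MRN: 00482913. Dx E11.9; billed CPT 99213. "
    "SSN 123-45-6789 on file. Rx: Metformin 500 mg, refills: 3. Rendering NPI 1234567893."
)
INVOICE = "Order #123-45-6789 shipped, 99213 units, part E11.9, account 1234567890."

if __name__ == "__main__":
    findings = scan_phi(CLINICAL_NOTE)
    for f in findings:
        print(f)
    print(deny_reason({"is_covered_entity_approved": False}, findings))
    print(scan_phi(INVOICE))  # same-looking tokens, no clinical context: nothing reported
```

The invoice line carries an SSN-shaped order number, a five-digit quantity, an ICD-10-shaped part number and a ten-digit account number, and produces no findings: the first three lack a patient anchor and the last fails the NPI check digit. That proximity and checksum gating is what keeps a PHI pattern set usable on payer back-office traffic, where bare digit runs are everywhere.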
BAA considerations
Behavry's SaaS offering is available under a Business Associate Agreement. BYOC and self-hosted deployments keep all PHI inside the customer's environment; no BAA is needed with Behavry beyond whatever covers the container images and support relationship.
Export
GET /api/v1/compliance/healthcare/export?format=pdf|csv|json