How a healthcare org deployed LLMs without violating HIPAA

How a healthcare org deployed LLMs without violating HIPAA

Simor Consulting | 14 Jul, 2026 | 05 Mins read

A hospital system with twelve facilities and 14,000 clinical staff wanted to use large language models to assist with clinical documentation. Physicians spent an average of two hours per day on documentation — writing notes, completing prior authorization requests, and responding to patient messages. The hospital’s CIO believed that an LLM-based assistant could reduce documentation time by thirty to forty percent, giving physicians more time with patients.

The obstacle was HIPAA. The hospital handled protected health information for 2.3 million patients. Any system that processed PHI had to comply with HIPAA’s security and privacy rules, which impose strict requirements on data access, storage, transmission, and audit. The commercial LLM APIs that the hospital’s IT team wanted to use — the same APIs that power consumer chatbots — did not meet HIPAA requirements. The API providers processed requests on their own infrastructure, retained inputs for model improvement (with opt-out options that were insufficient for HIPAA’s minimum necessary standard), and could not guarantee the data isolation that HIPAA required.

The hospital’s compliance team was clear: no patient data could leave the hospital’s network. Not to an API. Not to a cloud service. Not to a vendor. The LLM had to run inside the hospital’s infrastructure, or the project could not proceed.

The compliance constraints

HIPAA’s requirements for an LLM-based clinical tool fell into four categories. Data residency: all PHI must remain within the hospital’s controlled infrastructure. No patient data could be transmitted to an external service, even in encrypted form, unless the service was covered by a business associate agreement that met the hospital’s security standards.

Access control: the LLM could only access PHI that the requesting physician was authorized to see. A physician in the cardiology department could not access psychiatry notes through the LLM, even if the LLM was technically capable of processing them.

Audit trail: every interaction between a clinical user and the LLM had to be logged, including the input text, the output text, and the user’s identity. The audit trail had to be retained for six years, consistent with HIPAA’s record retention requirements.

Model isolation: the LLM’s weights and inference infrastructure had to be isolated from any system that contained PHI, except through a controlled access layer that enforced the access control and audit requirements. The model itself could not have direct access to patient records.

The architecture: local LLM with a PHI firewall

We designed an architecture that kept all PHI within the hospital’s network while providing a useful clinical documentation assistant.

This diagram requires JavaScript.

Enable JavaScript in your browser to use this feature.

The PHI firewall was the core component. It sat between the physician’s workstation and the LLM inference server. When a physician requested documentation assistance, the PHI firewall performed three functions. First, it checked the physician’s authorization against the hospital’s access control system to verify that the physician was permitted to access the patient’s records. Second, it retrieved the relevant clinical context from the EHR system and de-identified it — replacing patient names, dates of birth, medical record numbers, and other direct identifiers with consistent placeholders. Third, it logged the request, including the physician’s identity, the patient’s identity, and the timestamp.

The de-identified context was passed to the local LLM for inference. The LLM generated a draft documentation note based on the de-identified clinical context. The draft used placeholders — “the patient,” “MRN-XXXXX” — instead of real identifiers. The LLM never saw real patient data.

The PHI firewall then re-identified the draft, replacing placeholders with the actual patient identifiers, and returned the re-identified draft to the physician’s workstation. The physician reviewed the draft, made corrections, and saved the final note to the EHR.

The local LLM deployment

The hospital’s IT team provisioned a dedicated GPU server within their data center. The server ran an open-source LLM with 70 billion parameters, selected for its performance on clinical documentation benchmarks. The model was quantized to reduce memory requirements, allowing it to run on four A100 GPUs rather than eight.

The model was not fine-tuned on hospital data. Fine-tuning would have required the model to process real patient records during training, which would have violated the data isolation requirement. Instead, the team used a model that had been pre-trained on publicly available medical literature and clinical guidelines. The documentation quality was adequate for draft generation, though physicians reported that it occasionally used terminology that was not consistent with the hospital’s documentation standards.

The team addressed this with prompt engineering rather than fine-tuning. The context builder included hospital-specific documentation guidelines, preferred terminology, and template structures in every prompt. The LLM followed these guidelines with reasonable consistency, though not as reliably as a fine-tuned model would have.

What we gave up

The local LLM was less capable than the commercial APIs. The commercial models were trained on far more data and had more refined instruction-following capabilities. Physicians who had used commercial LLMs outside of work noticed the difference. The local model produced drafts that required more editing — an average of four minutes of editing per note, compared to an estimated two minutes if a commercial model had been available.

The second trade-up was cost. The GPU server cost $180,000 to procure and approximately $4,000 per month to operate. Commercial LLM APIs would have cost approximately $8,000 per month for the same usage volume but required no capital expenditure. The hospital accepted the higher total cost because the commercial option was not compliant.

The third trade-off was model updates. Commercial LLM providers update their models regularly. The hospital’s local model was static unless the IT team manually deployed a new version. The team planned quarterly model updates, but each update required validation testing to ensure that the new model’s outputs met clinical documentation standards.

Results

In the first six months, physicians used the documentation assistant for approximately thirty percent of their clinical notes. Documentation time for notes that used the assistant decreased by thirty-five percent on average, from forty-two minutes to twenty-seven minutes per note. Physicians reported that the primary time savings came not from the draft quality but from the assistant’s ability to pre-populate structured fields — medication lists, problem lists, assessment codes — from the clinical context.

The HIPAA compliance posture was validated by the hospital’s internal audit team and by an external security assessment. No PHI was detected in any log, network trace, or inference server memory dump during the assessment. The PHI firewall’s audit trail was complete and consistent.

The decision heuristic

If your AI use case requires processing PHI, the compliance constraint is not negotiable and should not be treated as an afterthought. The architecture must enforce data isolation at the infrastructure level, not at the application level. An application-layer guardrail that prevents the model from returning PHI is insufficient if the model has seen PHI during inference. The PHI firewall pattern — de-identify before inference, re-identify after inference — provides infrastructure-level enforcement. It is more complex than calling a commercial API. It is also the only pattern that can pass a HIPAA audit.

Shipping a production AI system?

Find the control gaps before they turn into incidents. Take the AI Production Scorecard for a fast baseline across the seven layers, or book an architecture review and we will turn it into a hardening plan.

Similar Articles

Anatomy of an AI Incident: Post-Mortem of a Model Provider Outage
Anatomy of an AI Incident: Post-Mortem of a Model Provider Outage
19 Jun, 2026 | 09 Mins read

On a Tuesday at 2:14 PM, a major model provider began returning elevated error rates for a specific model endpoint. By 2:31 PM, a customer support platform that depended on that endpoint was producing

Agent Guardrails: Containing What an Agent Can Do in Production
Agent Guardrails: Containing What an Agent Can Do in Production
25 Jun, 2026 | 09 Mins read

Input guardrails check whether a user prompt is safe. Output guardrails check whether a model response is appropriate. Agent guardrails check whether the actions an agent takes are within bounds. Thes

How a retailer reduced inference latency 90% with feature store caching
How a retailer reduced inference latency 90% with feature store caching
21 Apr, 2026 | 04 Mins read

A mid-market e-commerce retailer with roughly $200M in annual revenue had invested eighteen months building a product recommendation engine. The models were accurate. Offline evaluation showed meaning

The data pipeline that cost $50K/month — and the audit that found why
The data pipeline that cost $50K/month — and the audit that found why
22 Apr, 2026 | 04 Mins read

A financial services firm running analytics on trade settlement data came to us with a specific complaint: their cloud data platform cost had tripled in eighteen months, and nobody could explain why.

EU AI Act enforcement begins: what data teams must do now
EU AI Act enforcement begins: what data teams must do now
25 Apr, 2026 | 04 Mins read

The first enforcement window of the EU AI Act opened in February 2026, and the grace periods that protected early movers are expiring on a rolling schedule through 2027. This is no longer a policy dis

Migrating from batch to streaming: a 6-month journey
Migrating from batch to streaming: a 6-month journey
28 Apr, 2026 | 05 Mins read

A logistics company processing two million shipments per day ran their entire operational reporting stack on nightly batch ETL. Every morning at 6 AM, operations managers reviewed dashboards built on

When RAG failed: a knowledge retrieval project post-mortem
When RAG failed: a knowledge retrieval project post-mortem
29 Apr, 2026 | 05 Mins read

A legal technology company had invested six months building a retrieval-augmented generation system to help contract attorneys find relevant precedent clauses across a corpus of 180,000 executed agree

From 3-hour dashboards to 3-minute insights: a BI modernization story
From 3-hour dashboards to 3-minute insights: a BI modernization story
05 May, 2026 | 05 Mins read

A manufacturing company with facilities in twelve countries ran its operational reporting on a traditional BI stack: a data warehouse, an ETL pipeline, and a dashboard tool that had been deployed six

The vector database that couldn't scale — and what we did instead
The vector database that couldn't scale — and what we did instead
12 May, 2026 | 05 Mins read

A media company with a library of twelve million articles, transcripts, and research documents had built a semantic search system on a managed vector database. The system was designed to let journalis

Building an AI operating system for a 10,000-person company
Building an AI operating system for a 10,000-person company
19 May, 2026 | 05 Mins read

A diversified industrial company with 10,000 employees across manufacturing, logistics, and field services had accumulated forty-seven separate AI projects over three years. Each business unit had bui

How we killed our ETL pipeline (and productivity went up)
How we killed our ETL pipeline (and productivity went up)
26 May, 2026 | 05 Mins read

A B2B SaaS company running a customer success platform had a data pipeline that consumed sixty percent of the data engineering team's time. Not feature work. Not analytics. Pipeline maintenance. The p

A compliance-first AI rollout in financial services
A compliance-first AI rollout in financial services
03 Jun, 2026 | 05 Mins read

A regional bank with $12 billion in assets wanted to use machine learning to improve its commercial loan underwriting process. The existing process was manual, relying on credit analysts who spent fou

Regulators are coming for your training data — are you ready?
Regulators are coming for your training data — are you ready?
06 Jun, 2026 | 03 Mins read

The regulatory focus on AI is narrowing from the models themselves to the data that trains them. The EU AI Act requires documentation of training data provenance and composition. The US Copyright Offi

How to audit your AI pipeline for bias -- step by step
How to audit your AI pipeline for bias -- step by step
07 Jun, 2026 | 06 Mins read

Bias in AI systems is not a theoretical risk. It is a measurable property that can be detected, quantified, and mitigated at every stage of the pipeline. The teams that treat bias as an audit problem

The $2M model that never made it to production
The $2M model that never made it to production
09 Jun, 2026 | 05 Mins read

A retail chain with 400 stores spent two years and $2.1 million building an inventory optimization model. The model was technically excellent. It reduced predicted stockouts by thirty-two percent and

Data mesh in practice: year 2 retrospective
Data mesh in practice: year 2 retrospective
16 Jun, 2026 | 05 Mins read

An insurance company with $400 million in premium volume adopted data mesh two years ago. The central data team had become a bottleneck. Every business unit — claims, underwriting, actuarial, and dist

Designing guardrails: a practical architecture guide
Designing guardrails: a practical architecture guide
21 Jun, 2026 | 06 Mins read

The guardrail problem in AI is a tension between two failure modes. Too few guardrails and the system produces harmful, inaccurate, or brand-damaging outputs. Too many guardrails and the system refuse

When your AI vendor goes bankrupt — surviving platform lock-in
When your AI vendor goes bankrupt — surviving platform lock-in
23 Jun, 2026 | 05 Mins read

A healthcare analytics company received notice on a Tuesday afternoon that their primary AI infrastructure vendor was filing for Chapter 7 bankruptcy. The platform hosted their patient risk stratifica

Sovereign AI: why countries are building their own models
Sovereign AI: why countries are building their own models
27 Jun, 2026 | 03 Mins read

France released a fully open-source large language model trained on curated French-language data. India announced a multilingual model covering 22 scheduled languages. The UAE expanded its Falcon mode

Real-time fraud detection: from proof-of-concept to production in 90 days
Real-time fraud detection: from proof-of-concept to production in 90 days
30 Jun, 2026 | 05 Mins read

A payment processor handling twelve million transactions per day had a fraud detection system that was accurate but slow. The system reviewed transactions in batch, four times per day. A fraudulent tr

Consolidating 47 data sources into one knowledge layer
Consolidating 47 data sources into one knowledge layer
01 Jul, 2026 | 05 Mins read

A global professional services firm with 8,000 consultants maintained institutional knowledge across forty-seven separate systems. Project proposals lived in a document management system. Client engag

The GDPR audit that reshaped our entire ML pipeline
The GDPR audit that reshaped our entire ML pipeline
07 Jul, 2026 | 05 Mins read

A European fintech with twelve million customers received a GDPR audit notice from their national data protection authority. The audit focused on the company's machine learning pipeline, which powered

How to write an AI incident response plan
How to write an AI incident response plan
12 Jul, 2026 | 07 Mins read

AI systems fail differently than traditional software. A traditional software bug produces incorrect output deterministically -- the same input always produces the same wrong output, and a fix elimina

Metadata Management for AI Governance
Metadata Management for AI Governance
24 May, 2024 | 03 Mins read

# Metadata Management for AI Governance AI systems in production require metadata management to support compliance, auditing, and model oversight. Without systematic tracking of model lineage, traini

Case Study: End-to-End RAG Platform for Customer Support
Case Study: End-to-End RAG Platform for Customer Support
05 Dec, 2025 | 05 Mins read

A SaaS company with 200 support agents and 10,000+ knowledge base articles had an 18-hour average response time and 23% first-contact resolution. Their largest enterprise client threatened to cancel a

The Governance Layer: Managing AI Risk, Compliance, and Audit
The Governance Layer: Managing AI Risk, Compliance, and Audit
07 Feb, 2026 | 13 Mins read

A healthcare system deployed an AI triage assistant. It worked well in testing. In production, it started routing patients with chest pain to low-priority queues. The error was subtle and infrequent.

Case Study: Building a Production AI Knowledge Layer for Financial Services
Case Study: Building a Production AI Knowledge Layer for Financial Services
01 Mar, 2026 | 10 Mins read

A regional bank's investment research team spent 60% of their time gathering information and 40% doing analysis. Analysts had to search through regulatory filings, internal research memos, market data

Case Study: Multi-Agent System for Supply Chain Optimization
Case Study: Multi-Agent System for Supply Chain Optimization
13 Jun, 2026 | 12 Mins read

A mid-size automotive parts manufacturer with operations spanning 15 countries and relationships with over 200 suppliers faced a supply chain coordination problem that was consuming too much of their

Responsible AI by Design: Integrating Ethics into AI Architecture
Responsible AI by Design: Integrating Ethics into AI Architecture
02 Jun, 2026 | 09 Mins read

Responsible AI is not a checklist you complete before deployment. It is a set of architectural decisions that you make throughout the design process, each of which involves trade-offs that are real an