- Ontology property-level permissions on PHI fields
- Agent IAM scopes which agents may read which objects
- Minimum-necessary enforced — restricted reads fail closed
- 403 denied on any over-broad PHI access
Let agents touch PHI without losing the audit trail.
HIPAA governs protected health information (PHI) for covered entities and their business associates. Its Security Rule requires administrative, physical, and technical safeguards — access controls, audit controls, integrity, and transmission security — and the Privacy Rule limits use to the minimum necessary. When an agent reads a chart or drafts a prior-auth, it handles PHI. Cortex enforces minimum-necessary access at the property level and seals every PHI touch into a tamper-evident ledger.
Built for the HIPAA Security & Privacy Rules · BAA on request
HIPAA Security & Privacy Rules, in plain language.
HIPAA (the Health Insurance Portability and Accountability Act) protects individually identifiable health information. The Security Rule (45 CFR Part 164, Subpart C) requires technical safeguards: access control (§164.312(a)), audit controls (§164.312(b)), integrity (§164.312(c)), and transmission security (§164.312(e)). The Privacy Rule adds the minimum-necessary standard — use and disclose only the PHI needed for the task. For AI agents, the risk is over-broad access and an unprovable trail. Cortex addresses both: ontology property-level permissions enforce minimum-necessary at read time, DLP screens PHI in and out of tool calls, and the hash-chained Trust Ledger gives you audit controls whose integrity is itself provable.
applies to ▸ United States healthcare · covered entities & business associates
Each requirement becomes an enforced, recorded control.
HIPAA's technical safeguards and the minimum-necessary standard map directly onto Cortex's data-layer controls. Each PHI access is gated and recorded, so an OCR audit finds a complete, tamper-evident trail.
- Every PHI access sealed into the Trust Ledger
- verifyChain proves the access log was not altered
- 10-hop lineage: who accessed, why, and under what policy
- Signed receipts as offline-verifiable evidence
- Hash-chained records detect insert / edit / delete
- Datapoint provenance pins facts to source records
- Action Fabric compensation reverses improper writes
- value_hash proves a value was not altered after write
- DLP screens PHI in and out of every tool call
- Output guardrails redact PHI from generated content
- Oversight gate holds high-risk disclosures for review
- Cost caps bound bulk processing of PHI (402)
- TLS 1.2+ in transit; AES-256 at rest
- Tenant isolation keyed on (tenantId, id) everywhere
- Air-gapped deployment with local models, zero external calls
- Business Associate Agreement available on request
From a written obligation to provable evidence.
Every obligation reduces to a fail-closed runtime gate whose verdict lands in a tamper-evident ledger you can hand an examiner. This is the table a Compliance Pack exports for this framework.
| Obligation | Enforced Cortex control | Ledger evidence |
|---|---|---|
| §164.312(a) — access control / unique identity | Ontology permissions + Agent IAM | 403 on restricted read |
| §164.312(b) — audit controls | Trust Ledger (hash-chained) | verifyChain ▸ ok:true |
| §164.312(c) — integrity of PHI | value_hash + record_hash chain | hashOk:false flags edits |
| Minimum-necessary use & disclosure | DLP + output guardrails | 451 PHI redacted |
| §164.312(e) — transmission security | TLS in transit · AES-256 at rest | encrypted · tenant-isolated |
| Accountable for every PHI touch | 10-hop lineage + receipts | lineage/:correlationId |
One-click evidence export, straight from the Trust Ledger.
An OCR investigation or a breach review turns on your access and audit logs. A Compliance Pack maps the Security Rule safeguards to their Cortex controls and exports the sealed PHI-access records — whose integrity verifyChain can prove, closing the gap a mutable log leaves open.
- The HIPAA control map, generated — not assembled by hand
- Sealed run records you can verifyChain offline
- Datapoint provenance: every fact threads back to its source
- Honest by construction — evidence is generated, never asserted
The HIPAA verdicts you'll see in the demo.
These are not slideware promises — they are the literal codes and receipts the runtime returns when you challenge it against this framework's controls.
Three steps from HIPAA on paper to provable.
- 01
Map
Pick HIPAA. Cortex lines each obligation up against the runtime gate that enforces it — no spreadsheet archaeology.
- 02
Enforce
Every agent run passes the same fail-closed gates. A denied control returns a real code (402 / 403 / 409) — never a silent pass.
- 03
Prove
Export a Compliance Pack: the mapping table plus the sealed ledger records that show each control fired, verifiable offline.
Aligned with — never certified-claimed
Cortex is built for and aligned with the HIPAA Security and Privacy Rules and will sign a Business Associate Agreement. There is no HIPAA certification; compliance is your obligation as a covered entity or business associate, supported by the controls and evidence Cortex enforces.
The Cortex capabilities that satisfy this framework.
Each obligation above is enforced by a real capability in the runtime. Explore the ones that do the work for this framework.
Map the rest of your regulatory surface.
The same enforced controls and one-click evidence export cover the other frameworks your auditors cite.
SOC 2
Aligned with SOC 2 Trust Services Criteria: access controls, change management, audit logging, and tamper-evident evidence..
EU AI Act
Aligned with the EU AI Act: human oversight, logging and traceability, risk management, and audit-ready evidence packs..
ISO/IEC 42001
Aligned with ISO/IEC 42001: an AI management system with policies, roles, records, and continual improvement — evidence exported one-click..
All frameworks
The full compliance hub — every framework Cortex maps to, with the shared control-to-evidence model.
Built for the frameworks your auditors already cite.
The sealed ledger, signed receipts, and lineage graph map to the obligations across every regime you report against — aligned with, never claiming a certification you don't hold.
Turn HIPAA from a burden into a button.
See how Cortex maps HIPAA to enforced controls and exports auditor-grade evidence on demand.