How does Claw EA prevent PHI exposure by AI agents?

DLP redaction strips protected health information before it reaches model providers. Egress allowlists restrict which external endpoints agents can contact. Secret boundaries prevent credential leakage. All three controls produce signed receipts proving enforcement.

Can Claw EA support a BAA for HIPAA compliance?

Enterprise tier includes BAA/DPA availability. The architecture is designed so that PHI never leaves your approved boundary — DLP redaction runs before model calls, not after.

How long are audit logs retained for healthcare compliance?

HIPAA requires 6-year retention for security-relevant records. Enterprise tier provides 7-year tamper-evident retention with hash-linked proof chains.

Healthcare

AI Agent Governance for Healthcare and Life Sciences

Healthcare organizations deploying AI agents face HIPAA, HITECH, and 21 CFR Part 11 requirements that demand provable data handling controls. An agent that touches patient data, clinical notes, or billing records must operate within a verifiable boundary.

What Goes Wrong Without Controls

A regional health system deploys agents to automate clinical documentation, insurance pre-authorization, and patient scheduling. Within weeks:

An agent summarizing clinical notes sends a prompt containing a patient's name, DOB, and diagnosis to a third-party model API — a HIPAA breach reportable to HHS
A scheduling agent accesses the EHR API to check availability but also pulls patient records it does not need — excessive access with no boundary enforcement
An auditor asks for evidence that PHI was redacted before every model call during Q2 — the team has no receipts, only application logs that show the call was made

DLP redaction, egress allowlists, and proof bundles prevent all three scenarios and produce the evidence to prove it.

Regulatory Mapping

Regulation	Requirement	Claw EA Control
HIPAA Security Rule	Access controls, audit controls, transmission security	DLP redaction, egress allowlist, proof bundles
HITECH Act	Breach notification, increased penalties	Secret boundary prevents credential/PHI leakage; receipts prove containment
21 CFR Part 11	Electronic records, electronic signatures	Ed25519 signatures on every receipt and bundle satisfy electronic signature requirements
State privacy (CCPA, etc.)	Data minimization, access logging	Scoped tokens enforce data minimization; tamper-evident logs provide access records

AI Agent Governance for Healthcare and Life Sciences

What Goes Wrong Without Controls

Regulatory Mapping

Recommended Control Stack

DLP Redaction

Secret Boundary

Egress Allowlist

Audit Log Retention

Relevant Workflows

Map your controls to your stack