Healthcare Technology

Healthcare Tech Company Achieves HIPAA-Compliant Claude Agent Operations

A Series A healthcare tech company builds tools for clinical documentation. Their product uses Claude to help clinicians generate patient notes from voice recordings. It’s genuinely useful software — clinicians spend 30-40% of their day on documentation, and Claude can draft notes in seconds.

The problem: patient data flows through those agent sessions. Protected Health Information. The kind of data where a breach costs millions and triggers federal investigations.

The Problem

Their initial implementation sent audio transcripts directly to the Anthropic API. The transcripts contained patient names, dates of birth, diagnoses, medications — everything in a HIPAA-covered record. Anthropic’s standard data policies were sufficient for most use cases, but their legal team flagged that they needed a Business Associate Agreement (BAA) and tighter controls around what data left their environment.

Beyond the API question, they had a second problem: when a HIPAA auditor asked “show me the access controls on your AI systems,” they had nothing to show. No logs of which agent sessions accessed which patient data. No proof that agents were limited to the data they needed. No demonstration that the company had implemented “minimum necessary” access — a HIPAA requirement.

They needed to demonstrate control, not just assume it.

The Solution

Sentrely Enterprise deployed inside their AWS VPC in three days. No data leaves their environment through the gateway. All agent sessions, audit logs, and access records stay within their VPC.

The policy setup for their clinical documentation agents:

  • Read access to transcripts for specific patient encounters, not the entire database
  • Write access to draft notes in a specific S3 prefix only
  • No access to billing records, insurance information, or historical charts
  • Human review required before any note is finalized (already part of their product flow)
  • Full audit trail of every data access, exportable to their compliance team’s S3 bucket

The immutable audit log became their compliance evidence. For every patient encounter processed by a Claude agent, the log shows which agent ran, which transcript it read, when it read it, what it wrote, and when the clinician reviewed the result.

The Results

HIPAA audit passed with zero AI-related findings. The auditor reviewed the audit trail, verified the access controls, confirmed the BAA coverage, and signed off. The company’s Head of Compliance described it as “the smoothest part of the audit.”

Zero PHI exposure incidents. Policy scoping means agents literally cannot access data outside their permitted scope. The gateway returns 403s on any out-of-scope access attempt, and every 403 is logged.
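To make the policy-scoping and logged-denial behaviour described above concrete, here is an added example of a minimal policy-enforcing gateway. It is not Sentrely's code or the company's; the agent id, encounter ids, S3 prefix, transcript text and log format are all constructed assumptions. The gateway allows reads only of transcripts in the session's encounter allowlist, allows writes only under one draft prefix, returns 403 for everything else (billing and other data classes are simply never in the allowlist), and records every decision, allowed or denied, in a hash-chained append-only log so that tampering is detectable.

```python
# Added example (not Sentrely's or the company's code): a toy policy-scoped
# gateway for a note-drafting agent. All names and sample data are constructed.
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample transcript store keyed by patient encounter id.
TRANSCRIPTS = {
    "enc-1001": "Patient reports two days of cough, no fever ...",
    "enc-1002": "Follow-up visit, blood pressure stable ...",
    "enc-2001": "Annual physical, no complaints ...",
}


@dataclass(frozen=True)
class AgentPolicy:
    """Minimum-necessary scope for one agent session (assumed shape)."""
    agent_id: str
    allowed_encounters: frozenset   # transcripts this session may read
    write_prefix: str               # only location it may write drafts to


class AuditLog:
    """Append-only log; each entry hashes the previous one so edits are detectable."""

    def __init__(self):
        self.entries = []
        self._prev = "0" * 64

    def record(self, **event):
        event["ts"] = datetime.now(timezone.utc).isoformat()
        body = json.dumps(event, sort_keys=True)
        digest = hashlib.sha256((self._prev + body).encode()).hexdigest()
        self.entries.append({"event": event, "prev": self._prev, "hash": digest})
        self._prev = digest

    def verify(self) -> bool:
        """Recompute the chain; False if any entry was altered or reordered."""
        prev = "0" * 64
        for e in self.entries:
            body = json.dumps(e["event"], sort_keys=True)
            expected = hashlib.sha256((prev + body).encode()).hexdigest()
            if e["prev"] != prev or e["hash"] != expected:
                return False
            prev = e["hash"]
        return True


class Gateway:
    """Every data access goes through here; allow and deny decisions are both logged."""

    def __init__(self, policy: AgentPolicy, log: AuditLog):
        self.policy, self.log, self.drafts = policy, log, {}

    def _decide(self, action: str, resource: str, allowed: bool) -> int:
        status = 200 if allowed else 403
        self.log.record(agent=self.policy.agent_id, action=action,
                        resource=resource, status=status)
        return status

    def read(self, kind: str, encounter_id: str):
        # Allowlist only: transcripts for permitted encounters. Billing, insurance
        # and historical charts are never listed, so any such read is a 403.
        ok = (kind == "transcript"
              and encounter_id in self.policy.allowed_encounters
              and encounter_id in TRANSCRIPTS)
        status = self._decide(f"read_{kind}", encounter_id, ok)
        return status, (TRANSCRIPTS[encounter_id] if ok else None)

    def write_note(self, key: str, text: str) -> int:
        ok = key.startswith(self.policy.write_prefix)
        status = self._decide("write_note", key, ok)
        if ok:
            self.drafts[key] = text
        return status


def run_session():
    """Constructed session: two in-scope operations, three out-of-scope attempts."""
    log = AuditLog()
    gw = Gateway(AgentPolicy("notes-agent-7", frozenset({"enc-1001"}),
                             "s3://clinical-notes/drafts/"), log)
    statuses = [
        gw.read("transcript", "enc-1001")[0],                                  # 200
        gw.write_note("s3://clinical-notes/drafts/enc-1001.md", "Draft ..."),  # 200
        gw.read("transcript", "enc-2001")[0],                                  # 403: other patient
        gw.read("billing", "enc-1001")[0],                                     # 403: wrong data class
        gw.write_note("s3://clinical-notes/final/enc-1001.md", "x"),           # 403: outside prefix
    ]
    denied = sum(1 for e in log.entries if e["event"]["status"] == 403)
    return statuses, denied, log


if __name__ == "__main__":
    s, d, lg = run_session()
    print(s, "denied:", d, "log intact:", lg.verify())
```

The point a compliance reviewer cares about is visible in the returned log: five decisions for five requests, three of them 403s, each tied to an agent id, resource and timestamp, and a chain check that fails if any entry is edited after the fact.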

3 days to production compliance posture. From “we have a compliance problem” to “we have a compliant system.”

The CISO’s summary: “HIPAA compliance for AI was supposed to be a six-month project. It took a week to understand what we needed and three days to implement it. The key was having a system that generates evidence automatically, not one we’d have to reconstruct before every audit.”
