Mode on clone: log
Industry-specific · critical · v1.0.0 · System
PHI / Healthcare Data Protection
Detects and blocks Protected Health Information (PHI) — medical record numbers, diagnoses, treatments, identifiers — unless the calling system has a Business Associate Agreement (BAA) in place.
Cloning creates a Guideline policy. Observation only — nothing is blocked until you promote to Strict.
Rationale
HIPAA-covered entities may only let PHI be processed by Business Associates that have signed a BAA. Most LLM providers do not offer a BAA by default, so a prompt or response carrying PHI to such a provider is a disclosure outside the covered relationship.
Example violation
Prompt: "Patient MRN 4421-A diagnosed with stage 2 lymphoma, prescribed Rituximab 375mg/m2"

Triggers (2)
- input: scan prompts
- output: scan responses

Detectors (2)
- regex (phi-identifiers): MRN and member ID patterns
- pii_detector (medical-ner): medical NER for diagnoses, drugs, procedures

Actions (2)
- block: block with BAA explanation
- log: audit log (de-identified)
Tunable parameters (3)

PHI identifier patterns (advanced · regex)
Add patterns specific to your EHR system.
Default (JSON-encoded, so backslashes are doubled): ["\\bMRN[-\\s]?\\d{4,}\\b","\\bMember\\s?ID[-\\s]?\\d{6,}\\b"]

Medical NER confidence (basic · number)
Higher = fewer false positives, at the cost of more missed entities.
Default: 0.75

BAA-covered systems (allowlist) (basic · keywords)
Application IDs of systems with valid BAAs — these bypass the block. Keep the list short and reviewed; anything listed here is exempt from the block regardless of what the detectors find.
Default: []
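As an added worked example (not the product's own engine or code), the following Python models the evaluation path this template describes: the two default identifier regexes, a stand-in for the medical NER detector gated by the confidence threshold, the BAA allowlist bypass, and the decision that differs between Guideline mode (log) and Strict mode (block), with the audit copy de-identified before it is logged. The lexicon, its confidence scores, the application IDs and the function names are constructed for illustration and are not part of the template.

```python
import re
from dataclasses import dataclass, field

# Template defaults shown on this page.
DEFAULT_PHI_PATTERNS = [r"\bMRN[-\s]?\d{4,}\b", r"\bMember\s?ID[-\s]?\d{6,}\b"]
DEFAULT_NER_CONFIDENCE = 0.75

# Constructed stand-in for the template's medical NER detector: a tiny
# lexicon with made-up confidence scores. A real model replaces this.
MEDICAL_LEXICON = {
    "lymphoma": ("diagnosis", 0.92),
    "rituximab": ("drug", 0.88),
    "stage 2": ("staging", 0.60),  # deliberately below the default floor
}


@dataclass
class Finding:
    detector: str
    label: str
    start: int
    end: int
    confidence: float = 1.0


@dataclass
class Decision:
    action: str                     # "allow" | "log" | "block"
    reason: str
    findings: list = field(default_factory=list)
    audit_text: str = ""            # de-identified copy for the audit log


def regex_detector(text, patterns=DEFAULT_PHI_PATTERNS):
    """regex (phi-identifiers): MRN / member ID patterns."""
    found = []
    for pattern in patterns:
        for m in re.finditer(pattern, text, flags=re.IGNORECASE):
            found.append(Finding("regex:phi-identifiers", "identifier", m.start(), m.end()))
    return found


def medical_ner_detector(text, min_confidence=DEFAULT_NER_CONFIDENCE):
    """Stand-in for pii_detector (medical-ner), gated by the confidence floor."""
    found = []
    lowered = text.lower()  # same length as text for ASCII input, so offsets line up
    for term, (label, confidence) in MEDICAL_LEXICON.items():
        if confidence < min_confidence:
            continue  # higher floor = fewer false positives, more misses
        for m in re.finditer(re.escape(term), lowered):
            found.append(Finding("pii_detector:medical-ner", label, m.start(), m.end(), confidence))
    return found


def deidentify(text, findings):
    """Replace every detected span with its label so the audit log holds no PHI."""
    cursor = len(text)
    for f in sorted(findings, key=lambda f: f.start, reverse=True):
        if f.end > cursor:  # overlaps a span already redacted
            continue
        text = text[:f.start] + f"[PHI:{f.label}]" + text[f.end:]
        cursor = f.start
    return text


def evaluate(text, app_id, mode="guideline", allowlist=(),
             ner_confidence=DEFAULT_NER_CONFIDENCE, patterns=DEFAULT_PHI_PATTERNS):
    """Apply the policy to one prompt or response sent on behalf of app_id."""
    if app_id in allowlist:
        return Decision("allow", "BAA-covered system (allowlist)")
    findings = regex_detector(text, patterns) + medical_ner_detector(text, ner_confidence)
    if not findings:
        return Decision("allow", "no PHI detected")
    audit = deidentify(text, findings)
    if mode == "strict":
        return Decision("block", "PHI detected and no BAA on file for this system", findings, audit)
    return Decision("log", "PHI detected; Guideline mode observes only", findings, audit)


# Constructed input: the page's example violation.
EXAMPLE_PROMPT = ("Patient MRN 4421-A diagnosed with stage 2 lymphoma, "
                  "prescribed Rituximab 375mg/m2")

if __name__ == "__main__":
    for mode in ("guideline", "strict"):
        d = evaluate(EXAMPLE_PROMPT, "app-ehr-portal", mode=mode)
        print(f"{mode:9} -> {d.action:5} {d.reason} | audit: {d.audit_text}")
    print("allowlisted ->", evaluate(EXAMPLE_PROMPT, "app-ehr-portal", mode="strict",
                                    allowlist={"app-ehr-portal"}).action)
```

The allowlist check runs before the detectors, which is what "bypass the block" implies: an allowlisted application never produces a finding at all, so nothing reaches the audit log for it either. If you want allowlisted traffic observed but not blocked, move the check after detection and let it downgrade block to log instead.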
Regulatory references
- HIPAA Privacy Rule
- GDPR Art. 9
Template defaults (suggested target after promotion)
- Suggested mode: block
- Risk tiers: none set
- Data classifications: none set
- Departments: none set
Cloned policies start in Guideline mode (log only). Use the promotion wizard to flip to Strict once you trust the false-positive rate, since in Strict mode every match blocks the request.