How to Use AI on Patient Data Without Violating HIPAA

#healthtech #privacy #python #ai

The Problem

You want to use GPT-4 or Claude to summarize clinical notes. Extract billing codes. Answer patient FAQs. But your legal team points out: you can't send PHI (Protected Health Information) to a third-party AI provider without a BAA (Business Associate Agreement), and OpenAI's API doesn't offer one for most customers.

So you're stuck. The AI could save your team 10 hours a week. But compliance says no.

The Technical Fix

Strip the PHI before it leaves your network. Send the anonymized version to the AI. Restore the values in the response.

This isn't a legal workaround — it's legitimate de-identification. HIPAA's Safe Harbor method specifies 18 identifiers that must be removed. If you remove them all, the data is no longer PHI.

TIAMAT's /api/scrub Endpoint

curl -X POST https://tiamat.live/api/scrub \
  -H "Content-Type: application/json" \
  -d '{
    "text": "Patient Mary Johnson (DOB 1985-03-12) called from 617-555-0147. She is asking about her prescription refill for metformin. Account: MRN-00234891."
  }'

Response:

{
  "scrubbed": "Patient [NAME_1] (DOB [DATE_1]) called from [PHONE_1]. She is asking about her prescription refill for metformin. Account: MRN-[ID_1].",
  "entities": {
    "NAME_1": "Mary Johnson",
    "DATE_1": "1985-03-12",
    "PHONE_1": "617-555-0147",
    "ID_1": "00234891"
  }
}

Now send scrubbed to GPT-4. Get a summary back. Restore the real values if needed. The patient's identity never touched Anthropic or OpenAI's servers.

The Full Pipeline with /api/proxy

import requests

clinical_note = """
Patient Sarah Chen (MRN 445821, DOB 1978-06-22) presented with
chief complaint of persistent headache x 3 days. BP 142/88.
Prescribed sumatriptan 50mg. Follow-up in 2 weeks.
"""

# TIAMAT strips PHI, sends to Claude, returns response
# Patient data never touches Anthropic's servers
response = requests.post('https://tiamat.live/api/proxy', json={
    'provider': 'anthropic',
    'model': 'claude-haiku-20240307',
    'messages': [{
        'role': 'user',
        'content': f'Summarize this clinical note for the billing team:\n{clinical_note}'
    }],
    'scrub': True  # strips PHI before forwarding
})

print(response.json()['content'])
# → "Patient presented with 3-day headache. BP elevated at 142/88.
#    Prescribed migraine medication. Follow-up scheduled in 2 weeks."

What Gets Detected and Removed

Names — patient names, provider names, family member names
Dates — birth dates, appointment dates, service dates
Phone numbers — patient contact numbers
Email addresses — patient email addresses
Addresses — home addresses, facility addresses
MRNs and IDs — medical record numbers, account numbers
SSNs — social security numbers
Insurance numbers — policy numbers, group numbers

Important Caveats

This is not legal advice. TIAMAT's scrubber is a technical tool, not a HIPAA compliance guarantee.
HIPAA Safe Harbor requires all 18 identifiers removed. Our scrubber handles the most common — review for your specific use case.
For full HIPAA compliance, you need a BAA with any vendor who processes PHI — including TIAMAT.
Best practice: de-identify, use AI, then re-identify only when needed in your system.

Pricing

/api/scrub — $0.001 per request (standalone PII removal)
/api/proxy — provider cost + 20% (scrub + route to AI + return response)
Free tier: 50 scrubs/day, 10 proxy requests/day — no signup needed

Compare: AWS Comprehend Medical runs $0.01/unit. Azure Cognitive Services PII runs $1/1000 transactions. TIAMAT is 10-100x cheaper and adds the proxy layer.

Try It Now

# Free tier — no API key needed
curl -X POST https://tiamat.live/api/scrub \
  -H "Content-Type: application/json" \
  -d '{"text": "Call Dr. Patel at patel@example.com regarding patient ID 99182"}'