Key Takeaways
- AI coding assistants generate HIPAA violations by default, and most teams only discover them during code review, or not until the endpoint is already in production.
- HIPAA's Safe Harbor standard lists 18 PHI identifiers, including IP addresses and biometric data, and your AI coding assistant will not check for any of them unless you explicitly tell it to.
- The 2025 HIPAA Security Rule made network segmentation mandatory and added 72-hour incident notification, vulnerability scanning every 6 months, and annual pen testing.
- A HIPAA-compliant codebase and a HIPAA-compliant organization are different things, and mixing them up is the most common reason audits fail.
- Momentum open-sourced hipaa-agent.md so any team can add HIPAA enforcement to Claude Code or Cursor in minutes, built from real healthcare infrastructure work.
We Open-Sourced a HIPAA Compliance Agent for AI Coding Assistants
AI coding assistants write code fast. They don't check whether that code handles patient data correctly.
If you're building healthcare software, your AI assistant will generate API endpoints that log PHI in error messages, store SSNs in plaintext, skip audit logging, and forget session timeouts. You catch these during code review, if you catch them at all.
We built a HIPAA agent to fix this. It's a single .md file you add to Claude Code, Cursor, or any AI coding tool that accepts system-level instructions. Once loaded, the agent enforces HIPAA-compliant patterns while your code is being written, not after.
What it covers
- PHI identification. All 18 HIPAA identifiers: names, SSN, dates of birth, medical record numbers, IP addresses, biometric data, and more. The agent knows when data becomes PHI and what protections it requires.
- Encryption. AES-256 at rest, TLS 1.2+ in transit, proper password hashing with Argon2id or bcrypt. Code examples included.
- Access controls. Role-based access, MFA enforcement (mandatory under the 2025 Security Rule), session timeouts calibrated by environment sensitivity, account lockout policies.
- Audit logging. What to log, what never to log (actual PHI), 6-year retention requirements, tamper-proof storage patterns. The agent will flag code that puts patient names in log messages.
- Database security. Column-level encryption for sensitive fields, row-level security policies, query auditing, separated PHI tables.
- API security. OAuth 2.0 with short-lived tokens, rate limiting for authentication and bulk export endpoints, input validation, minimum-necessary response filtering.
- Cloud deployment. BAA requirements and HIPAA-eligible services for AWS, Azure, and GCP. Which services you can and can't use for PHI workloads.
- Development environments. No real PHI in dev or staging. De-identification using Safe Harbor, synthetic data generation, deterministic tokenization for referential integrity.
- 2025 HIPAA Security Rule updates. Network segmentation (now mandatory, no longer addressable), vulnerability scanning every 6 months, penetration testing every 12 months, 72-hour incident notification.
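Here is an added example of the audit-logging rule above (this is not code from hipaa-agent.md or from Momentum's projects): a Python `logging.Filter` attached to the handler that redacts identifier patterns in rendered messages and refuses any structured field that carries PHI, so an opaque `patient_id` reaches the sink but a patient name, SSN or MRN never does. The regexes, the `FORBIDDEN_FIELDS` set and the sample messages are constructed for illustration and would be tuned to a real system's data formats.

```python
"""Audit-log PHI guard: redact identifier patterns in log messages and refuse
structured fields that carry PHI. Added example, not code from hipaa-agent.md."""
import logging
import re

# Regexes for identifiers that commonly leak into log lines. Constructed for
# this example; tune them to your own data formats (e.g. your MRN layout).
PHI_PATTERNS = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "IPV4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "DATE": re.compile(r"\b(?:19|20)\d{2}-\d{2}-\d{2}\b"),  # ISO dates (DOB, visits)
    "PHONE": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
}

# Structured fields (passed via logger.info(..., extra={...})) that must never
# reach the sink. Log an opaque surrogate such as patient_id instead.
FORBIDDEN_FIELDS = {"patient_name", "ssn", "mrn", "dob", "email", "address", "phone"}


def redact(text: str) -> str:
    """Replace every matched identifier with a typed placeholder."""
    for label, pattern in PHI_PATTERNS.items():
        text = pattern.sub(f"[REDACTED-{label}]", text)
    return text


class PhiGuardFilter(logging.Filter):
    """Attached to the handler so it sees every record, whatever logger made it."""

    def filter(self, record: logging.LogRecord) -> bool:
        leaked = FORBIDDEN_FIELDS.intersection(record.__dict__)
        if leaked:
            # Drop the original message entirely; keep a trace that it happened.
            record.msg = f"DROPPED log record: forbidden fields {sorted(leaked)}"
            record.args = ()
            return True
        # Render %-style args first so redaction also covers interpolated values.
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


class ListHandler(logging.Handler):
    """Collects formatted lines in memory so the example can inspect them."""

    def __init__(self) -> None:
        super().__init__()
        self.lines: list[str] = []

    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(self.format(record))


def build_audit_logger(name: str = "hipaa.audit") -> tuple[logging.Logger, ListHandler]:
    """Logger whose only handler runs the PHI guard before writing anything."""
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = ListHandler()
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(PhiGuardFilter())
    logger.addHandler(handler)
    return logger, handler


def emit_and_capture(message: str, *args, **fields) -> str:
    """Log one record through the guarded logger and return the line it wrote."""
    logger, handler = build_audit_logger()
    logger.info(message, *args, extra=fields)
    return handler.lines[-1]


if __name__ == "__main__":
    # Constructed sample messages of the kind an AI assistant tends to generate.
    print(emit_and_capture("lookup failed for SSN 123-45-6789 from 10.0.0.7"))
    print(emit_and_capture("login from %s for %s", "203.0.113.9", "jane@example.org"))
    print(emit_and_capture("chart viewed", actor_id="u-17", patient_id="p-8821"))
    print(emit_and_capture("export started", patient_name="Jane Roe"))
```

The regex pass is a backstop, not the control: a free-text patient name cannot be detected by pattern, which is why the structured-field check refuses the record outright and why the audit event should carry a surrogate identifier rather than the MRN or name.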
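The development-environment item above, as an added example that is not part of hipaa-agent.md or HealthStack: Safe Harbor de-identification combined with HMAC-based deterministic tokenization, so a patient table and an encounter table in staging share the same pseudonym (joins still work) without carrying the real MRN, name, SSN, full date of birth or full ZIP. The sample rows, `TOKEN_KEY` and field names are constructed; the restricted three-digit ZIP set is the one given in HHS Safe Harbor guidance (2000 census figures) and should be re-checked against current data before use.

```python
"""Safe Harbor de-identification with deterministic tokenization for dev/staging
data. Added example; not code from hipaa-agent.md or HealthStack."""
import hashlib
import hmac
from datetime import date

# Constructed key for the example. In practice it lives in a secrets manager,
# is never deployed to the environment that receives the de-identified copy,
# and rotating it re-keys every token, so rotate per refresh, not mid-copy.
TOKEN_KEY = b"example-tokenization-key-do-not-reuse"

# Three-digit ZIP prefixes covering 20,000 or fewer people, per HHS Safe Harbor
# guidance (2000 census figures); Safe Harbor requires these to become 000.
RESTRICTED_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821",
    "823", "830", "831", "878", "879", "884", "890", "893",
}


def tokenize(identifier: str, namespace: str) -> str:
    """HMAC-SHA256 pseudonym. Same input and key give the same token in every
    table; without the key it cannot be reversed, and the namespace keeps an
    MRN token from correlating with an SSN token of the same raw value."""
    mac = hmac.new(TOKEN_KEY, f"{namespace}:{identifier}".encode(), hashlib.sha256)
    return f"{namespace}_{mac.hexdigest()[:16]}"


def safe_harbor_zip(zip_code: str) -> str:
    """Keep the first three digits unless the prefix is in the restricted set."""
    zip3 = zip_code[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def age_on(dob: date, as_of: date) -> int:
    return as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))


def deidentify_patient(rec: dict, as_of: date) -> dict:
    """Direct identifiers are dropped or tokenized; dates keep only the year;
    ages over 89 (and their birth year) collapse into a single 90+ bucket."""
    dob = date.fromisoformat(rec["dob"])
    age = age_on(dob, as_of)
    over_89 = age > 89
    return {
        "patient_token": tokenize(rec["mrn"], "mrn"),
        "age": "90+" if over_89 else str(age),
        "birth_year": None if over_89 else dob.year,
        "zip3": safe_harbor_zip(rec["zip"]),
        "diagnosis": rec["diagnosis"],  # clinical content is not an identifier
    }


def deidentify_encounter(rec: dict) -> dict:
    """Same token for the same MRN, so joins to the patient table still work."""
    return {
        "patient_token": tokenize(rec["mrn"], "mrn"),
        "encounter_year": date.fromisoformat(rec["visit_date"]).year,
        "cpt": rec["cpt"],
    }


# Constructed sample rows (not real patients).
PATIENTS = [
    {"mrn": "MRN-0012345", "name": "Jane Roe", "dob": "1932-03-15",
     "ssn": "123-45-6789", "zip": "03601", "diagnosis": "E11.9"},
    {"mrn": "MRN-0099887", "name": "John Doe", "dob": "1990-11-02",
     "ssn": "987-65-4321", "zip": "94110", "diagnosis": "J45.20"},
]
ENCOUNTERS = [
    {"mrn": "MRN-0012345", "visit_date": "2024-10-09", "cpt": "99213"},
    {"mrn": "MRN-0099887", "visit_date": "2025-01-20", "cpt": "99214"},
]
AS_OF = date(2025, 6, 1)


def build_staging_copy(as_of: date = AS_OF) -> tuple[list[dict], list[dict]]:
    """De-identify both tables with one key so tokens line up across them."""
    patients = [deidentify_patient(p, as_of) for p in PATIENTS]
    encounters = [deidentify_encounter(e) for e in ENCOUNTERS]
    return patients, encounters


if __name__ == "__main__":
    patients, encounters = build_staging_copy()
    for row in patients + encounters:
        print(row)
```

The HMAC choice matters: a plain SHA-256 of an MRN is reversible by brute force over the MRN space, whereas the keyed MAC is only reversible by whoever holds the key, which stays out of the dev and staging environments.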
How to use it
- Download hipaa-agent.md from the GitHub repository
- Add it to your project or AI tool configuration
- Start coding. The agent applies compliance patterns automatically.
In Claude Code, you can load it as a skill. In Cursor, add it to your .cursorrules or reference it in the system prompt. It works with any AI coding tool that accepts markdown instructions.

Where this comes from
At Momentum, I handle infrastructure security and compliance for our healthcare projects. Over the past few years, we've built HIPAA-compliant systems across the healthcare spectrum: medication management platforms, caregiving applications with EHR integrations (Epic, Cerner, NextGen), medical testing workflows, prior authorization systems handling millions of patients, elderly health monitoring with ML-powered anomaly detection.
We also maintain several open-source healthcare projects: Open Wearables (a unified API for wearable health data), FHIR MCP Server (natural language access to clinical data), and HealthStack (Terraform modules for compliant cloud infrastructure).
This agent is a distillation of the compliance patterns I apply across those projects. The same checks I run during infrastructure review and code audit, packaged so an AI assistant can apply them during development.
What it does not do
This is a coding aid, not legal advice. It does not replace a compliance officer, a Business Associate Agreement, or a formal risk assessment. HIPAA compliance involves organizational policies, physical safeguards, staff training, and incident response procedures that go beyond code.
The agent makes your AI assistant aware of what HIPAA requires at the technical level. It reduces the number of compliance issues that make it to code review. It does not guarantee compliance on its own.
Get the HIPAA Agent
The HIPAA agent is free, MIT licensed, and available on GitHub.
If you try it out, I'd appreciate your feedback. Open an issue on the repo if something is missing, inaccurate, or could be improved. The goal is to keep this maintained as HIPAA requirements evolve, and community input helps.
If you found this useful, consider starring the repository and sharing it with other developers working on healthcare projects.

Resources:
- HIPAA-compliance skill setup guide
- Full HIPAA-Compliant Infrastructure as Code for Healthcare on AWS