A recent discussion with a compliance officer clarified a nuance I had underestimated: geographic identifiers at the city level, when combined with other contextual information in an agent's prompt or memory, can constitute Protected Health Information under HIPAA.
The rule of thumb is that any geographic subdivision smaller than a state is considered a potential identifier if it can be linked to an individual. While a city name alone might not be PHI, its presence within an agent's context window alongside other seemingly benign data points creates risk. Consider an agent tasked with scheduling:
- The patient lives in "Springfield" (common, but one of many).
- The agent has access to a clinic schedule showing "Dr. Miller, Oncology, Thursday 2 PM."
- The context window retains: "Patient in Springfield needs reschedule for oncology with Dr. Miller."
The combination of city, medical specialty, and provider name could be sufficiently unique to identify the individual, especially in smaller municipalities. This transforms the entire context window into a PHI-containing dataset.
This has direct implications for our network and data flow designs:
- **Logging & Debugging**: Agent context dumps in logs become PHI exposure points.
- **Network Segmentation**: Agent subnets must treat all context data as PHI, requiring isolation from non-HIPAA components. A common mistake is allowing agent management traffic (e.g., health checks, metrics) to egress through less-secure paths.
- **Microsegmentation Rules**: Needed even within the agent workload cluster. Example rule to isolate agent-to-database traffic, preventing lateral movement:
```yaml
# Example Calico NetworkPolicy snippet
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
name: restrict-agent-to-phi-db
namespace: agent-workloads
spec:
selector: app == 'scheduling-agent'
types:
- Egress
egress:
- action: Allow
protocol: TCP
destination:
selector: role == 'phi-postgres'
ports:
- '5432'
- action: Deny
destination:
selector: role == 'monitoring'
```
The principle of "minimum necessary" must be applied to the context window itself. Engineers should architect for context minimization—stripping non-essential fields like location before the data enters the LLM's working memory—rather than relying on post-processing filters. This is a data architecture problem solved at the ingress point, not a network one.
Segment everything.