HIPAA was written for fax machines and patient charts. Agents are neither. The Office for Civil Rights has signalled enforcement against AI handling PHI, and the practical bar is higher than most engineers expect. Here is what a HIPAA-compliant MCP server actually requires in 2026.
Does HIPAA apply to your MCP server?
Three triggers; any one is enough:
- The server reads, writes, or processes Protected Health Information (PHI).
- The server is operated by a Covered Entity (provider, plan, clearinghouse) or its Business Associate.
- The server passes PHI to a downstream service — even briefly.
If yes, the requirements below are not optional.
Business Associate Agreements (BAAs)
Every entity in the data path needs a BAA with the entity above it. For an MCP server that passes PHI to an LLM:
- BAA between you and the model vendor (Anthropic, OpenAI both offer one for healthcare tier).
- BAA between you and any cloud hosting (AWS, GCP, Azure all have HIPAA-eligible services).
- BAA with any MCP server vendor whose tools touch PHI.
No BAA = no PHI. Period.
The nine controls
1. Encryption in transit
TLS 1.2 or higher for every network MCP transport. JSON-RPC over stdio never crosses the network, but it still depends on OS-level protections, starting with disk encryption on the host.
2. Encryption at rest
Every store touching PHI: database, vector index, audit logs, even the agent's memory layer. AES-256 minimum; KMS-backed keys preferred.
3. Access controls
Role-based access at every layer. The MCP server validates the requesting identity (via the SSO pattern) and rejects calls outside the user's role.
4. Audit controls
Every PHI access logged with: who, what, when, why. See the audit trails guide — the same schema works. Retention: 6 years minimum.
5. Integrity
Tamper-evident logs (hash chaining) so a breach cannot rewrite history. Both for compliance and for the post-incident investigation.
6. Person or entity authentication
MFA required for every user accessing PHI through the agent. SSO + MFA at the host; MFA-aware tokens passed through to the MCP server.
7. Transmission security
PHI must not appear in URLs, query params, or non-encrypted logs. Many MCP servers log request payloads — disable or redact for HIPAA contexts.
8. Minimum necessary
Limit PHI to the minimum required for the task. The MCP server should expose narrow tools (get_diagnosis(patient_id)) not broad ones (get_patient_record(id)). Argument validation enforces it.
9. Breach notification readiness
Process to detect and notify within 60 days of breach discovery. Wire alerting on anomalous PHI access patterns into your observability platform.
What an MCP server design looks like
The shape of a HIPAA-compliant MCP server:
auth check (token + scope)
↓
audit log (intent)
↓
minimum-necessary filter on arguments
↓
upstream PHI fetch (encrypted in transit)
↓
field-level redaction (return only what was requested)
↓
audit log (result hash, not content)
↓
return
Every layer is non-optional. The pattern is mature enough that healthcare-specific MCP server templates exist (search "HIPAA MCP" on this directory).
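The pipeline above as a Python tool handler, added here as an example (not the page's or any MCP vendor's code): scope check, hash-chained audit entries for intent and for the result hash, argument validation, and field-level redaction driven by a per-tool field allowlist. TOOLS, PATIENTS, AUDIT and handle_tool_call are hypothetical names, and the patient record is constructed sample data.

```python
import hashlib
import json
from datetime import datetime, timezone

# Hypothetical tool registry: each narrow tool names the scope it needs and the
# only fields it may return (minimum necessary). Constructed for this example.
TOOLS = {
    "get_diagnosis": {"scope": "phi:read:diagnosis", "fields": ("patient_id", "diagnosis")},
    "get_allergies": {"scope": "phi:read:allergies", "fields": ("patient_id", "allergies")},
}
# Constructed stand-in for the upstream PHI store (reached over TLS in a real deployment).
PATIENTS = {"p-001": {"patient_id": "p-001", "name": "Test Patient", "dob": "1970-01-01",
                      "diagnosis": "J45.20", "allergies": ["penicillin"]}}
AUDIT = []  # hash-chained audit entries; each hash covers the previous entry's hash

def _append_audit(event):
    prev = AUDIT[-1]["hash"] if AUDIT else "0" * 64
    event = {**event, "at": datetime.now(timezone.utc).isoformat()}
    body = json.dumps({"prev": prev, **event}, sort_keys=True).encode()
    AUDIT.append({**event, "prev": prev, "hash": hashlib.sha256(body).hexdigest()})

def verify_audit_chain(log):
    """Recompute every link; False if any entry was edited, removed or reordered."""
    prev = "0" * 64
    for e in log:
        event = {k: v for k, v in e.items() if k not in ("prev", "hash")}
        body = json.dumps({"prev": prev, **event}, sort_keys=True).encode()
        if e["prev"] != prev or hashlib.sha256(body).hexdigest() != e["hash"]:
            return False
        prev = e["hash"]
    return True

def handle_tool_call(token, tool, args):
    """Auth -> audit intent -> argument validation -> fetch -> redact -> audit result hash."""
    spec = TOOLS.get(tool)
    base = {"actor": token["sub"], "tool": tool}
    if spec is None or spec["scope"] not in token["scopes"]:
        _append_audit({**base, "outcome": "denied"})
        raise PermissionError(f"{tool}: missing scope")
    if set(args) != {"patient_id"}:  # argument validation: only the identifier is accepted
        _append_audit({**base, "outcome": "bad_args"})
        raise ValueError("unexpected arguments")
    base["patient"] = args["patient_id"]
    _append_audit({**base, "outcome": "intent"})  # log intent before touching PHI
    record = PATIENTS[args["patient_id"]]
    result = {k: record[k] for k in spec["fields"]}  # field-level redaction
    digest = hashlib.sha256(json.dumps(result, sort_keys=True).encode()).hexdigest()
    _append_audit({**base, "outcome": "ok", "result_sha256": digest})  # hash, not content
    return result
```

The audit entries record the identifier and a digest of what was returned, never the PHI fields themselves, so the log itself never becomes a PHI store.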
What does NOT count as compliance
- A PHI server "behind a firewall" — encryption in transit still required.
- A vendor BAA without your own controls — BAA is necessary, not sufficient.
- LLM vendor's HIPAA tier without configuration — every call must opt in to the PHI-eligible endpoint.
- "We do not log PHI" — you have to prove it.
Penalty model
HHS-OCR penalties scale by tier:
| Tier | Per violation | Annual cap |
|---|---|---|
| Did not know | $137 – $34,464 | $2.07M |
| Reasonable cause | $1,379 – $68,928 | $2.07M |
| Wilful neglect (corrected) | $13,785 – $68,928 | $2.07M |
| Wilful neglect (uncorrected) | $68,928+ | $2.07M |
Plus state-level enforcement and class-action exposure. A single breach can run into tens of millions.
Common mistakes
- Forgetting the LLM vendor BAA — most teams remember cloud and database, miss the model.
- Logging full prompts — prompts often contain PHI even when the response does not.
- Memory layer leakage — long-term agent memory becomes a PHI store; same controls apply.
- No covered-entity training — the workforce must understand HIPAA before they touch PHI.
Where this is heading
Two trends by 2027: HIPAA-specific MCP server certifications (vendor-led, similar to FedRAMP), and OCR-published guidance specifically on agentic systems. The bar will rise; build to it now.