Example: Healthcare Data Access Guard

Guard AI agent access to patient records using HIPAA-aligned consensus with clinical and privacy personas.

Scenario

An AI clinical decision support (CDS) system requests access to a patient's electronic health records to generate a treatment recommendation. The patient, a 58-year-old with a complex cardiac history, was admitted through the ED two hours ago. The CDS agent needs lab results, medication history, and prior imaging reports.

Before any Protected Health Information (PHI) is returned to the agent, a healthcare data access guard evaluates the request. Four specialist personas assess whether the access meets HIPAA requirements: Is there an active treatment relationship? Does the request satisfy the Minimum Necessary Standard? Is the access properly logged for the designated record set? Can the data be de-identified where full PHI is not required?

What happens without the guard

The CDS agent receives unrestricted access to the patient's entire medical record -- including behavioral health notes, HIV status, substance abuse treatment records, and psychotherapy notes that have stricter protections under 42 CFR Part 2 and 45 CFR 164.508. The organization has now committed a HIPAA Privacy Rule violation. Under the HITECH Act tiered penalty structure, this falls under "reasonable cause" (Tier B): $1,000 to $50,000 per violation, with an annual maximum of $1.5M per violation category. An OCR (Office for Civil Rights) investigation follows, requiring costly remediation, breach notification, and a potential corrective action plan.

The four guard personas

Persona ID              | Role                       | Evaluates
------------------------|----------------------------|----------
hipaa-privacy-officer   | HIPAA Privacy Officer      | Treatment/Payment/Operations (TPO) basis, authorization requirements, special category protections
clinical-data-steward   | Clinical Data Steward      | Minimum Necessary Standard compliance, data scope appropriateness for clinical use case
access-control-reviewer | Access Control Reviewer    | Agent authorization, role-based access, treatment relationship verification
audit-compliance        | Audit & Compliance Analyst | Access logging, designated record set tracking, breach risk assessment

Full working example

Step 1: Initialize the board

import { LocalBoard, createStorage } from "@consensus-tools/core";

const config = {
  storage: { type: "sqlite", path: "./healthcare-guard.db" },
  consensus: {
    defaultPolicy: "APPROVAL_VOTE",
    quorum: 4,
    stakeRequired: 8,
    approvalThreshold: 0.75, // 3 of 4 must approve for ALLOW
  },
};

const storage = await createStorage(config);
const board = new LocalBoard(config, storage);
await board.init();

// Fund all guard personas
const personas = [
  "hipaa-privacy-officer",
  "clinical-data-steward",
  "access-control-reviewer",
  "audit-compliance",
];
for (const persona of personas) {
  await board.ledger.faucet(persona, 150);
}

Step 2: Post the data access review job

The CDS agent posts an access request. The input includes the requesting system's identity, the patient context, and the specific data categories requested.

const job = await board.engine.postJob("cds-agent-cardiology", {
  title: "PHI Access Request: Patient MRN-7742 — Treatment Recommendation",
  description: "Evaluate AI agent request to access patient health records for clinical decision support",
  input: JSON.stringify({
    request_id: "PHI-REQ-2026-0319-1423",
    requesting_agent: {
      id: "cds-agent-cardiology",
      system: "CardioAssist CDS v3.1",
      agent_type: "clinical_decision_support",
      authorized_scopes: ["lab_results", "medication_history", "imaging_reports", "vital_signs"],
    },
    patient_context: {
      mrn: "MRN-7742",
      encounter_id: "ENC-2026-0319-0891",
      encounter_type: "EMERGENCY",
      admitting_diagnosis: "Acute chest pain, rule out STEMI",
      treatment_relationship: {
        active: true,
        attending_provider: "DR-CHEN-4419",
        service_line: "CARDIOLOGY",
        admission_time: "2026-03-19T12:23:00Z",
      },
    },
    data_requested: [
      { category: "lab_results", scope: "troponin, BMP, CBC, coagulation panel", timeframe: "last_72h" },
      { category: "medication_history", scope: "active_medications_and_allergies", timeframe: "current" },
      { category: "imaging_reports", scope: "chest_xray, echocardiogram, prior_cath", timeframe: "last_24m" },
      { category: "vital_signs", scope: "continuous_monitoring", timeframe: "since_admission" },
    ],
    data_not_requested: [
      "behavioral_health_notes",
      "substance_abuse_records",
      "psychotherapy_notes",
      "hiv_status",
      "genetic_testing",
    ],
  }),
  reward: 40,
  stakeRequired: 8,
  consensusPolicy: { type: "APPROVAL_VOTE", quorum: 4, approvalThreshold: 0.75 },
  expiresInSeconds: 60, // Time-sensitive: ED patient
});

console.log(`Job posted: ${job.id}`);

Time sensitivity matters

The 60-second expiry reflects the clinical reality: a patient in the ED with possible STEMI cannot wait for a multi-hour review. The guard must be fast without sacrificing rigor.

Step 3: Persona evaluations — ACCESS ALLOWED path

In this scenario, all four personas approve the request. The data categories are clinically appropriate, the treatment relationship is active, and the request excludes protected special categories.

// --- HIPAA Privacy Officer ---
await board.engine.claimJob("hipaa-privacy-officer", job.id, {
  stakeAmount: 8,
  leaseSeconds: 30,
});
await board.engine.submitJob("hipaa-privacy-officer", job.id, {
  summary: "ALLOW — Valid Treatment purpose under 45 CFR 164.506. No authorization required for TPO use. Special categories (42 CFR Part 2, psychotherapy notes) correctly excluded from request.",
  confidence: 0.97,
  artifact: {
    verdict: "ALLOW",
    legal_basis: "TPO_TREATMENT",
    regulatory_refs: [
      "45 CFR § 164.506 — Uses and disclosures for treatment, payment, health care operations",
      "45 CFR § 164.502(a)(1) — Permitted uses without authorization",
      "45 CFR § 164.508(a)(2) — Psychotherapy notes exclusion verified",
    ],
    conditions: [
      "Access limited to data categories specified in request",
      "No re-disclosure to non-treatment entities without additional review",
    ],
    details: "The requesting CDS agent has a valid treatment purpose: generating a recommendation for an actively admitted ED patient with an attending provider on record. This falls squarely within Treatment under the TPO exception. No patient authorization is required. The agent correctly excluded behavioral health, substance abuse (42 CFR Part 2), and psychotherapy notes from the request.",
  },
});

// --- Clinical Data Steward ---
await board.engine.claimJob("clinical-data-steward", job.id, {
  stakeAmount: 8,
  leaseSeconds: 30,
});
await board.engine.submitJob("clinical-data-steward", job.id, {
  summary: "ALLOW — Request satisfies Minimum Necessary Standard. Data categories are clinically appropriate for cardiac workup. Timeframes are reasonable and scoped.",
  confidence: 0.94,
  artifact: {
    verdict: "ALLOW",
    minimum_necessary_assessment: {
      lab_results: "APPROPRIATE — Troponin, BMP, CBC, coags are standard cardiac panel. 72h window captures serial troponins.",
      medication_history: "APPROPRIATE — Active meds and allergies are essential for drug interaction checking and treatment planning.",
      imaging_reports: "APPROPRIATE — Prior cardiac imaging within 24 months provides baseline for comparison. Scope limited to relevant modalities.",
      vital_signs: "APPROPRIATE — Continuous monitoring since admission is the minimum required for trend analysis.",
    },
    regulatory_refs: [
      "45 CFR § 164.502(b) — Minimum Necessary Standard",
      "45 CFR § 164.514(d) — Implementation specifications",
    ],
    details: "Each data category is justified by the clinical context (acute chest pain r/o STEMI). The agent is not requesting full chart access — it has scoped to specific categories, timeframes, and data types. This meets the Minimum Necessary Standard under 45 CFR 164.502(b). Note: the treatment exception at 164.502(b)(2)(i) exempts treatment disclosures from minimum necessary, but the agent's self-scoping is best practice.",
  },
});

// --- Access Control Reviewer ---
await board.engine.claimJob("access-control-reviewer", job.id, {
  stakeAmount: 8,
  leaseSeconds: 30,
});
await board.engine.submitJob("access-control-reviewer", job.id, {
  summary: "ALLOW — Agent is registered with appropriate scopes. Active treatment relationship confirmed via encounter record. Role-based access policies satisfied.",
  confidence: 0.96,
  artifact: {
    verdict: "ALLOW",
    access_checks: {
      agent_registered: true,
      agent_scopes_valid: true,
      scopes_requested_within_authorized: true,
      treatment_relationship_active: true,
      encounter_verified: true,
      attending_provider_on_record: true,
    },
    details: "Agent cds-agent-cardiology is registered with scopes [lab_results, medication_history, imaging_reports, vital_signs]. All requested data categories fall within authorized scopes. Treatment relationship verified: encounter ENC-2026-0319-0891 is active with attending provider DR-CHEN-4419 on the cardiology service line.",
  },
});

// --- Audit & Compliance Analyst ---
await board.engine.claimJob("audit-compliance", job.id, {
  stakeAmount: 8,
  leaseSeconds: 30,
});
await board.engine.submitJob("audit-compliance", job.id, {
  summary: "ALLOW — Access will be logged to designated record set audit trail. Breach risk assessment: LOW. Recommend standard 6-year retention for access log.",
  confidence: 0.93,
  artifact: {
    verdict: "ALLOW",
    audit_requirements: {
      access_log_entry_required: true,
      designated_record_set_tracking: true,
      retention_period_years: 6,
      breach_risk_level: "LOW",
    },
    regulatory_refs: [
      "45 CFR § 164.528 — Accounting of disclosures",
      "45 CFR § 164.530(j) — 6-year retention requirement",
    ],
    conditions: [
      "Access event must be logged with: agent ID, patient MRN, data categories accessed, timestamp, purpose",
      "Log must be available for patient's right-of-access request under 164.524",
      "Retain access log for minimum 6 years per 164.530(j)",
    ],
    details: "This access event must be logged in the designated record set audit trail. While treatment disclosures are exempt from the accounting-of-disclosures requirement under 164.528(a)(1), organizational policy requires logging all AI agent access for risk monitoring. Breach risk is LOW given the valid treatment purpose and scoped data request.",
  },
});

Step 4: Resolve — ALLOW decision

All four personas approved. The board resolves and the CDS agent receives the scoped data.

const resolution = await board.engine.resolveJob("cds-agent-cardiology", job.id);

console.log("Decision:", resolution);
// {
//   outcome: "ALLOW",
//   approvalCount: 4,
//   totalVotes: 4,
//   approvalRate: 1.0,
//   requiredThreshold: 0.75,
//   winners: [
//     "hipaa-privacy-officer",
//     "clinical-data-steward",
//     "access-control-reviewer",
//     "audit-compliance"
//   ],
//   conditions: [
//     "Access limited to data categories specified in request",
//     "No re-disclosure to non-treatment entities",
//     "Access event logged to designated record set audit trail",
//     "6-year retention for access log"
//   ]
// }
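How the resolution above follows from the four submissions, as an added example that is not the library's own resolver: it applies the APPROVAL_VOTE policy from step 1 (quorum 4, approvalThreshold 0.75) to constructed submissions shaped like the step 3 artifacts. The submission shape (persona plus artifact.verdict and artifact.conditions), the PENDING outcome below quorum, and counting every persona whose verdict matches the outcome as a winner are assumptions.

```javascript
// Added example, not @consensus-tools/core code: tally persona submissions under the
// APPROVAL_VOTE policy (quorum 4, approvalThreshold 0.75) used in this guard.
// Assumed: submissions look like { persona, artifact: { verdict, conditions? } },
// a sub-quorum tally is "PENDING", and winners are the personas whose verdict matched.
const POLICY = { type: "APPROVAL_VOTE", quorum: 4, approvalThreshold: 0.75 };

function tallyApprovalVote(submissions, policy) {
  const totalVotes = submissions.length;
  const base = { totalVotes, requiredThreshold: policy.approvalThreshold };
  if (totalVotes < policy.quorum) {
    return { ...base, outcome: "PENDING", approvalCount: 0, approvalRate: 0, winners: [], conditions: [] };
  }
  const approvals = submissions.filter((s) => s.artifact.verdict === "ALLOW");
  const approvalRate = approvals.length / totalVotes;
  // 3 of 4 is exactly 0.75 and clears the threshold; 2 of 4 does not
  const outcome = approvalRate >= policy.approvalThreshold ? "ALLOW" : "BLOCK";
  const winners = submissions
    .filter((s) => s.artifact.verdict === outcome)
    .map((s) => s.persona);
  // Conditions attached by approving personas travel with an ALLOW, de-duplicated
  const conditions =
    outcome === "ALLOW" ? [...new Set(approvals.flatMap((s) => s.artifact.conditions ?? []))] : [];
  return { ...base, outcome, approvalCount: approvals.length, approvalRate, winners, conditions };
}

// Constructed sample: the step 3 verdicts, with the conditions two of the personas attached
const sampleSubmissions = [
  { persona: "hipaa-privacy-officer", artifact: { verdict: "ALLOW", conditions: ["Access limited to data categories specified in request"] } },
  { persona: "clinical-data-steward", artifact: { verdict: "ALLOW" } },
  { persona: "access-control-reviewer", artifact: { verdict: "ALLOW" } },
  { persona: "audit-compliance", artifact: { verdict: "ALLOW", conditions: ["Retain access log for minimum 6 years per 164.530(j)"] } },
];
```

Flipping one persona to BLOCK still yields ALLOW at a 0.75 rate, while a second BLOCK drops the rate to 0.5 and the request is denied.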

Alternative outcomes: BLOCK and REQUIRE_HUMAN

The scenario above results in ALLOW because the request is well-formed. Here is what triggers the other outcomes.

Access is blocked when a persona detects one of the conditions listed below. Two example BLOCK submissions:

// Example: Agent requests psychotherapy notes
await board.engine.submitJob("hipaa-privacy-officer", job.id, {
  summary: "BLOCK — Request includes psychotherapy notes. These require explicit patient authorization under 45 CFR 164.508(a)(2). No authorization on file.",
  confidence: 0.99,
  artifact: {
    verdict: "BLOCK",
    flags: ["PSYCHOTHERAPY_NOTES_REQUESTED", "AUTHORIZATION_REQUIRED", "NO_AUTHORIZATION_ON_FILE"],
    regulatory_refs: ["45 CFR § 164.508(a)(2)"],
    details: "Psychotherapy notes have the highest protection level under HIPAA. They cannot be disclosed for treatment purposes without explicit patient authorization. This is a hard block — no override without signed authorization.",
  },
});

// Example: No active treatment relationship
await board.engine.submitJob("access-control-reviewer", job.id, {
  summary: "BLOCK — No active treatment relationship. Patient was discharged 3 days ago. No active encounter on record.",
  confidence: 0.98,
  artifact: {
    verdict: "BLOCK",
    flags: ["NO_TREATMENT_RELATIONSHIP", "ENCOUNTER_CLOSED", "ACCESS_DENIED"],
  },
});

BLOCK triggers include:

  • Requesting special category data (psychotherapy notes, substance abuse records under 42 CFR Part 2, HIV status) without explicit authorization
  • No active treatment relationship or encounter
  • Agent not registered or requesting data outside authorized scopes
  • Patient has opted out of AI-assisted care (where applicable under state law)
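The BLOCK triggers above, applied deterministically to the step 2 request payload before it is posted to the board, as an added example that is not part of this guard or of @consensus-tools/core. The agent registry shape, the `authorizationOnFile` option, the `ai_opt_out` field and the flag strings are assumptions; the special-category list is taken from the request's `data_not_requested` entries.

```javascript
// Added example, not library code: pre-check a PHI request against the BLOCK triggers.
// Assumed: registry is { [agentId]: { authorized_scopes: string[] } }; flags are illustrative.
const SPECIAL_CATEGORIES = new Set([
  "psychotherapy_notes",     // 45 CFR 164.508(a)(2): patient authorization required
  "substance_abuse_records", // 42 CFR Part 2
  "behavioral_health_notes",
  "hiv_status",
  "genetic_testing",
]);

function precheckPhiRequest(req, registry, opts = {}) {
  const flags = new Set();
  // Scopes come from the trusted registry, never from what the request claims about itself
  const agent = registry[req.requesting_agent?.id];
  if (!agent) flags.add("AGENT_NOT_REGISTERED");

  for (const item of req.data_requested) {
    if (agent && !agent.authorized_scopes.includes(item.category)) {
      flags.add(`SCOPE_NOT_AUTHORIZED:${item.category}`);
    }
    // Special categories are a hard block unless a signed authorization is on file
    if (SPECIAL_CATEGORIES.has(item.category)) {
      flags.add(`SPECIAL_CATEGORY_REQUESTED:${item.category}`);
      if (!opts.authorizationOnFile) flags.add("NO_AUTHORIZATION_ON_FILE");
    }
  }

  // Treatment relationship: an active encounter with an attending provider on record
  const rel = req.patient_context?.treatment_relationship;
  if (!rel?.active || !rel.attending_provider) flags.add("NO_TREATMENT_RELATIONSHIP");

  // Patient opt-out of AI-assisted care (where state law provides one); field name assumed
  if (req.patient_context?.ai_opt_out) flags.add("PATIENT_OPTED_OUT");

  return { verdict: flags.size === 0 ? "ALLOW" : "BLOCK", flags: [...flags] };
}

// Constructed sample mirroring the step 2 request, trimmed to the fields checked above
const sampleRegistry = {
  "cds-agent-cardiology": { authorized_scopes: ["lab_results", "medication_history", "imaging_reports", "vital_signs"] },
};
const sampleRequest = {
  requesting_agent: { id: "cds-agent-cardiology" },
  patient_context: { mrn: "MRN-7742", treatment_relationship: { active: true, attending_provider: "DR-CHEN-4419" } },
  data_requested: [{ category: "lab_results" }, { category: "medication_history" }],
};
```

Adding psychotherapy notes to the sample request produces both a special-category flag and a scope flag, since that category is also outside the agent's registered scopes.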

Reputation settlement

After a human reviewer confirms the decision was correct, reputation is settled.

// Human privacy officer confirms the ALLOW was appropriate
for (const persona of personas) {
  await board.ledger.payout(persona, 10, job.id);
}

// If a persona had voted incorrectly (e.g., BLOCK on a valid request),
// their stake would be slashed instead:
// await board.ledger.stake("incorrect-persona", 8, job.id); // stake forfeited

const balances = await board.ledger.getBalances();
console.log(balances);
// {
//   "hipaa-privacy-officer": 152,
//   "clinical-data-steward": 152,
//   "access-control-reviewer": 152,
//   "audit-compliance": 152,
// }

Why reputation matters in healthcare

A hipaa-privacy-officer persona that consistently makes correct access decisions accumulates reputation, increasing its weight in future evaluations. A persona that generates false blocks on legitimate treatment access (delaying patient care) or false allows on unauthorized access (causing HIPAA violations) gets slashed. This creates a natural selection pressure toward accurate, well-calibrated privacy decisions.

The audit trail

Every access decision produces a complete, immutable audit record:

Artifact          | Contents                                                                      | Regulatory Purpose
------------------|-------------------------------------------------------------------------------|-------------------
Job record        | Full access request: agent ID, patient MRN, data categories, clinical context | 45 CFR 164.530(j) — documentation requirement
4 submissions     | Each persona's independent evaluation with regulatory citations               | Evidence of reasonable safeguards under 164.530(c)
Resolution record | Final ALLOW/BLOCK/REQUIRE_HUMAN decision with conditions                      | Accountability documentation for OCR investigations
Ledger entries    | Stake locks, payouts, slashing events                                         | Governance audit trail
Access log entry  | Timestamp, agent, patient, data accessed, purpose                             | 45 CFR 164.528 — accounting of disclosures

OCR investigation readiness

When the Office for Civil Rights investigates a potential HIPAA violation, it requests documentation of the organization's safeguards, access controls, and decision rationale. This guard produces exactly that documentation automatically. Organizations without this level of audit granularity typically spend 6-18 months in costly remediation under an OCR corrective action plan.

Key regulatory references

  • 45 CFR 164.502 -- General rules for uses and disclosures of PHI, including the Minimum Necessary Standard at 164.502(b)
  • 45 CFR 164.506 -- Uses and disclosures for Treatment, Payment, and Health Care Operations (TPO) without patient authorization
  • 45 CFR 164.508 -- Uses and disclosures requiring patient authorization, including psychotherapy notes at 164.508(a)(2)
  • 45 CFR 164.524 -- Individual's right of access to their designated record set
  • 45 CFR 164.528 -- Accounting of disclosures requirement
  • 42 CFR Part 2 -- Confidentiality of substance use disorder patient records (stricter than HIPAA)
  • HITECH Act -- Tiered penalty structure: Tier A (unknowing) $100-$50K; Tier B (reasonable cause) $1K-$50K; Tier C (willful neglect, corrected) $10K-$50K; Tier D (willful neglect, not corrected) $50K+; annual cap $1.5M per category