TL;DR
- Keragon MCP provides secure, healthcare-focused controls within the MCP service boundary, including credential isolation, explicit tool permissions, and audit logging.
- HIPAA compliance is a shared responsibility. Keragon secures the MCP layer; customers govern PHI use across the full workflow.
- PHI should only be routed through Keragon MCP after a BAA with Keragon is executed, and when appropriate agreements are in place with other vendors involved.
Important Note: This article is for informational purposes and does not constitute legal advice. Customers should consult counsel and their compliance teams to evaluate HIPAA obligations for their specific use case.
Overview
Keragon MCP allows AI clients (such as ChatGPT or Claude) to interact with healthcare systems only through explicitly configured tools, with secure credential handling and auditable actions.
This article explains:
- What Keragon MCP provides at the integration and infrastructure layer
- What customers are responsible for across the full PHI lifecycle (prompts → tools → downstream systems → logs → retention)
Key principle: Keragon provides technical safeguards at the MCP layer. Users remain responsible for HIPAA compliance across the entire workflow.
Shared Responsibility Model
Keragon MCP is designed to support HIPAA-eligible workflows, but HIPAA compliance depends on how MCP is configured and operated.
When PHI is involved and a Business Associate Agreement (BAA) is executed, Keragon may act as a Business Associate within the scope defined in that agreement.
⚠️ Customers should not route PHI through Keragon MCP until a BAA with Keragon is fully executed and MCP is configured in accordance with that agreement.
What Keragon MCP Provides
Keragon MCP supplies infrastructure-level controls designed for secure healthcare integrations.
Controlled Integration Layer
- Acts as a gateway between AI clients and healthcare tools
- Prevents direct AI access to EHRs, billing tools, or internal databases
- Users control which tools and actions are exposed
Explicit Tool Permissions
- AI clients can call only tools explicitly configured by the user
- Tools are intended to be narrowly scoped (for example, task-specific reads rather than broad queries)
- Supports HIPAA’s minimum necessary access principle
Secure Credential Handling
- System credentials (API keys, OAuth tokens) are stored and managed within Keragon
- Credentials are not exposed to AI models during normal MCP operation
🔐 Users remain responsible for ensuring credentials are not embedded in prompts, outputs, or client-side code.
Audit Logging
- MCP tool invocations are logged and visible in the Keragon History tab
- Logs support monitoring, review, and investigation workflows
⚠️ Depending on configuration, logs or tool payloads may contain PHI and should be governed accordingly.
Business Associate Agreement (BAA) Support
- Keragon offers a BAA for eligible customers on paid plans
- The BAA defines Keragon’s responsibilities when PHI is involved
For additional security details, see the Keragon Trust Center.
What Keragon MCP Does Not Do
Keragon MCP does not, by itself:
- Determine whether you are permitted to use or disclose PHI for a given purpose
- Define your workforce access policies or internal role-based access controls
- Make AI providers or downstream vendors HIPAA compliant by default
- Control how third-party AI models store, retain, or train on data
- Eliminate LLM-specific risks such as prompt injection, sensitive information disclosure, or excessive tool agency (these must be addressed by customer design and governance)
🔐 These areas are governed by the user as part of normal HIPAA operations.
AI/MCP Security Risks (and what customers must control)
Using AI with MCP introduces well-known risks in LLM-enabled systems. With the right configuration and operational controls, these risks can be reduced to an acceptable level, but not eliminated; the mitigations below belong in your risk analysis.
1. Prompt injection (direct and indirect)
Attackers, or untrusted content the model reads on the user's behalf (documents, emails, web pages, tool outputs), can attempt to manipulate the model into calling tools in unintended ways, including requesting broader data access or exfiltrating PHI. Direct injection arrives in the user's own prompt; indirect injection arrives in content the model processes during the task.
Customer responsibilities / recommended controls
- Treat model-supplied tool arguments as untrusted: validate and constrain parameters server-side, not in the prompt.
- Avoid “free-text do-anything” tools (e.g., unrestricted search across all patients).
- Use allowlists, strict schemas, and deny-by-default patterns.
2. Sensitive information disclosure
PHI can leak through prompts, tool outputs, chat transcripts, logs, screenshots, exports, or downstream systems.
Customer responsibilities / recommended controls
- Minimize PHI shared with the model and returned by tools (minimum necessary).
- Redact or exclude unnecessary identifiers from tool outputs where appropriate.
- Control who can view conversation transcripts and audit logs containing PHI.
3. Excessive agency / over-permissioned tools
Broad tools can turn an AI system into an operator with more power than intended (e.g., bulk export, write/modify actions).
Customer responsibilities / recommended controls
- Separate read vs. write tools; keep write tools off by default for PHI workflows unless necessary.
- Add human confirmation steps for write/modify actions in your AI workflows (especially in production systems).
- Apply rate limits and anomaly monitoring for tool invocation.
4. Tool drift / supply chain changes
Tool definitions, connected systems, and workflows change over time. Without change control, a “safe today” setup can become risky tomorrow.
Customer responsibilities / recommended controls
- Implement change management: review, test, and approve tool changes before enabling them for production or PHI.
- Use versioning and “deny new actions by default” principles (review diffs before expanding scope).
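The following Python sketch is an added example, not Keragon's code and not a description of how Keragon MCP is implemented internally. It shows what the controls in items 1 through 4 look like when enforced in one policy layer in front of tool calls: a deny-by-default tool allowlist, strict parameter schemas, minimum-necessary projection of tool output, read/write separation with a human-confirmation gate, a per-principal rate limit, and a hash-pinned manifest so that a tool definition that changed since approval is refused until re-approved. The tool names (`get_next_appointment`, `reschedule_appointment`), the parameter patterns, the `Gateway` class and the patient records are all constructed for illustration.

```python
import hashlib
import json
import re
import time
from dataclasses import dataclass

# Constructed sample records standing in for a scheduling system; not real people.
PATIENTS = {
    "P-1001": {"name": "A. Example", "ssn": "123-45-6789", "next_appt": "2025-07-01T09:00"},
    "P-1002": {"name": "B. Example", "ssn": "987-65-4321", "next_appt": None},
}


@dataclass(frozen=True)
class ToolSpec:
    name: str
    kind: str              # "read" or "write"
    params: dict           # parameter name -> regex the value must fully match
    returns: tuple         # the only fields passed back to the model (minimum necessary)
    confirm: bool = False  # write tools that need a human in the loop

    def digest(self) -> str:
        """Content hash of the definition; the approved manifest pins this value."""
        body = json.dumps([self.name, self.kind, sorted(self.params.items()),
                           list(self.returns), self.confirm])
        return hashlib.sha256(body.encode()).hexdigest()


def get_next_appointment(patient_id):
    rec = PATIENTS.get(patient_id)
    # Returns the whole record; the gateway, not the model, decides what leaves.
    return None if rec is None else {"patient_id": patient_id, **rec}


def reschedule_appointment(patient_id, when):
    PATIENTS[patient_id]["next_appt"] = when
    return {"patient_id": patient_id, "next_appt": when}


# Hypothetical tool definitions: narrow, task-specific, no free-text search.
TOOLS = {
    "get_next_appointment": (
        ToolSpec("get_next_appointment", "read", {"patient_id": r"P-\d{4}"},
                 ("patient_id", "next_appt")),
        get_next_appointment),
    "reschedule_appointment": (
        ToolSpec("reschedule_appointment", "write",
                 {"patient_id": r"P-\d{4}", "when": r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}"},
                 ("patient_id", "next_appt"), confirm=True),
        reschedule_appointment),
}


def manifest(tools=TOOLS):
    """Snapshot of reviewed tool definitions; keep it under change control."""
    return {name: spec.digest() for name, (spec, _) in tools.items()}


class Gateway:
    def __init__(self, approved, writes_enabled=False, max_calls_per_minute=5):
        self.approved = approved              # name -> digest that was reviewed and approved
        self.writes_enabled = writes_enabled  # write tools stay off unless turned on
        self.max_calls = max_calls_per_minute
        self.window = {}                      # principal -> timestamps of recent calls
        self.audit = []                       # invocation log; may carry PHI, govern it

    def _check(self, principal, tool, args, confirmed, now):
        # Rate limit counts denied attempts too, so probing shows up in monitoring.
        recent = [t for t in self.window.get(principal, []) if now - t < 60]
        self.window[principal] = recent + [now]
        if len(recent) >= self.max_calls:
            raise PermissionError("rate limit exceeded")
        # Deny by default: only tools in the approved manifest may run.
        if tool not in TOOLS or tool not in self.approved:
            raise PermissionError("tool not enabled")
        spec, fn = TOOLS[tool]
        # Tool drift: a definition that changed since approval is denied.
        if spec.digest() != self.approved[tool]:
            raise PermissionError("tool definition changed; re-approval required")
        # Strict schema: exact parameter set, every value fully matches its pattern.
        if set(args) != set(spec.params):
            raise PermissionError("unexpected or missing parameters")
        for key, pattern in spec.params.items():
            if not isinstance(args[key], str) or not re.fullmatch(pattern, args[key]):
                raise PermissionError(f"invalid value for {key}")
        # Read/write separation plus human confirmation for writes.
        if spec.kind == "write" and not self.writes_enabled:
            raise PermissionError("write tools disabled for this workflow")
        if spec.confirm and not confirmed:
            raise PermissionError("human confirmation required")
        raw = fn(**args)
        # Minimum necessary: project the result to the declared fields only.
        return None if raw is None else {k: raw[k] for k in spec.returns}

    def invoke(self, principal, tool, args, confirmed=False, now=None):
        now = time.time() if now is None else now
        try:
            outcome = {"ok": True, "result": self._check(principal, tool, args, confirmed, now)}
        except PermissionError as exc:
            outcome = {"ok": False, "error": str(exc)}
        self.audit.append({"t": now, "who": principal, "tool": tool,
                           "args": args, "ok": outcome["ok"]})
        return outcome
```

Two design points worth noting. The projection happens in the gateway rather than in the tool, so a tool that returns a full record (including `ssn`) still only hands `patient_id` and `next_appt` back to the model; the field list is part of the reviewed definition, and changing it changes the digest. The `audit` list here is in-memory only to keep the example self-contained; in practice it contains PHI-bearing arguments and must be stored and retained under the same governance as the rest of the workflow.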
Customer Responsibilities for HIPAA Compliance
Keragon provides certain controls at the MCP layer. Customers must design and operate a HIPAA-compliant workflow end-to-end.
1. Execute BAAs when required (and choose HIPAA-appropriate AI plans)
If PHI is involved, customers must:
- Execute a BAA with Keragon before routing PHI through MCP.
- Ensure BAAs (or appropriate HIPAA-ready contractual terms) are in place with AI providers and any downstream vendors that create/receive/maintain/transmit PHI.
Reminder: AI providers often distinguish consumer vs. enterprise/HIPAA-ready offerings. Customers are responsible for selecting offerings and terms appropriate for PHI use cases.
2. Configure MCP tools to enforce “minimum necessary”
Customers are responsible for:
- Exposing only necessary tools and data fields
- Avoiding overly broad retrieval tools or unrestricted queries
- Designing tools to support role-based access and data minimization
3. Implement strong identity and access governance
Customers should:
- Authenticate users (SSO/MFA recommended)
- Restrict access by role (including who can configure tools, connect clients, and view logs)
- Deprovision access promptly when roles change or users leave
- Limit who can approve changes to tools/workflows
4. Add workflow safeguards for write/modify actions
Customers should:
- Require human confirmation for write/modify tools affecting production systems or patient records
- Maintain separation of duties (e.g., developers configure tools; clinical admins approve go-live scope)
- Log and review all write operations and investigate anomalies
5. Govern PHI in prompts, outputs, transcripts, and logs
Customers are responsible for:
- Preventing unnecessary PHI from being included in prompts/tool payloads
- Governing chat transcripts and audit logs as potentially PHI-bearing records
- Defining retention/deletion rules across all systems in the workflow (AI provider, Keragon logs, downstream systems)
6. Perform risk analysis and maintain HIPAA-required administrative safeguards
Customers must:
- Conduct and document a risk analysis for the AI/MCP workflow (including prompt injection, disclosure, and tool-permission risks)
- Maintain policies for AI and PHI usage
- Define incident response and escalation procedures
- Review and act on audit logs and security monitoring outputs
Shared Responsibility Summary
| Area | Keragon MCP | Customer |
|---|---|---|
| MCP service security (within Keragon boundary) | ✅ | |
| Credential storage/isolation (within Keragon boundary) | ✅ | Ensure secrets are not placed in prompts, outputs, or logs |
| Tool invocation logging (MCP layer) | ✅ | Govern access and retention; review and respond |
| Tool authorization mechanisms | ✅ | Define correct scope; least privilege; parameter constraints |
| PHI minimization (minimum necessary) | Supports via tool design | ✅ Required end-to-end |
| Workforce IAM (SSO/MFA/RBAC) | | ✅ |
| Prompt injection / excessive agency mitigations | | ✅ Design and operational controls |
| AI provider compliance, retention, and training policies | | ✅ Vendor due diligence and BAAs |
| Change control for tool definitions | | ✅ Review, test, and approve changes before expanding scope |
| Risk analysis & security management process | | ✅ Required |
| BAAs | Offers BAA (where applicable) | Must execute BAAs where required |
Suggested Compliance Statement
“Keragon MCP provides technical controls within the MCP service boundary—such as credential isolation, explicit tool authorization, and audit logging—to support customers building HIPAA-compliant workflows. If PHI is processed through Keragon MCP, Keragon will act as a Business Associate only under an executed BAA and within its scope. Customers are responsible for HIPAA compliance end-to-end, including minimum necessary access, identity and access management, safe tool design (including protections against prompt injection and excessive agency), governance of PHI in prompts/outputs/logs, vendor contracting (including BAAs where required), and ongoing risk analysis and oversight.”
Summary
- Keragon MCP provides infrastructure-layer safeguards for secure AI-to-healthcare integrations.
- HIPAA compliance is shared: Keragon secures the MCP layer; customers must govern PHI use, tool scope, user access, AI vendor compliance, and operational controls.
- LLM/MCP workflows introduce risks like prompt injection, sensitive information disclosure, and excessive agency—customers must implement mitigations as part of their risk analysis and governance.