HIPAA Compliance with Sonomos

The Health Insurance Portability and Accountability Act (HIPAA) requires covered entities and business associates to implement safeguards protecting Protected Health Information (PHI). The HIPAA Security Rule (45 CFR Part 160 and Subparts A and C of Part 164) specifies the technical safeguards required. Sonomos provides a technical control layer specifically for AI tool usage — one of the highest-risk and least-monitored channels for PHI disclosure today.

Prototype-aware planning

The browser extension is an early prototype. It’s a meaningful technical safeguard for the web-based AI workflows it covers (Claude.ai, Gemini, Grok via Cloak; everywhere else via Send Guard), but it does not see native desktop AI apps, IDE assistants, or local LLMs. If those are in scope for your environment today, plan complementary controls and watch for the Sonomos Desktop release.

The 18 HIPAA identifiers Sonomos detects

Sonomos detects all 18 HIPAA-defined identifiers, including:

• Names, dates (DOB, admission, discharge), phone and fax numbers
• Email addresses, Social Security numbers, medical record numbers
• Health plan beneficiary numbers, account numbers
• Certificate and license numbers, vehicle and device identifiers
• Web URLs, IP addresses, biometric identifiers
• Full-face photographs (via image detection / OCR)
• Any other unique identifying number or code

See the full breakdown in the Detector Reference.

How Sonomos fits a HIPAA compliance program

Caution

Sonomos is a technical safeguard, not a complete HIPAA compliance solution. It should be part of a broader compliance program that includes administrative and physical safeguards, staff training, sanction policies, and BAAs with service providers.

Sonomos supports HIPAA compliance by:

• Preventing impermissible PHI disclosure — Cloak masks PHI before it reaches AI platforms, addressing 45 CFR § 164.502(a) at the technical control level.
• Providing audit trails — compliance reports document detection and masking events (counts and metadata, never the PHI itself) for 45 CFR § 164.312(b).
• Operating locally — no PHI is transmitted to Sonomos servers, which simplifies the BAA picture: there is no PHI in transit to or at rest with Sonomos.
• Supporting workforce-wide policy enforcement — the Teams plan lets administrators enforce minimum Cloak and Send Guard settings across staff.

Recommended configuration for healthcare

1. Enable Cloak on every supported AI platform used by staff. Verify with the quickstart on each — claude.ai, gemini.google.com, grok.com.
2. Set Send Guard to “Banner + Modal” (default) — and on the Teams plan, pin this minimum so members can’t drop below it.
3. Configure compliance report delivery to your compliance officer. Use the scheduled delivery option so reports arrive on a predictable cadence.
4. Document the gap. Because the extension is browser-only, your policy should describe what other controls cover native AI desktop apps, IDE assistants, and local LLMs in the meantime — or restrict their use.
5. Train staff on placeholders. Cloak is a safety net; teaching clinicians to write prompts like “a 65-year-old patient presenting with…” instead of using real identifiers is the strongest control.

Mapping to HIPAA Security Rule safeguards

Safeguard	How Sonomos contributes
§ 164.308(a)(1) — Risk analysis	Compliance reports give visible evidence of AI-related PHI exposure risk
§ 164.308(a)(5) — Security awareness	The risk widget keeps PHI exposure visible during everyday work
§ 164.312(a)(1) — Access control	Teams policies enforce minimum Cloak / Send Guard settings
§ 164.312(b) — Audit controls	Compliance reports document detection and masking events
§ 164.312(e)(1) — Transmission security	Cloak prevents PHI from being transmitted to AI platforms in the first place

This mapping is a starting point, not a substitute for an organization-specific risk assessment.

What about BAAs?

Because Sonomos runs locally and does not receive PHI, our standard position is that a BAA is not required for the extension. We’re happy to walk through this with your compliance team — contact info@sonomos.ai.

For the Teams plan, our terms of service describe what metadata Sonomos receives (account info, billing, aggregate detection counts — never PHI text).

Coming in Sonomos Desktop

Specifically for healthcare environments, Sonomos Desktop adds:

• Native AI desktop client coverage (Claude Desktop, ChatGPT Desktop, Copilot) for clinicians who prefer those over the web.
• System-wide clipboard and screenshot scanning — a major gap on locked-down clinical workstations where copy-paste from the EHR into AI tools is hard to monitor.
• Air-gapped / fully offline mode for environments without external network access.
• Tamper-evident audit log for forensic-grade evidence of control operation.
• MDM-managed deployment via Jamf, Intune, or Workspace ONE.

See the Sonomos Desktop overview for the broader scope.

Next steps

Teams setup Roll Sonomos out across a clinical workforce with admin-enforced policies.

Compliance reports How to generate and route reports to your compliance officer.

Other compliance regimes GDPR, PCI-DSS, GLBA, CCPA/CPRA, and SOX — see the full list of compliance guides.

Sonomos for healthcare A clinician-focused quickstart that pairs with this guide.