PHI doesn't belong in prompts. The naive failure mode is a developer dropping a patient note into a "summarize this" call and shipping it to a third-party model. Two defenses prevent it. First, phiSniffer.ts runs regex pattern checks (SSN-shaped numbers, MRN tells, common chart-note structures) on every free-text input pre-persistence and rejects what trips. Second, withHipaaGuardrail() wraps every Claude call and prepends a stop-clause to the system prompt: "You will not process protected health information. If the user input contains PHI, refuse and ask for the redacted form."
The discipline is enforced socially as well: direct @anthropic-ai/sdk imports outside claude.ts are treated as bugs, and a contributor doc says so explicitly. The belt is the wrapper. The suspenders are the sniffer. Both run on every call.