A complete architectural guide for deploying retrieval-augmented generation in healthcare — without exposing PHI to third-party services. Built from real hospital deployments.
Retrieval-Augmented Generation (RAG) is an architecture that grounds AI responses in your proprietary documents rather than the model's training data. When a clinician asks "What was the last hemoglobin A1c for patient X?", the system retrieves the relevant lab results from your records and feeds them to the LLM as context. The LLM generates a response based on that retrieved data, not its pre-trained knowledge.
For healthcare, RAG is the difference between an AI that hallucinates clinical details and one that provides accurate, source-grounded answers. It enables clinical documentation assistance, prior authorization support, patient triage, care coordination, and medical research — all while keeping patient data within your controlled environment.
HIPAA's Privacy Rule (45 CFR Parts 160 and 164) governs the use and disclosure of Protected Health Information (PHI). When you send patient data to a cloud AI provider, that provider becomes a business associate under HIPAA, requiring a Business Associate Agreement (BAA). Even with a BAA, you're relying on their security controls, audit practices, and breach notification procedures.
On-premise RAG eliminates the business associate relationship entirely. The AI runs on your infrastructure. PHI never leaves your network. No BAA is needed because there is no third-party data processor. The HHS Office for Civil Rights (OCR) has issued specific guidance on AI/ML use with PHI — and on-premise deployment is the architecture that most directly satisfies their risk assessment requirements.
The core design principle for a HIPAA-compliant RAG pipeline is clear data boundaries. Every component in the architecture must be evaluated against a single question: does this component touch PHI, and if so, is it within our controlled environment?
| Component | PHI Exposure | Location | HIPAA Safeguard |
|---|---|---|---|
| EHR System | Full PHI | On-premise / HIPAA-compliant cloud | Existing BAA with EHR vendor; access controls |
| Document Ingestion Pipeline | Full PHI | On-premise (your infrastructure) | Network segmentation; encryption at rest |
| Vector Database | Embedded PHI (text chunks) | On-premise (your infrastructure) | Encryption at rest; access controls; audit logging |
| Embedding Model | Transient PHI (inference only) | On-premise (your infrastructure) | No data retention; memory encryption where available |
| LLM Inference Server | Transient PHI (prompt + context) | On-premise (your infrastructure) | No training on input data; no data retention |
| API Gateway | Queries and outputs | On-premise (your infrastructure) | TLS encryption; authentication; rate limiting |
| Audit Log System | Metadata (not full PHI) | On-premise (your infrastructure) | Append-only storage; tamper detection; 6-year retention |
Everything. The vector database, the embedding model, the LLM, the ingestion pipeline, the API gateway, and the audit logging system all run within your network boundary. The only external connections are for software updates (model weights, OS patches) — and even those should flow through a controlled proxy with egress filtering.
Clinical notes, lab results, imaging reports, medication histories, and discharge summaries are ingested into the vector database. Patient queries are processed through the RAG pipeline. AI-generated summaries are returned to clinicians. At no point does any PHI cross your network perimeter.
Define clear boundaries between PHI-bearing data and non-PHI data. For example, clinical guidelines and drug interaction databases may not contain PHI and could theoretically be processed externally — but in practice, the RAG pipeline blends them with patient-specific data during retrieval, so the entire pipeline should be treated as PHI-bearing.
The ingestion pipeline is where raw clinical documents become searchable knowledge. It must handle multiple document types, preserve clinical context, and maintain data integrity throughout the process.
Progress notes, consultation notes, and discharge summaries are the most common documents in healthcare RAG systems. They contain free-text clinical narratives that benefit most from AI summarization and retrieval. Key considerations: preserve the note author, date, and encounter ID as metadata; maintain section boundaries (History of Present Illness, Assessment, Plan) for better retrieval granularity.
Laboratory reports are structured data that require special handling. Tables with reference ranges, units, and flag indicators (H/L) must be preserved during text extraction. Chunking strategy for lab results should keep individual test panels together rather than splitting them across chunks.
Radiology, pathology, and cardiology reports combine structured findings with narrative interpretations. The impression/conclusion section is often the most clinically relevant — weight it higher during retrieval. DICOM metadata (patient ID, study date, modality) should be preserved as chunk metadata.
The embedding model converts clinical text into numerical vectors that capture semantic meaning. Model selection for healthcare requires balancing clinical accuracy, computational efficiency, and deployment simplicity.
| Model | Parameters | Dimension | Clinical Performance | Deployment |
|---|---|---|---|---|
| BGE-large-en-v1.5 | ~560M | 1024 | Strong general-purpose; good for clinical text | CPU or GPU; ONNX runtime |
| E5-large-v2 | ~560M | 1024 | Excellent retrieval quality; instruction-tuned | CPU or GPU; ONNX runtime |
| clinicalBERT embeddings | ~110M | 768 | Domain-specific; trained on clinical text | CPU; HuggingFace transformers |
| nvidia-nemotron-4b | ~4B | 4096 | State-of-the-art retrieval; higher compute cost | GPU required; vLLM or TGI |
For healthcare RAG, prioritize retrieval accuracy over embedding speed. Clinical queries are precision-sensitive — retrieving the wrong lab result or medication history has real consequences. Start with BGE-large or E5-large for general clinical text. If your use case involves highly specialized medical terminology (oncology, cardiology, radiology), consider fine-tuning an embedding model on your document corpus.
PHI-safe embedding means the embedding model runs on-premise and does not retain or transmit any input data. All models listed above are inference-only when deployed locally — they do not update their weights based on input documents.
The vector database stores embeddings and powers similarity search. For healthcare, the database must support access controls, audit logging, and data isolation between patients and departments.
Chroma is lightweight, Python-native, and easy to deploy. It runs as an in-process library or a local HTTP server. Best for single-department deployments or proof-of-concept systems. Limitations: no built-in RBAC, limited horizontal scaling.
Weaviate offers built-in RBAC, hybrid search (vector + BM25 keyword search), and multi-tenant data isolation. Its GraphQL API makes it easy to filter retrieved results by patient ID, document type, or date range — critical for ensuring clinicians only see authorized patient data.
Milvus scales to billions of vectors and supports distributed deployment. Best for health systems with large document corpora (millions of clinical notes) and high concurrent user counts. Requires more operational expertise to deploy and maintain.
Use HNSW (Hierarchical Navigable Small World) indexing for balanced recall and speed. Set ef_construction to 200–400 during indexing and ef_search to 100–200 during query time. For healthcare, prioritize recall over speed — missing a relevant clinical document is worse than a 100ms delay.
Implement row-level security or collection-level partitioning by department and patient. When a clinician queries the system, the retrieval should be scoped to patients within their care team or assigned caseload. This is not just a security best practice — it's a HIPAA minimum necessary requirement.
Generic RAG retrieval works for general knowledge bases. Healthcare requires strategies tuned to clinical reasoning patterns and safety requirements.
Clinical queries often reference patients indirectly ("the patient in room 302", "my post-op patient from Tuesday"). Implement query disambiguation that resolves patient references using the clinician's current context (active patients, recent encounters). This requires integration with the EHR's active session data — not patient records, just session metadata.
Clinical retrieval benefits from re-ranking. After initial vector similarity search, apply a cross-encoder re-ranking model to refine the top 20–50 results to the most relevant 5–10. This is especially important for queries that span multiple clinical domains (e.g., "What medications is the patient on that interact with their recent lab results?").
HIPAA Security Rule (45 CFR 164.312(b)) requires audit controls — hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic PHI. Your RAG pipeline must log every interaction.
| Requirement | Implementation | Retention |
|---|---|---|
| User authentication | Log user ID, timestamp, and authentication method for every session | 6 years minimum |
| Data access events | Log every query, including user ID, patient references, and timestamp | 6 years minimum |
| Retrieved documents | Log document IDs returned for each query (not full content) | 6 years minimum |
| System modifications | Log configuration changes, model updates, and document ingestion events | 6 years minimum |
| Failed access attempts | Log authentication failures, authorization denials, and rate limit triggers | 6 years minimum |
| Tamper detection | Use append-only storage with cryptographic hashing (e.g., hash chain or WORM storage) | 6 years minimum |
Use a dedicated audit logging service (e.g., ELK stack, Graylog, or a simple structured log file with rotation) separate from the RAG application. Audit logs should be written synchronously — if the log write fails, the query should fail rather than proceed without logging. This ensures no PHI access goes unrecorded.
Audit log reviews should be part of your regular HIPAA compliance program. Quarterly reviews of access patterns can identify unusual behavior (e.g., a user querying patients outside their department) before it becomes a breach.
Integrating your RAG pipeline with Epic, Cerner, or other EHR systems is where many healthcare AI projects fail. The goal is seamless clinical workflow integration without exposing PHI to third-party middleware or APIs.
Epic offers several integration pathways: Hyperspace (for UI embedding), Bridge (for data extraction), and TrueConnect (for messaging). For on-premise RAG, the recommended pattern is: (1) use Epic Bridge or File Interface to export clinical documents to a local directory, (2) run the ingestion pipeline on those files, (3) embed the RAG interface in Epic Hyperspace as a local web application. PHI never leaves the Epic environment or your RAG infrastructure.
Cerner's HealtheConnect and Code Engine provide integration points. Similar to Epic, use local data export (not cloud-based APIs) to feed the RAG pipeline. Cerner's Millennium interface tools can push documents to a local file share that the ingestion pipeline monitors.
Building a HIPAA-compliant RAG pipeline is a significant undertaking that requires expertise in AI architecture, healthcare IT, and compliance. Most health systems benefit from partnering with a consultant who has deployed these systems before — someone who understands Epic and Cerner integration, HIPAA audit requirements, and the clinical workflows that make or break AI adoption.
BPI has deployed on-premise RAG systems for healthcare organizations, including a regional hospital system that processed clinical notes in-house without exposing PHI to cloud AI vendors with no exposure of PHI to public AI services. Our Zero Data Touch model means we build on your infrastructure without ever receiving or storing your PHI. Learn more about our healthcare AI services or book a consultation to discuss your specific requirements.
HIPAA-compliant AI for clinical documentation, prior authorization, patient triage, and care coordination. On-premise. Zero PHI exposure.
Learn More →Complete architecture walkthrough — GPU selection, model deployment, RAG pipelines, and security hardening.
Read Guide →Browse our full library of technical guides — compliance checklists, vendor evaluation frameworks, and more.
View All Guides →Book a free 30-minute consultation. We'll discuss your clinical workflows, your EHR environment, and whether on-premise RAG is the right fit. No pressure. No pitch deck.
Book a Free ConsultationNo commitment. No sales pitch. Just a conversation. We respond within 24 hours.