TL;DR

AI agents are brilliant at retrieving data and terrible at knowing when to stop. HIPAA’s minimum necessary standard was built for humans who could exercise judgment at the point of access; agents, by design, overexpose PHI inside workflows long before traditional DLP or audits ever see it. Bonfy closes this gap by inserting real-time, policy-driven controls directly into AI workflows—so every retrieval, transformation, and output is constrained to the minimum PHI the task truly requires. The result: health systems can scale AI across documentation, billing, and prior auth with confidence that “minimum necessary” is not just a policy on paper, but a technical safeguard enforced at machine speed.

***************************************************

In his article, “HIPAA Has a Term for What AI Agents Do by Default. It’s Called Overexposure,” Gidi Cohen, CEO of Bonfy, surfaces a critical truth: AI agents are structurally misaligned with HIPAA’s minimum necessary standard. They are built to retrieve as much information as possible, as fast as possible—not to decide what is appropriate for a specific purpose, in a specific context.

That distinction matters. HIPAA’s minimum necessary requirement is not a suggestion; it is a foundational obligation that governs how protected health information (PHI) is used, disclosed, and requested across U.S. healthcare. It assumes that a human being, embedded in a workflow and aware of their role, will exercise judgment about how much PHI is truly needed. When AI agents enter those same workflows and start making retrieval decisions, that assumption breaks.

This blog takes Gidi’s argument as a starting point and focuses on what comes next: how Bonfy is designed to close the overexposure gap from inside the AI workflow, so health systems can scale automation without abandoning the minimum necessary standard that has underpinned HIPAA compliance for three decades.

The Structural Mismatch: Minimum Necessary vs. Maximum Retrieval

HIPAA’s minimum necessary standard was written for a world where humans hold the keys to PHI. A nurse, physician, or revenue cycle specialist implicitly answers three questions before viewing or using patient data:

  • What is the task I’m performing?
  • What is the purpose of this task?
  • What is the least amount of PHI I need to complete it?

AI agents, as Gidi points out, do none of this. They inherit broad, authorized access to systems like EHRs, billing platforms, and document repositories, then execute multi-step workflows optimized for completeness and efficiency. They are built to collect as much relevant data as they can find, not to reason about regulatory boundaries or ethical exposure.

The failure mode is subtle but serious. Most of the time, there is no unauthorized access in the traditional sense. Instead, an agent:

  • Pulls a far larger slice of a chart than needed to answer a prior authorization question.
  • Surfaces psychiatric or reproductive health history in an administrative summary where that detail is not appropriate.
  • Retrieves a longitudinal record for a coding question that only required a single encounter note.

In each case, the access is technically allowed, but the scope of what’s exposed exceeds what the minimum necessary standard permits. That is overexposure by design—not because anyone wrote malicious code, but because nobody built minimum necessary into the agent’s decision-making path.

Why Policies, Training, and Traditional DLP Fall Short

One of the most uncomfortable implications of Gidi’s piece is that traditional healthcare governance tools are poorly suited to this new failure mode.

Writing a policy that says “AI systems must follow the minimum necessary standard” does not make it true. Training users on HIPAA does not teach a model to apply human judgment. Periodic audit and log review are valuable, but they are always retrospective. By the time a team discovers that an agent has been overexposing PHI in its outputs, the violation has already happened—and potentially at scale.

Traditional data loss prevention (DLP) was never built to solve this problem either. Classic DLP focuses on data in transit or at rest, watching for sensitive information leaving the organization or being stored where it shouldn’t be. It rarely has deep visibility into the internal reasoning of an AI agent, the intermediate tool calls it makes, or the nuanced context of why certain PHI is being retrieved in the first place.

The net result is a dangerous blind spot: AI agents sit between systems, continuously pulling, transforming, and composing data, while most controls sit at the edges. Minimum necessary is being violated in the middle, inside the workflow, with very little direct oversight.

That is the gap Bonfy was built to close.

Bonfy’s Approach: Enforcing Minimum Necessary Inside the Workflow

Bonfy’s core belief is that if the risk is created inside the workflow, the control must live there too. Instead of treating AI as a black box and trying to clean up after the fact, Bonfy inserts a real-time control layer into the agent’s execution path.

At a high level, Bonfy does three things that directly address the overexposure problem Gidi describes:

  1. Understands content and context together
    Bonfy inspects the content being accessed or generated—identifying PHI, sensitive categories, and patient-specific details—while also understanding the surrounding context: the workflow type, the role of the user or agent, the system being accessed, and the declared purpose of the interaction. That pairing allows policies to express “minimum necessary” in operational terms. For example: “For prior authorization, only retrieve encounter notes and diagnostic information relevant to the requested service, and exclude psychotherapy notes.”
  2. Sits in the interaction layer, not just at the perimeter
    Bonfy integrates directly into the tools and agents that operate across clinical and administrative workflows. Instead of only scanning data at ingress or egress, Bonfy evaluates data while it is being accessed, combined, and used by the agent. Every retrieval, transformation, or output can be checked against policy before PHI is exposed to another system or user.
  3. Converts human judgment into machine-enforced rules
    HIPAA’s minimum necessary standard has historically been enforced through training and culture. Bonfy’s role is to capture that judgment as explicit policy and apply it consistently at machine speed. Based on those policies, Bonfy can allow, redact, mask, scope down, or block PHI in real time, effectively teaching the AI workflow to behave as if a trained human were supervising every access.

The result is a structural shift: instead of “maximum retrieval by default,” AI workflows start behaving as “minimum necessary by design.”
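To make the three points above concrete (and the prior authorization and coding use cases that follow), here is an added example of what a minimum-necessary gate at an agent’s retrieval tool boundary can look like. This is illustrative code written for this post, not Bonfy’s product code and not any EHR vendor’s API: the chart, the diagnosis codes, the purpose and role names, the policy table and the `enforce` function are all constructed assumptions. The gate takes a declared purpose and recipient role alongside the request, drops encounters that are unrelated to the requested service or outside an explicit encounter scope, withholds sensitive visit types unless that exact encounter was requested, masks identifiers for external recipients, and records every decision so the scoping is auditable.

```python
"""Added example: a minimum-necessary policy gate in front of an agent's retrieval tool.

Illustrative code for this post only; not Bonfy's implementation. The chart,
codes, purposes, roles and policy table below are constructed assumptions.
"""
import re
from dataclasses import dataclass, field

# Constructed sample chart (not real PHI). Each encounter has a visit type,
# diagnosis codes and a free-text note; two notes embed an identifier.
CHART = {
    "patient_id": "P-0001",
    "encounters": [
        {"id": "E1", "date": "2024-01-10", "type": "orthopedics", "dx": ["M17.11"],
         "note": "Right knee osteoarthritis, MRI ordered. MRN 12345."},
        {"id": "E2", "date": "2024-02-02", "type": "psychotherapy", "dx": ["F41.1"],
         "note": "Session notes: generalized anxiety, discussed family conflict."},
        {"id": "E3", "date": "2024-03-15", "type": "obgyn", "dx": ["Z30.9"],
         "note": "Contraception counseling."},
        {"id": "E4", "date": "2024-04-01", "type": "orthopedics", "dx": ["M17.11"],
         "note": "Failed conservative therapy; candidate for arthroplasty. MRN 12345."},
    ],
}

# Visit types treated as sensitive: dropped unless the request scopes to that
# exact encounter (the explicit request is the justification).
SENSITIVE_TYPES = {"psychotherapy", "obgyn"}
MRN_RE = re.compile(r"\bMRN\s*\d+\b")

# Policy is data keyed by declared purpose, so it can be reviewed and versioned
# like any other control. Hypothetical purposes and roles.
POLICY = {
    "prior_auth": {"needs_service_dx": True, "needs_encounter_scope": False,
                   "mask_identifiers_for": {"external_vendor"}},
    "coding": {"needs_service_dx": False, "needs_encounter_scope": True,
               "mask_identifiers_for": {"external_vendor"}},
}


@dataclass
class Request:
    purpose: str                                     # declared purpose of the task
    role: str                                        # who receives the output
    service_dx: set = field(default_factory=set)     # dx codes tied to the requested service
    encounter_ids: set = field(default_factory=set)  # explicit encounter scope, if any


@dataclass
class Decision:
    action: str = "allow"                            # allow | scope | block
    encounters: list = field(default_factory=list)
    audit: list = field(default_factory=list)


def _block(d: Decision, reason: str) -> Decision:
    d.action = "block"
    d.audit.append(f"block: {reason}")
    return d


def enforce(req: Request, chart: dict = CHART) -> Decision:
    """Gate one retrieval: block, scope down, or redact before data reaches the agent."""
    d = Decision()
    pol = POLICY.get(req.purpose)
    if pol is None:
        return _block(d, f"undeclared purpose {req.purpose!r}")
    if pol["needs_service_dx"] and not req.service_dx:
        return _block(d, "prior auth request carries no requested-service diagnosis")
    if pol["needs_encounter_scope"] and not req.encounter_ids:
        return _block(d, "coding question carries no encounter scope")

    for enc in chart["encounters"]:
        if req.encounter_ids and enc["id"] not in req.encounter_ids:
            d.audit.append(f"scope: drop {enc['id']} (outside requested encounters)")
            continue
        if pol["needs_service_dx"] and not (set(enc["dx"]) & req.service_dx):
            d.audit.append(f"scope: drop {enc['id']} (unrelated to requested service)")
            continue
        if enc["type"] in SENSITIVE_TYPES and enc["id"] not in req.encounter_ids:
            d.audit.append(f"scope: drop {enc['id']} (sensitive category {enc['type']})")
            continue
        out = dict(enc)  # copy so the source record is never rewritten
        if req.role in pol["mask_identifiers_for"]:
            out["note"] = MRN_RE.sub("[MRN REDACTED]", out["note"])
            d.audit.append(f"redact: identifiers in {enc['id']} for role {req.role}")
        d.encounters.append(out)

    if len(d.encounters) < len(chart["encounters"]):
        d.action = "scope"
    return d


if __name__ == "__main__":
    # Prior auth packet for a knee procedure, going to an external vendor.
    r = enforce(Request("prior_auth", "external_vendor", service_dx={"M17.11"}))
    print(r.action, [e["id"] for e in r.encounters])
    print(*r.audit, sep="\n")
```

Two design choices matter more than the specifics. First, the gate fails closed: a retrieval with no declared purpose, or a prior auth request that does not name the service being authorized, is blocked rather than answered with the whole chart. Second, the audit trail is produced at the moment of scoping, so the evidence that minimum necessary was applied exists before the output is generated, not only in a log review weeks later.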

How This Works in Real Healthcare Use Cases

Consider a few of the use cases Gidi calls out, and how they behave with Bonfy in the loop.

Clinical documentation and summarization

Without controls, an agent tasked with creating an administrative summary often over-collects: it pulls a large portion of the patient’s record and may include highly sensitive clinical details that are irrelevant to the administrative purpose.

With Bonfy embedded:

  • Retrieval is scoped based on policies that reflect the audience and purpose of the summary.
  • Sensitive PHI types can be excluded or tightly constrained unless clearly justified.
  • Any attempt to surface out-of-scope PHI can be redacted or blocked before it reaches the final output.

Coding, billing, and revenue cycle workflows

Agents helping coders or billers tend to favor completeness. But HIPAA doesn’t require “everything that might be helpful”; it requires the minimum necessary.

With Bonfy, policies can enforce that:

  • Only encounters within specific time frames or visit types are retrieved for coding questions.
  • Nonessential sensitive details are masked from internal communications or exported artifacts.
  • Different roles (e.g., internal billing vs. external vendor) see different levels of detail, automatically.

Prior authorization

Prior authorization is one of the clearest examples where minimum necessary and overexposure can collide. Payers need enough information to make a decision, but not an unfiltered chart.

In this workflow, Bonfy can:

  • Limit retrieval to diagnoses, procedures, and supporting notes directly related to the requested service.
  • Prevent unrelated historical details from being pulled into the packet or narrative generated by an agent.
  • Apply consistent rules across different prior auth agents and tools, so behavior stays predictable and auditable.

Across all of these use cases, the key idea is the same: Bonfy does not replace the agent; it governs the agent’s interaction with PHI so that the workflow stays inside HIPAA’s boundaries.

Turning Compliance Pressure into AI Confidence

Gidi’s article makes it clear that AI does not get a pass from HIPAA. The proposed updates to the Security Rule reinforce that AI systems handling PHI are subject to the same rigor as any other system in the healthcare environment.

For many organizations, that can feel like a brake on innovation. If every new AI-assisted workflow risks triggering a minimum necessary violation, the safe option is to move slowly—or not at all.

Bonfy’s mission is to offer a better path: give health systems a way to adopt AI at the speed they want, with the safeguards regulators expect and patients deserve. By embedding minimum necessary enforcement directly into AI workflows, Bonfy helps organizations:

  • Prevent overexposure before it happens, rather than documenting it after the fact.
  • Demonstrate that HIPAA obligations are enforced as technical safeguards, not just written policies.
  • Confidently expand AI use cases across clinical, administrative, and revenue cycle functions, knowing that PHI exposure is continuously monitored and constrained.

Gidi named the problem: AI agents overexpose by default. Bonfy’s role is to make sure your workflows don’t—so you can realize the benefits of AI without compromising the standard that has anchored healthcare privacy for thirty years.