DEV Community

Cover image for Building a HIPAA-Compliant Chatbot with AWS Lambda & Bedrock
LAVANYA LAHARI NANDIPATI
LAVANYA LAHARI NANDIPATI

Posted on

Building a HIPAA-Compliant Chatbot with AWS Lambda & Bedrock

#aws #software #hipaa #awsbedrock

As a software engineer working in healthcare, I’ve seen first-hand how patients want instant answers but compliance makes everything tricky. We can’t just throw PHI (Protected Health Information) into ChatGPT and call it a day.

So I decided to build a HIPAA-friendly chatbot using AWS Lambda (serverless backend) and Amazon Bedrock (LLM service) β€” with data masking to keep sensitive info safe.

πŸ“Œ This post walks you through:

  • Why chatbots in healthcare are challenging πŸš‘
  • How to design a compliant architecture πŸ”
  • Code snippets for AWS Lambda + Bedrock βš™οΈ
  • Tips for keeping PHI secure πŸ›‘οΈ

🚨 The Challenge: AI + Healthcare = Risk

  • Chatbots are great for FAQs, triage, and scheduling.
  • But if you send raw PHI (like names, MRNs, diagnoses) to an LLM… that’s a compliance nightmare.
  • HIPAA requires minimum necessary access and strict controls.

πŸ—οΈ Architecture at a Glance

Flow:

  1. Patient message β†’ API Gateway
  2. Lambda pre-processor β†’ scrubs PHI (names, DOB, SSNs)
  3. Bedrock LLM β†’ processes the masked query
  4. Lambda post-processor β†’ reinserts placeholders if needed
  5. Response β†’ returned to patient securely

Flowchart showing HIPAA-compliant chatbot architecture: Patient β†’ API Gateway β†’ Lambda β†’ Bedrock β†’ Lambda β†’ Patient

API Gateway β†’ Lambda (mask PHI) β†’ Bedrock β†’ Lambda (restore placeholders) β†’ Patient

βš™οΈ Step 1: Setting up AWS Lambda

A basic Python Lambda handler:

import boto3
import re

bedrock = boto3.client('bedrock-runtime')

def mask_phi(text):
    # toy example: replace dates + names
    text = re.sub(r'\d{2}/\d{2}/\d{4}', '[DATE]', text)
    text = re.sub(r'\b(Alice|Bob|John)\b', '[NAME]', text)
    return text

def lambda_handler(event, context):
    user_input = event['queryStringParameters']['q']
    masked_input = mask_phi(user_input)

    response = bedrock.invoke_model(
        modelId="anthropic.claude-v2",
        contentType="application/json",
        accept="application/json",
        body=f'{{"prompt":"{masked_input}"}}'
    )

    return {
        "statusCode": 200,
        "body": response['body'].read().decode('utf-8')
    }
Enter fullscreen mode Exit fullscreen mode

πŸ€– Step 2: Talking to Bedrock Safely

  • Always send masked input only.
  • Example:

Input:

John Smith has a fever since 09/21/2025. Should he see a doctor?
Enter fullscreen mode Exit fullscreen mode

Masked:

[NAME] has a fever since [DATE]. Should they see a doctor?
Enter fullscreen mode Exit fullscreen mode

πŸ” Step 3: Post-Processing

If you need to restore placeholders (like Hello [NAME]), you can map them back safely from session state.

βœ… Why This Matters

  • Patients get instant responses
  • Engineers stay HIPAA-compliant
  • Serverless (Lambda) keeps costs low
  • Bedrock provides enterprise-grade LLMs without exposing PHI

πŸš€ Next Steps

  • Add DynamoDB to store chat history (encrypted)
  • Plug in Cognito for authentication
  • Expand PHI scrubbing with Amazon Comprehend Medical

πŸ™Œ Closing Thoughts

As engineers, we often think "just ship the feature" β€” but in healthcare, privacy is the feature.

This project taught me that it’s possible to marry AI innovation with compliance if we design carefully.

πŸ‘‰ πŸ‘‰ Repo link: GitHub – hipaa-chatbot-bedrock

Top comments (0)