Eight layers of protection sit between your sensitive data and the AI model. Here's what changes — and what doesn't — when Tenet is running.
Tenet secures the MCP/Claude Code data path — prompts, tool calls, file operations, and shell commands.
What Tenet covers →
Every message, file, and command — intercepted before Claude sees it.
You paste patient intake notes into Claude. Claude reads them, processes them, generates a response. No filter, no gate, no scan.
Claude writes to a file? No check. Runs a shell command with credentials? No interception. Reads a medical record? No audit.
Every data path is wide open.
Four hooks intercept every interaction at every data path. Your prompts are scanned before Claude sees them. Writes, edits, and shell commands are checked before execution. File reads and web fetches are monitored on output.
Nothing passes through unchecked.
| Hook | When it fires | What it scans |
|---|---|---|
| Session Start | New session opens | Auto-starts server, injects policy context |
| User Prompt | You type a message | Full prompt text before Claude sees it |
| Pre-Tool Use | Claude writes / edits / executes | File contents, code, shell commands |
| Post-Tool Use | Claude reads files or fetches data | Tool output (detect & advise) |
Four hooks cover every data ingress and egress path — prompts, writes, edits, shell commands, and file reads.
Three-stage pipeline. 17+ entity types. All local. All under 20ms.
All five identifiers pass through to the model undetected.
All five caught and redacted. Three detection methods, all running on your machine.
Claude works with sanitized data. You see the original.
Full PHI in the model context window. Name, exact date, SSN, full ZIP.
HIPAA Safe Harbor compliant. Dates → year only. ZIP → first 3 digits. Everything else → opaque placeholder.
Opaque placeholders: [SSN_1], [EMAIL_2], [NAME_3]
HIPAA §164.514(b)(2)(i): ZIP → 3 digits, dates → year only, ages >89 → ≥90
Claude sees placeholders. You see real names. The switch is invisible & secure.
Redaction only works if you can still read the output. Tenet replaces placeholders with originals on the way back — so your workflow is unbroken, and Claude never saw the real data.
That's what lands in your document. The original is gone.
Claude saw a placeholder. You see the real name.
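The redact-then-restore round trip described above, as an added Python sketch (not Tenet's code). The regex detectors, the in-memory `vault` dict, the `90+` age label and the `RESTRICTED_ZIP3` set are assumptions made for illustration; the set stands in for the Census-derived list of 3-digit ZIP prefixes covering 20,000 or fewer people, which Safe Harbor requires to be replaced with 000.

```python
import re

# Constructed stand-in for the low-population ZIP3 list (must become 000).
RESTRICTED_ZIP3 = {"036", "059"}

# Identifiers replaced by opaque, reversible placeholders (illustrative regexes).
OPAQUE = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
}

def _zip(m):
    return m.group(1) + ("000" if m.group(2) in RESTRICTED_ZIP3 else m.group(2))

def _age(m):  # ages over 89 are aggregated into a single "90 or older" bucket
    return m.group(1) + ("90+" if int(m.group(2)) > 89 else m.group(2))

# Lossy Safe Harbor generalizations: these are never restored.
GENERALIZE = [
    (re.compile(r"\b(\d{4})-\d{2}-\d{2}\b"), lambda m: m.group(1)),  # date -> year
    (re.compile(r"(ZIP )(\d{3})\d{2}\b"), _zip),                     # ZIP -> 3 digits
    (re.compile(r"(age )(\d{1,3})\b"), _age),
]

def redact(text):
    """Return (sanitized text, vault mapping placeholder -> original value)."""
    vault, seen = {}, {}
    def opaque(kind):
        def sub(m):
            key = (kind, m.group(0))
            if key not in seen:  # same value always maps to the same placeholder
                seen[key] = f"[{kind}_{len(seen) + 1}]"
                vault[seen[key]] = m.group(0)
            return seen[key]
        return sub
    for kind, rx in OPAQUE.items():
        text = rx.sub(opaque(kind), text)
    for rx, fn in GENERALIZE:
        text = rx.sub(fn, text)
    return text, vault

def rehydrate(text, vault):
    """Swap known placeholders back; unknown ones are left untouched."""
    return re.sub(r"\[[A-Z]+_\d+\]", lambda m: vault.get(m.group(0), m.group(0)), text)

# Constructed sample input, not real patient data.
SAMPLE = ("Pt seen 2024-03-17, age 93, ZIP 03602, SSN 123-45-6789, "
          "contact jo@example.org. Follow-up: SSN 123-45-6789.")

if __name__ == "__main__":
    clean, vault = redact(SAMPLE)
    print(clean)
    print(rehydrate("Mail results to [EMAIL_2]; verify [SSN_1].", vault))
```

Only the opaque placeholders are reversible; the year-only date, truncated ZIP and bucketed age stay generalized in the restored output because the vault never stores them.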
Encrypted locally. Decrypted on output. Never transmitted.
AES-256-GCM encryption at rest. Keys derived from macOS Keychain. Session-scoped tokens, auto-expire after 1 hour. Originals never leave your device.
Every detection, every decision, timestamped. The actual PHI is never logged.
Claude accessed appointment history for 14 patients across 3 sessions. Read an underwriting file with adverse health history. Drafted a referral letter with a full medical record number.
No record of any of it. Your compliance team can't reconstruct what happened. Neither can you.
Every event logged. Entity type, which hook fired, what action was taken, when. PHI values excluded by design.
Entity type, confidence score, which hook fired, what action was taken, timestamp, session ID
The actual sensitive data — PHI is excluded from audit entries, enforced at the code level
Every detection timestamped. Entity type, hook, action. PHI values never logged — enforced at the code level.
You're always in control. Tenet asks before acting on anything sensitive.
You decide. Tenet remembers your choice for identical situations — no repeated prompts.
| Mode | Behavior | Best for |
|---|---|---|
| Auto | Redact and proceed (or block, based on policy) | Day-to-day workflow |
| HITL | Pause and ask: "PII detected. Use redacted version?" | High-stakes operations |
| Block | Stop the operation entirely | Maximum safety |
Three modes: Auto, HITL, Block. Decision memory means no repeated prompts for identical situations.
One command to activate HIPAA mode. Pre-configured for healthcare, finance, and security.
Same settings for a doctor, a broker, and a sysadmin. No way to say "this is healthcare data" or "this is a financial context." The tool doesn't know what compliance regime you're operating under.
One-size-fits-all. No compliance awareness.
Automatic prompt classification routes detected entity types to the right policy.
| Profile | Use case | Key settings |
|---|---|---|
| HIPAA Safe Harbor | Healthcare | 15 entity types, Safe Harbor transforms, fail-closed |
| HIPAA Minimum Necessary | Narrow healthcare | 8 entity types, stricter threshold (0.80) |
| Financial | Banking / insurance | Credit cards, account numbers, tax IDs |
| Security | InfoSec | Passwords, usernames, IP addresses |
Looking for organization-wide policy enforcement? Deploy standardized tenets across your team from a central configuration. Audit aggregation, WORM-compliant log retention, and BAA support available.
Talk to us about enterprise controls →
One command activates HIPAA, Financial, or Security mode. Extensible via custom JSON tenets.
Nothing leaves your machine. Period.
Your data leaves your machine to be scanned. The detection service sees your PHI.
Loopback only. Not accessible from the network. No external API dependencies.
~300MB model runs on your CPU via ONNX Runtime — no GPU required, loopback-only, no data leaves your machine.
Evaluating Tenet for your organization?
For security, compliance, and engineering reviewers: Technical Architecture →
+ Clinical NER — diagnoses, treatments, and lab tests detected to auto-activate HIPAA mode
+ Multilingual — PHI detection works across the languages your patients speak
Validated on 2,710 annotated samples · synthetic data · real-world performance may vary
Healthcare providers, insurers, and financial institutions deploy Tenet with a BAA, organization-wide policies, and dedicated compliance support.
Let's talk about Enterprise controls →
Tenet is available as a research preview for macOS. Download, install, and connect to Claude Cowork in under five minutes.
Download for Mac (.dmg)