Minimum necessary and data minimization

A core HIPAA and good-engineering principle: send and store the least data needed.

For RAG that means:

- Retrieve narrowly — don't dump the whole report into the prompt
- Strip identifiers from any snippet that must leave the device
- Prefer summaries over raw records when they suffice
- Never log payloads containing PHI

Data minimization also shrinks your breach blast radius and your compliance scope.
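
The retrieval, identifier-stripping and logging rules above, sketched as an added Python example (not code from the original page). The keyword-overlap ranking stands in for a real retriever, and the regex patterns, the sample report and the `known_identifiers` parameter are assumptions made for illustration.

```python
import logging
import re

log = logging.getLogger("rag.minimize")

# Constructed patterns for a few direct identifiers; a real deployment needs a
# vetted de-identification step that covers its own record formats.
PATTERNS = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "MRN": re.compile(r"\bMRN[:#]?\s*\d{6,10}\b", re.I),
    "PHONE": re.compile(r"\b\d{3}[-. ]\d{3}[-. ]\d{4}\b"),
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "DATE": re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"),
}

# Constructed sample report, already split into chunks.
REPORT = [
    "Patient: Jane Roe, MRN: 00482913, DOB 04/12/1961, phone 555-010-4477.",
    "Chest CT 03/02/2024: 6 mm nodule in the right upper lobe, unchanged.",
    "Medications: lisinopril 10 mg daily. Contact jane.roe@example.com for refills.",
    "Impression: stable nodule; Jane Roe to repeat CT in 12 months.",
]

def retrieve(query, chunks, top_k=2):
    """Retrieve narrowly: keep only the top_k chunks that share query terms."""
    terms = set(re.findall(r"[a-z]+", query.lower()))
    scored = [(len(terms & set(re.findall(r"[a-z]+", c.lower()))), c) for c in chunks]
    ranked = sorted((sc for sc in scored if sc[0] > 0), key=lambda sc: -sc[0])
    return [c for _, c in ranked[:top_k]]

def redact(text, known_identifiers=()):
    """Strip identifiers: values known from the record header, then patterns."""
    for value in known_identifiers:
        text = re.sub(re.escape(value), "[ID]", text, flags=re.I)
    for label, pattern in PATTERNS.items():
        text = pattern.sub(f"[{label}]", text)
    return text

def build_context(query, chunks, known_identifiers=(), top_k=2):
    """Build the only text that is allowed to leave the device."""
    snippets = [redact(c, known_identifiers) for c in retrieve(query, chunks, top_k)]
    # Log counts and sizes only, never the query or the snippet text.
    log.info("context built: %d of %d chunks, %d chars",
             len(snippets), len(chunks), sum(map(len, snippets)))
    return "\n".join(snippets)
```

Pattern matching alone misses free-text identifiers such as names, which is why the sketch also takes the values the application already knows from the structured record.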