top of page
Search

Remaining Compliant: HIPAA + AI

  • Aug 6, 2025
  • 3 min read

Artificial Intelligence (AI) is revolutionizing healthcare by improving diagnostics, enhancing patient experiences, and streamlining operations. But as AI tools become more embedded in clinical and administrative workflows, healthcare organizations must ensure they remain fully compliant with the Health Insurance Portability and Accountability Act (HIPAA). This article offers a practical guide to aligning AI adoption with HIPAA’s Privacy, Security, and Breach Notification Rules.


Why HIPAA Still Matters in the Age of AI

HIPAA hasn’t changed just because AI has arrived. Whether it’s a predictive analytics tool, a generative AI scribe, or a patient-facing chatbot, HIPAA compliance requirements still apply if protected health information (PHI) is involved.

Organizations must treat AI systems as extensions of their health IT infrastructure—subject to the same expectations around patient privacy, secure data handling, and breach notification.


HIPAA Compliance Considerations by AI Use Case

1. Clinical Decision Support and Predictive Analytics

AI tools used for treatment or healthcare operations must:

  • Access only the minimum necessary PHI

  • Use de-identified data when possible for training

  • Prevent discriminatory outcomes, even beyond HIPAA requirements

2. Patient-Facing Chatbots

If a chatbot collects symptoms, demographics, or appointment details, it’s handling PHI. Ensure:

  • All exchanges are encrypted

  • The vendor signs a Business Associate Agreement (BAA)

  • Chat logs are protected by access controls

  • Chatbots are built for healthcare—not general-purpose platforms

3. Generative AI (e.g., Documentation Assistants)

Avoid inputting PHI into public models like ChatGPT (unless they sign BAAs, which they typically don’t). Instead:

  • Use HIPAA-compliant generative AI solutions

  • Train on de-identified data

  • Filter outputs to prevent accidental PHI exposure

  • Operate models in secure environments (e.g., dedicated cloud tenancy)


HIPAA Rules That Still Apply

Privacy Rule

  • AI can only use PHI for permitted purposes (treatment, payment, operations)

  • “Minimum necessary” still applies—avoid feeding full records unnecessarily

  • De-identify data when possible using Safe Harbor or Expert Determination

Security Rule

  • Encrypt PHI at rest and in transit

  • Limit access with role-based controls

  • Log and monitor all data access by AI

  • Conduct AI-specific risk assessments before deployment

Breach Notification Rule

  • Prepare for AI-related breaches (e.g., chatbot misfires)

  • Encrypt PHI to reduce breach notification obligations

  • Ensure vendors notify you promptly if their systems are compromised

  • Include AI in your incident response plans


Strategies for HIPAA-Compliant AI Adoption

  1. Use De-identified or Synthetic Data

    • Strip identifiers from training data

    • Consider limited data sets or data use agreements where needed

    • Add filters to detect PHI in outputs

  2. Vet Your Vendors

    • Require BAAs before sharing PHI

    • Review security certifications (e.g., HITRUST, NIST)

    • Include AI-specific terms (e.g., no reuse of PHI for training)

    • Audit regularly

  3. Conduct Risk Assessments

    • Document risks during model training, inference, and output

    • Assess re-identification risks when combining datasets

    • Retain documentation for 6+ years, per HIPAA rules

  4. Update Incident Response Plans

    • Define what AI incidents look like

    • Train staff on how to spot and report them

    • Assign vendor contacts and response duties in your plan


Common Mistakes to Avoid

Mistake

Why It’s Risky

How to Fix It

Using public AI models with PHI

Most don’t sign BAAs or encrypt input

Only use HIPAA-compliant AI services

Assuming AI gets a compliance exemption

AI must follow the same rules as humans

Apply HIPAA controls at every stage

Failing to de-identify data

You may be exposing PHI unnecessarily

Use Safe Harbor or Expert Determination

Missing BAA with AI vendors

Leaves you legally exposed

Never share PHI without a signed BAA

Not logging AI activity

Makes it harder to detect or prove misuse

Enable auditing and access logs

Skipping staff training

Increases risk of accidental PHI use

Train on approved tools and safe practices


AI in healthcare offers immense promise—but only if it’s implemented safely and legally. HIPAA compliance must remain front and center. By embedding privacy and security from the beginning, and holding AI vendors to the same standard, healthcare organizations can confidently use AI to improve outcomes while protecting patient trust.


Sources:

  • U.S. Department of Health & Human Services. Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. http://HHS.gov , 2003.

  • U.S. Department of Health & Human Services. HIPAA Security Rule. http://HHS.gov , 2003.

  • U.S. Department of Health & Human Services. HIPAA Breach Notification Rule. http://HHS.gov , 2009.

  • "Guidance Regarding Methods for De-identification of Protected Health Information." http://HHS.gov , Nov. 2012.

  • "Cloud Computing and HIPAA." HHS Office for Civil Rights, http://HHS.gov , 2022.

  • Office for Civil Rights (OCR). "Business Associate Contracts." http://HHS.gov , 2013.

  • "Artificial Intelligence (AI) in Healthcare: Regulatory Compliance and Considerations." American Health Law Association, http://AHLA.org , 2022.

  • "Compliance Assistance and Enforcement." U.S. Department of Health & Human Services, http://HHS.gov , 2022.

  • "Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients." http://HHS.gov , 2018.

  • National Institute of Standards and Technology. "NIST Cybersecurity Framework." http://NIST.gov , 2018.

bottom of page