AI Trust Framework

HIPAA AI compliance considerations.

AI in healthcare touches HIPAA at every step: PHI in training data, PHI in inference requests, PHI in AI output, audit logging of AI decisions, and business associate agreements with AI vendors. This page walks through the HIPAA considerations every healthcare AI buyer needs to understand before signing any AI contract.

PHI in training data

AI models trained on PHI require HIPAA-compliant data handling at every step: storage, access controls, audit logging, and breach notification protocols. Buyers should ask vendors whether their training data includes PHI from their organization or comparable organizations, and what de-identification or contractual protections apply. "De-identified" should mean de-identified under 45 CFR 164.514 (Safe Harbor removal of the 18 identifiers, or Expert Determination), not simply "we stripped the names"; anything short of that standard is still PHI and still needs a BAA.

PHI in inference requests

Every AI inference request (every eligibility check, every coded encounter, every denial prediction) transmits PHI to the AI system. That PHI must be encrypted in transit, and encrypted at rest wherever the vendor retains it: prompt logs, caches, evaluation sets, and fine-tuning queues all count. The vendor must execute a BAA before the first request is sent. Audit logging of every inference is essential for post-incident investigation, and the buyer should confirm how long the vendor keeps request and response content, since every retained copy is another PHI store to protect.

PHI in AI output and downstream use

AI outputs (drafted appeals, suspect HCC lists, predicted denials) contain PHI and must be handled with the same protections as primary records. Downstream systems receiving AI output (your EHR, your AR system, your reporting tools) inherit the PHI handling responsibility.

Business associate agreements with AI vendors

Every AI vendor processing PHI must have an executed BAA before any PHI flows. The BAA should specifically cover AI training data use (typically permitted only for the covered entity's benefit, never for improving the vendor's general-purpose models), audit logging requirements, breach notification timelines, and subcontractor flow-down obligations to the AI vendor's cloud infrastructure and model providers. Under the HIPAA Omnibus Rule the vendor's subcontractors are business associates in their own right, so ask for the list of subcontractors that will see PHI and confirm each has its own BAA in place.

Audit logging requirements

Every AI decision affecting a patient or claim must be logged with: timestamp, requesting user or system identity, model version, input data snapshot (or a hash, for storage efficiency), output, confidence score, and any downstream action triggered. If a hash stands in for the input, use a keyed hash (HMAC) or a salted hash rather than a bare SHA-256: small, structured PHI inputs (an MRN plus a date of service and a handful of codes) can be brute-forced from a plain digest by anyone who can read the log. The log itself contains PHI (the output, at minimum) and needs the same access controls as the primary record. Logs should be retained for at least the HIPAA 6-year documentation minimum (45 CFR 164.316(b)(2)), longer for clients with HITRUST or state-law requirements.
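The record structure above, as an added example (not the vendor's or any product's own code): each decision is logged with the fields listed, the input is referenced by an HMAC rather than copied, and entries are hash-chained so later edits to the log are detectable. The HMAC key, model names, and encounter records below are placeholders constructed for the demo; in practice the key would come from the covered entity's KMS and never sit in source.

```python
"""Tamper-evident audit log for AI decisions that touch PHI.

Added example, not the page's own code. Assumptions:
- FINGERPRINT_KEY is a placeholder; real deployments fetch it from a KMS.
- The encounter records used in build_sample_log() are constructed, not real PHI.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone

FINGERPRINT_KEY = b"placeholder-key-rotate-via-kms"  # assumption: never hard-code in production


def canonical(obj) -> bytes:
    """Deterministic JSON encoding so identical inputs always hash identically."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=True).encode()


def input_fingerprint(input_record: dict, key: bytes = FINGERPRINT_KEY) -> str:
    """Keyed hash of the inference input.

    A plain SHA-256 of a small PHI record (MRN + date of service + codes) can be
    brute-forced by anyone who can read the log. An HMAC under a key that log
    readers do not hold cannot, yet the covered entity can still recompute it
    from the primary record to confirm which input produced a decision.
    """
    return hmac.new(key, canonical(input_record), hashlib.sha256).hexdigest()


class DecisionAuditLog:
    GENESIS = "0" * 64  # prev_hash for the first entry

    def __init__(self):
        self.entries = []

    def record(self, *, model_version, requester, input_record, output, confidence,
               downstream_action, timestamp=None, key=FINGERPRINT_KEY):
        """Append one decision. The output is stored verbatim, so this log is itself a PHI store."""
        entry = {
            "seq": len(self.entries),
            "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),
            "requester": requester,
            "model_version": model_version,
            "input_fingerprint": input_fingerprint(input_record, key),
            "output": output,
            "confidence": confidence,
            "downstream_action": downstream_action,
            "prev_hash": self.entries[-1]["entry_hash"] if self.entries else self.GENESIS,
        }
        entry["entry_hash"] = hashlib.sha256(canonical(entry)).hexdigest()
        self.entries.append(entry)
        return entry

    def verify_chain(self) -> bool:
        """Recompute every entry hash and link; any edit, deletion or reorder breaks the chain."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["seq"] != i or e["prev_hash"] != prev:
                return False
            if hashlib.sha256(canonical(body)).hexdigest() != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True

    def find_by_input(self, input_record: dict, key: bytes = FINGERPRINT_KEY):
        """Incident-response lookup: which decisions were made on this primary record?"""
        fp = input_fingerprint(input_record, key)
        return [e for e in self.entries if e["input_fingerprint"] == fp]


def retention_deadline(timestamp_iso: str, years: int = 6) -> str:
    """Earliest date the entry may be purged (6 years per 45 CFR 164.316(b)(2); pass more where required)."""
    ts = datetime.fromisoformat(timestamp_iso)
    try:
        return ts.replace(year=ts.year + years).isoformat()
    except ValueError:  # Feb 29 in a non-leap target year
        return ts.replace(year=ts.year + years, day=28).isoformat()


def build_sample_log():
    """Constructed encounters and decisions for the demo; returns (log, encounter)."""
    log = DecisionAuditLog()
    encounter = {"mrn": "000123", "dos": "2024-03-04", "cpt": ["99214"], "dx": ["E11.9"]}
    log.record(model_version="denial-predictor-2.3.1", requester="svc:claims-scrubber",
               input_record=encounter,
               output={"denial_risk": "high", "reason": "missing prior auth"},
               confidence=0.87, downstream_action="hold_claim_for_review",
               timestamp="2024-03-05T14:02:11+00:00")
    log.record(model_version="appeal-drafter-1.8.0", requester="user:jdoe",
               input_record=encounter,
               output={"appeal_text": "Prior authorization #PA-77 was on file..."},
               confidence=0.71, downstream_action="queued_for_human_signoff",
               timestamp="2024-03-06T09:15:40+00:00")
    return log, encounter


if __name__ == "__main__":
    log, encounter = build_sample_log()
    print("chain ok:", log.verify_chain(), "decisions on record:", len(log.find_by_input(encounter)))
```

Because the input is referenced by HMAC, the log discloses nothing about the encounter to a reader without the key, but an investigator holding both the key and the EHR record can prove which decisions were made on it. Chaining makes silent edits detectable; it does not stop an administrator from truncating the tail, so the head of the chain should be periodically anchored somewhere the log writer cannot reach (a separate WORM bucket or a signed checkpoint).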

Special considerations for generative and agentic AI

Generative and agentic AI introduce new HIPAA considerations because the AI is producing new content (appeals, summaries, recommendations) and taking actions. Every generated artifact requires the same PHI protections. Every action requires the same audit trail, and the credentials an agent uses to act (write to the EHR, submit to a clearinghouse, message a patient) should be scoped to exactly those actions so a prompt-injected or malfunctioning agent cannot reach further. Critical actions should require human signoff before transmission to payers or patients.

Want this framework applied to your shop?

Send us your current AI vendor shortlist, your top three operating priorities, and your compliance posture (HIPAA, SOC 2, HITRUST). We will produce a written framework application tailored to your context.
