What HIPAA actually requires
HIPAA applies to "covered entities" (providers, health plans, clearinghouses) and "business associates" (vendors processing PHI on behalf of covered entities). When a healthcare practice uses an AI tool that touches PHI, that tool's vendor is a business associate and must sign a BAA. The BAA contractually binds the vendor to HIPAA's Privacy Rule, Security Rule, and Breach Notification Rule. Anthropic, OpenAI, and Google all offer BAAs on enterprise tiers; consumer-tier accounts typically do not qualify.
HIPAA Security Rule technical safeguards
- Access control — unique user IDs, automatic logoff, encryption.
- Audit controls — logs of who accessed what PHI when.
- Integrity controls — protection against improper alteration.
- Person authentication — verify users are who they claim.
- Transmission security — encryption in transit, HTTPS, TLS 1.2+.
The 2026 HIPAA Security Rule NPRM
HHS Office for Civil Rights published a Notice of Proposed Rulemaking in December 2024 updating the HIPAA Security Rule for the first time in 20 years. The proposed compliance deadline is around May 2026. Key changes: encryption becomes mandatory (previously an addressable specification), an explicit MFA requirement, a written incident response plan, an asset inventory, and a list of technology controls. Any AI vendor handling PHI needs to align with this update.
Vendor checklist for HIPAA-compliant AI
- Will the vendor sign a BAA? (Required.)
- Is data encrypted at rest and in transit?
- Is PHI used to train the underlying model? (Should be no.)
- What is the data retention policy?
- Where is data hosted? US-only is usually expected.
- What audit logs does the vendor provide?
- What is the breach notification SLA?
- Has the vendor completed SOC 2 Type 2 or HITRUST certification?
What it means for your business
For any healthcare SMB — dental, optometry, allied health, mental health, vet — running AI without a BAA is a citation waiting to happen. Get the BAA first, configure the AI second.