HIPAA and AI: What Every Practice Owner Needs to Know Before Adopting AI Software
HIPAA-compliant AI requires four things from any vendor: a signed Business Associate Agreement, PHI stored in HIPAA-eligible infrastructure, a written commitment that patient data is not used to train AI models, and a complete audit trail of every PHI access. Most consumer AI tools fail at least one of these criteria — and that failure constitutes an impermissible PHI disclosure.
Why HIPAA questions stop AI adoption cold
In physician surveys, HIPAA compliance is consistently the first concern raised when practices consider adopting AI tools. The concern is not irrational — AI products for consumers have proliferated faster than healthcare-specific guardrails, and the gap between "marketed as AI for medicine" and "actually HIPAA-compliant" is wider than most vendors acknowledge.
The core issue is that HIPAA imposes specific technical and contractual obligations on every entity that touches protected health information (PHI) on a practice's behalf. AI tools that process clinical notes, patient demographics, diagnosis codes, or any other individually identifiable health information are business associates under HIPAA's regulatory definition — and must be treated accordingly. Many AI vendors do not meet this standard, and some are explicit that their consumer-tier services do not provide HIPAA coverage.
The HHS Office for Civil Rights (OCR) has identified AI-related PHI disclosures as an emerging enforcement focus. Practices that adopted AI tools without verifying their HIPAA compliance posture before the first patient note was processed face retroactive exposure. The goal of this post is to give you the framework to evaluate any AI vendor before any PHI is shared with them.
What HIPAA actually requires for AI software
HIPAA's Privacy Rule (45 CFR Part 164, Subpart E) and Security Rule (45 CFR Part 164, Subpart C) establish the obligations that apply when PHI is shared with a business associate. Three provisions are most directly relevant to AI software:
Minimum necessary standard (§ 164.502(b))
PHI disclosed to a business associate must be limited to the minimum necessary to perform the contracted function. An AI scribe that receives the full EHR record to generate a progress note may be receiving more PHI than the minimum necessary — the standard requires that access be scoped appropriately.
Business Associate Agreement requirement (§ 164.308(b))
A covered entity must obtain satisfactory assurances — in the form of a written BAA — from any business associate before sharing PHI. The BAA must specify permitted uses, require appropriate safeguards, obligate breach reporting within 60 days of discovery, and require that PHI be returned or destroyed at contract termination.
Audit controls (§ 164.312(b))
The Security Rule requires covered entities to implement hardware, software, and procedural mechanisms that record and examine activity in systems containing PHI. For AI systems, this means every query, every document access, and every output generation involving PHI must be logged with timestamp, user identity, and action taken.
The 4 questions to ask any AI vendor before sharing PHI
Every AI vendor serving healthcare should be able to answer these four questions in writing. An evasive or incomplete answer to any of them is a disqualifying finding.
Will you sign a Business Associate Agreement?
A BAA is not optional if PHI will be processed. A vendor who declines to sign a BAA, or who offers only a modified BAA that limits their obligations below what the HIPAA regulations require, should not receive any PHI. Request the BAA before any pilot or trial that involves real patient data. Standard BAA templates from AHA and MGMA are publicly available for comparison.
Where is PHI stored, and is that infrastructure HIPAA-eligible?
HIPAA does not require on-premises storage, but it does require that PHI be stored in infrastructure that supports the required security controls — access controls, encryption at rest, audit logging, and physical safeguards. Major cloud providers (AWS, Azure, GCP) offer HIPAA-eligible services with their own BAA programs. Consumer-tier services from these same providers do not carry HIPAA eligibility. Ask which specific infrastructure environment your PHI is stored in, and whether it is covered under the vendor's BAA.
Is PHI used to train or fine-tune AI models?
Using patient data to improve AI models is a use of PHI beyond the treatment, payment, and operations purposes that HIPAA permits without authorization. A HIPAA-compliant AI vendor must either not use PHI for model training at all, or must have a valid patient authorization that meets § 164.508 requirements for each patient whose data is used. Most enterprise healthcare AI vendors commit in writing to a no-training-on-PHI policy. Consumer AI tools often do not make this commitment in healthcare contexts. This question is specifically cited by OCR as an area of scrutiny.
What does your audit trail capture, and how long is it retained?
HIPAA requires audit controls under § 164.312(b). For AI systems, a compliant audit trail should capture: every query involving PHI (what was asked, what PHI was retrieved), every document generated (what patient, what content, what time), every user who accessed PHI (with authentication record), and every export or transmission of PHI. HIPAA requires audit records to be retained for a minimum of 6 years. Many AI tools provide no audit trail at all — which means the practice cannot demonstrate HIPAA compliance in the event of an audit.
The "HIPAA-adjacent" trap: why consumer AI APIs do not qualify
A significant category of AI tools marketed to physicians route through consumer-tier AI APIs — typically large language model providers — without carrying enterprise HIPAA coverage. These tools may appear clinically capable, and some are genuinely useful for non-PHI tasks. But the moment a physician dictates a note containing a patient name, date of birth, diagnosis, or any other individually identifiable health information into one of these tools, PHI is being transmitted to a vendor without a BAA.
The practical test: if a tool does not offer a BAA as part of its commercial agreement, it is using consumer-grade infrastructure that does not support HIPAA compliance. A tool that includes HIPAA language in its marketing but cannot produce a signed BAA is making a representation it cannot legally support. OCR has been clear that HIPAA compliance is determined by the actual technical and contractual posture of the relationship, not by marketing language.
For behavioral health practices — where the sensitivity of PHI is highest and state-level privacy laws (42 CFR Part 2 for substance use disorder records, various state mental health confidentiality statutes) add requirements beyond HIPAA — the risk of a non-compliant AI tool is amplified. Consumer AI tools that route through shared infrastructure are definitionally unsuitable for this specialty.
What a HIPAA-compliant AI architecture actually looks like
A defense-in-depth HIPAA posture for AI systems requires controls at four layers:
Infrastructure layer
PHI stored in HIPAA-eligible cloud infrastructure with encryption at rest (AES-256 or equivalent) and in transit (TLS 1.2+). Cross-tenant isolation that ensures one practice cannot access another's data under any circumstances. Geographic data residency controls for practices in regulated jurisdictions.
Access control layer
Role-based access controls implementing minimum-necessary principles. Multi-factor authentication for all PHI-accessing users. Session management with automatic timeout. Revocable credential management that allows immediate termination of access on staff departure.
Audit and monitoring layer
Immutable audit logs of all PHI access events, retained for 6+ years. Real-time anomaly detection for access patterns that deviate from baseline — bulk PHI exports, access from unusual IP ranges, after-hours queries on sensitive records. Automated alerting for potential breach scenarios.
Contractual layer
Executed BAA with each covered entity customer. Subcontractor BAAs with all downstream vendors who receive PHI. Documented breach response plan with OCR notification procedures. Annual security risk assessments per § 164.308(a)(1).
How MedOp is built for HIPAA compliance from the architecture up
MedOp's security architecture was designed with HIPAA compliance as a first-order requirement, not a retrofit. Key elements include:
PHI is stored in private, per-tenant encrypted storage — each practice has an isolated data environment. Patient data is never commingled across tenants, and MedOp commits in its BAA that PHI is never used to train or improve AI models without explicit authorization. This commitment is not just a marketing statement — it is a contractual obligation with audit evidence.
MedOp's Compliance Monitor agent runs continuous anomaly detection on PHI access patterns — flagging bulk exports, unusual access times, and credential sharing behaviors before they become reportable events. Every AI action involving PHI produces an immutable audit record: what was accessed, by which agent, at what time, with what output. This audit trail satisfies § 164.312(b) and provides the documentation needed for OCR audits and payer credentialing reviews that increasingly ask about AI vendor compliance posture.
AI vendor HIPAA compliance checklist
Vendor will execute a Business Associate Agreement before any PHI is shared
PHI is stored in HIPAA-eligible infrastructure (not consumer-tier cloud)
Vendor commits in writing that PHI is not used for model training
Full audit trail of PHI access is provided and retained 6+ years
Subcontractor BAAs are in place for all downstream data processors
Breach notification procedures meet the 60-day OCR reporting requirement
Annual security risk assessment is performed and documented
Access controls enforce minimum-necessary and support MFA
What happens when an AI tool is not HIPAA-compliant and something goes wrong
The financial exposure from a HIPAA violation involving AI is not theoretical. OCR penalty tiers range from $100 per violation (violations without knowledge) to $50,000 per violation (willful neglect without correction), with an annual maximum of $1.9 million per violation category. A practice that routinely used a non-BAA AI tool for six months, processing 25 patients per day, could theoretically be assessed penalties on each PHI disclosure — though enforcement actions at the individual practice level typically focus on the largest exposures and practices with prior compliance failures.
Beyond the regulatory penalty, HIPAA breaches — including those discovered through OCR audit rather than an actual data breach — trigger mandatory breach notification to affected patients, media notification requirements for breaches affecting more than 500 individuals, and inclusion in the OCR breach portal (publicly searchable). The reputational impact of appearing in the breach portal is a significant deterrent that the penalty dollar amounts alone do not capture.
For AI vendors who evaluated for use with AI scribe tools specifically, the BAA and audit trail questions are the most commonly incomplete items in vendor evaluations. The four-question framework above provides a minimum standard. Larger practices and those in higher-sensitivity specialties should also request the vendor's SOC 2 Type II report and penetration testing documentation.
Review MedOp's security and compliance documentation
BAA template, PHI storage architecture, audit trail specifications, and Compliance Monitor agent documentation — all available before you book a demo.
Frequently asked questions
Is AI clinical documentation HIPAA-compliant?
AI clinical documentation can be HIPAA-compliant, but not all tools are. Compliance requires four things from the vendor: (1) a signed Business Associate Agreement (BAA) that defines their obligations as a covered entity's business associate; (2) PHI stored in HIPAA-eligible infrastructure — typically private cloud or on-premises, not shared consumer-grade servers; (3) a written guarantee that patient data is not used to train or improve AI models without explicit patient authorization; and (4) a complete audit trail logging every access to PHI, by whom, and when. Consumer AI tools (ChatGPT, Gemini, and many "AI scribe" apps that route through their APIs) typically do not meet all four criteria. Always request and review the BAA before sharing any patient data with a vendor.
What makes AI software HIPAA-compliant?
HIPAA compliance for AI software requires the vendor to function as a Business Associate under 45 CFR Part 164. That means: executing a BAA that obligates them to safeguard PHI, implement physical and technical safeguards, report breaches within 60 days, and restrict data use to the purposes defined in the agreement. On the technical side, HIPAA-compliant AI requires end-to-end encryption (in transit and at rest), access controls with minimum-necessary enforcement, audit logging of all PHI access, and a documented breach response plan. The "HIPAA-compliant" label alone means nothing without these specific safeguards — ask for the BAA and the vendor's security documentation.
Does using AI for medical notes violate HIPAA?
Using AI for medical notes does not automatically violate HIPAA, but it can if the tool does not meet HIPAA requirements. The key risk points are: (1) sending PHI to a consumer AI service that will not sign a BAA — this is an impermissible disclosure of PHI; (2) using a vendor that retains patient data for model training without a patient authorization that meets 45 CFR § 164.508 requirements; and (3) lacking an audit trail that satisfies HIPAA Security Rule requirements at § 164.312(b). Physicians who use consumer AI tools (dictating notes into ChatGPT, for example) without a BAA are in violation regardless of the tool's general usefulness or accuracy.
What is a Business Associate Agreement and when is it required?
A Business Associate Agreement (BAA) is a written contract required by HIPAA whenever a covered entity (a practice) shares PHI with a vendor that performs functions on its behalf (a business associate). If an AI vendor processes, stores, or transmits PHI as part of their service, they are a business associate and a BAA is required before any PHI is shared with them. The BAA must specify what the business associate is permitted to do with the data, require them to implement appropriate safeguards, and obligate them to report breaches. Many AI vendors offer standard BAAs; some larger vendors (certain cloud providers) have self-service BAA processes. If a vendor will not sign a BAA, sharing PHI with them is an impermissible disclosure.
What is the risk of using non-HIPAA-compliant AI in a medical practice?
Using non-HIPAA-compliant AI in a medical practice carries several categories of risk. Regulatory risk: HIPAA violation penalties range from $100 to $50,000 per violation (per incident), with an annual maximum of $1.9 million per violation category. The HHS Office for Civil Rights (OCR) has increased its enforcement activity significantly, and AI-related PHI disclosures are an emerging enforcement focus. Reputational risk: a breach or OCR investigation becomes public record and can damage patient trust in ways that are difficult to recover from. Contractual risk: payer contracts often require HIPAA compliance as a condition of participation — a documented HIPAA failure can jeopardize payer relationships. The practical protection is straightforward: only share PHI with vendors who have signed a BAA and can demonstrate the technical safeguards required.