Every healthcare team is shipping AI right now — patient triage, clinical scribing, claims summarization, intake chatbots. The teams that get it right treat HIPAA as an architectural decision they make on day one, the same way they approach building a HIPAA-compliant healthcare app in the first place. The teams that get it wrong paste a patient note into ChatGPT and call it a feature. This guide is for the first group.
What HIPAA Compliant AI Actually Means
There is no FDA seal, no HHS stamp, no certification body that pronounces an AI model HIPAA compliant. HIPAA does not regulate models — it regulates how organizations handle Protected Health Information. An AI feature is HIPAA compliant when the entire pipeline around it satisfies the Privacy Rule, the Security Rule, and the Breach Notification Rule.
That means three things have to be true at once. First, every vendor that touches PHI on your behalf — including the AI provider — has signed a Business Associate Agreement. (If the BAA versus HIPAA distinction is fuzzy, our BAA vs HIPAA explainer covers it in detail.) Second, the data flowing through the pipeline is encrypted, access-controlled, and logged the same way as any other PHI in your stack. Third, you can prove all of the above with documentation an Office for Civil Rights (OCR) auditor will accept.
HIPAA compliant AI is not a model you buy. It is a pipeline you architect — vendor BAAs, PHI minimization, encryption in transit and at rest, audit logs, and a documented risk analysis covering each AI step.
Why this matters more in 2026
The January 2025 Security Rule update removed the old "addressable" exemptions. Encryption, multi-factor authentication, and written incident response are now required, no exceptions. Combined with OCR's 2024 guidance treating AI-generated outputs containing PHI as Designated Record Set material, AI features are squarely inside the regulated perimeter — not a side experiment that gets a pass because it is new.
Where PHI Actually Leaks Into AI
Most HIPAA failures around AI come from one of five places. Knowing them lets you design the system to make each one impossible by default rather than catching them in code review.
Prompts. A clinician pastes a patient note into a model that has no BAA, or your app forwards a chart entry to a vendor endpoint that does not.
Training data. A vendor reserves the right to train future models on your prompts. Without zero-retention contractually disabled, your PHI becomes part of someone else's training set.
Logs. Vendor abuse-monitoring logs hold prompts for 30+ days by default. If those logs sit on infrastructure that is not BAA-covered, that is a breach.
Embeddings & vector stores. Embeddings of PHI are PHI. A vector database without encryption, access control, and a BAA is a liability, not a clever cache.
Outputs. AI-generated outputs that incorporate PHI inherit PHI status. A patient summary written by an LLM is just as regulated as the chart it came from.
Common Trap — "Just 'de-identify' before sending"
De-identification is a real compliance pathway, but it is not a regex. Free-text clinical notes routinely contain initials, dates, ZIP codes, device identifiers, and rare-disease descriptors that automated scrubbers miss. If your strategy is "strip names and ship," you are still sending PHI — and you still need a BAA.
Which AI Vendors Sign a BAA in 2026
The major API providers all offer BAAs on their enterprise tiers, but the BAA covers specific endpoints under specific conditions. The trap is assuming a vendor is "HIPAA compliant" in general when only one product line actually is.
| Vendor | BAA Available | Where It Applies | What It Does Not Cover |
|---|---|---|---|
| OpenAI | API + ChatGPT Enterprise | Free / Plus / Team | |
| Anthropic | API (zero-retention on request) | claude.ai consumer | |
| Google Vertex AI | Gemini via Vertex AI | Gemini consumer apps | |
| AWS Bedrock | Bedrock-hosted models | Out-of-region endpoints | |
| Azure OpenAI Service | Azure-hosted GPT endpoints | openai.com endpoints | |
| Hugging Face Inference | Enterprise tier only | Public Inference API | |
| Self-hosted (Llama, Mistral) | No BAA needed — you own it | You own all controls |
Self-hosting open-weight models like Llama 3 or Mistral on HIPAA-eligible infrastructure (AWS, Azure, GCP, with their BAA) sidesteps the AI-vendor BAA question entirely — the model runs inside your own compliance perimeter. The tradeoff is that you now own the model lifecycle, evaluation, and safety stack. If your app also serves European users, your AI pipeline has to satisfy GDPR alongside HIPAA — overlapping but not identical regimes.
Verify Before You Ship
Vendor BAAs cover specific products under specific configurations. "OpenAI signed a BAA" does not mean every endpoint is covered. Read the BAA, confirm the model and region you plan to call, and document it.
The Architecture That Keeps AI HIPAA Safe
A HIPAA compliant AI feature looks the same regardless of whether you are summarizing a SOAP note, classifying claim line items, or running a triage chatbot. The pipeline has six controls. Skipping any one of them turns the system into a liability.
6
Required pipeline controls
6 yrs
Audit log retention minimum
$1.9M
Max annual penalty per category
1. BAA-covered endpoint, region-pinned
Route every AI call through an endpoint covered by a signed BAA, in a US region you control. Block the rest at the network or SDK layer so a developer cannot accidentally swap a model name and send PHI to an uncovered endpoint.
2. PHI minimization at the prompt layer
Send the minimum necessary information. If the model needs to summarize a note, send the note — not the full chart. If it needs to classify a claim, send the claim line — not the patient roster. Build a tokenizer or schema layer that strips identifiers the model does not need.
3. Zero-retention contracted in writing
Most vendors retain prompts for abuse monitoring by default. For PHI traffic, request and confirm zero-retention in the BAA and verify it shows up in the dashboard or contract. Keep a copy.
4. Encryption in transit and at rest
TLS 1.2+ on every call. AES-256 at rest for any prompt, response, embedding, or vector store. This is the same baseline as any other PHI store; AI does not get a pass.
5. Audit logs that pass § 164.312(b)
Log who initiated the AI call, when, what prompt template, what model, what response ID, and what record it relates to. Retain for six years, store immutably, and make sure the log itself does not contain raw PHI unless your retention policy says it should. (For the exact field-level schema OCR will accept, see our deep dive on HIPAA audit logging.)
6. Output handling and human review
An LLM hallucinating a wrong allergy or dosage is not a HIPAA issue, but it is a patient-safety issue and a malpractice issue. For any clinical output, design a human-in-the-loop review step and document it in your risk analysis.
Real Healthcare AI Use Cases — and How to Make Each Compliant
1. AI Medical Scribing
Audio + transcript are PHI. Use a BAA-covered scribe vendor (Abridge, Nuance DAX, Suki) or self-host on HIPAA-eligible infra. Encrypt audio at rest, retain only what the chart needs, log every session.
2. Patient Intake Chatbots
Treat the chat transcript as a chart entry. BAA with the LLM vendor, encrypted store, role-based access, audit log per turn. Never persist conversation history client-side.
3. Clinical Note Summarization
Send the note, not the chart. Strip identifiers the summary does not need. Run the summary through a PHI-detection check before saving — embeddings of summaries are PHI too.
4. Claims & Prior Auth Automation
Claim data is PHI when linked to a member. Use a BAA-covered model, audit every decision, keep a deterministic fallback. Insurers will ask for the audit trail in any dispute.
5. Symptom Checkers & Triage
Output is regulated as a clinical recommendation. BAA + audit + medical-review workflow + clear disclaimer. The FDA also has a view here — Software as a Medical Device rules may apply.
6. Population Health Analytics
Aggregate analytics often qualify for de-identified treatment under Safe Harbor. Run de-identification before the model sees the data and document the method.
The HIPAA Compliant AI Checklist
Print this. Walk it for every AI feature in your roadmap before a single call goes to production.
BAA signed with the AI vendor, covering the exact endpoint and region you call
Zero-retention configured and confirmed in writing (or in the dashboard)
Prompt layer strips identifiers the model does not need
Network or SDK layer blocks calls to non-BAA endpoints
TLS 1.2+ in transit, AES-256 at rest for prompts, responses, and embeddings
Vector stores and caches are HIPAA-eligible and BAA-covered
Audit log captures user, time, model, prompt template, response ID, record link
Audit logs retained for six years, immutable, separate from raw PHI store
Risk analysis updated to cover the AI step and its failure modes
Human-in-the-loop review for any clinical or patient-facing output
Incident response plan covers prompt leaks, model hallucinations, and vendor breach
Training and acceptable-use policy in place — clinicians know what they can and cannot paste
The Mistakes That Get Healthcare AI Teams in Trouble
Mistake 1: Treating consumer ChatGPT as a private workspace
Free, Plus, and Team tiers of consumer ChatGPT do not come with a BAA. Clinicians pasting notes into the consumer app is one of the most common HIPAA failures of 2025 and 2026 — the kind of slip that shows up in OCR settlements with six- and seven-figure penalties. We catalog real cases in our roundup of HIPAA violations and penalties. Block it at the network layer and provide a sanctioned alternative.
Mistake 2: Forgetting the embedding store
Teams BAA the LLM and forget the vector database. Embeddings derived from PHI carry the same regulatory weight as the source. Pinecone, Weaviate, and pgvector on AWS RDS all support HIPAA configurations — pick one of them, do not stand up a public instance.
Mistake 3: Logging full prompts to a non-BAA observability tool
Datadog, Sentry, and most APM tools support HIPAA configurations on enterprise plans. The default plan typically does not. If your AI prompt is in your error log, that error log is now PHI infrastructure.
Mistake 4: Skipping the risk analysis update
HIPAA § 164.308 requires a documented risk analysis. Adding an AI feature without updating the analysis is the single most common gap OCR cites in post-incident reviews. The fix is twenty minutes of writing.
Mistake 5: Trusting de-identification without testing it
Run a sample of your traffic through the de-identification step, then have a second model attempt to re-identify. Real Safe Harbor compliance requires you to confirm all 18 identifier categories are removed — not just names and SSNs.
How to Actually Ship a HIPAA Compliant AI Feature
Decide whether the feature touches PHI
If the AI step processes anything that could combine with another field to identify a patient, treat it as PHI. When in doubt, treat it as PHI.
Pick a vendor with a BAA on your target endpoint
Confirm the BAA covers the specific model and region. Get zero-retention in writing. Save the BAA in your compliance binder.
Design the prompt layer to send minimum necessary
Strip identifiers the model does not need. Use IDs and references where the model can resolve them server-side after the response comes back.
Wire encryption, audit logging, and access control before the first real call
These are not features you add later. The first prompt that hits the vendor must already be inside the compliance perimeter.
Build a synthetic test set that looks like real PHI
Real PHI never goes near non-prod. A good synthetic dataset is the difference between a feature that ships in two weeks and one that gets stuck in compliance review for two months.
Update your risk analysis and incident response plan
Document the AI step, its data flow, its failure modes, and what happens if the vendor breaches. This is the artifact OCR will ask for.
Pilot with a small group, monitor logs, then scale
Watch the audit log for the first two weeks. Look for prompts that should not have included PHI, responses that hallucinated, and access patterns that do not match policy.
Frequently Asked Questions
Is ChatGPT HIPAA compliant?
The consumer ChatGPT product is not. OpenAI offers a BAA for the API and ChatGPT Enterprise with zero-retention enabled. Without a signed BAA and the right configuration, sending PHI to any AI vendor is a HIPAA violation.
Which AI vendors sign a BAA?
OpenAI, Anthropic, Google Vertex AI, AWS Bedrock, and Microsoft Azure OpenAI Service all offer BAAs on their enterprise APIs. Consumer-tier products from these vendors do not. Always confirm the BAA covers the exact endpoint and model you plan to call.
Can I use AI on PHI without a BAA if I de-identify first?
Yes — if the data meets Safe Harbor or Expert Determination, it is no longer PHI. The catch is that real de-identification is harder than it looks; free-text clinical notes routinely leak identifiers automated scrubbers miss.
Do I need to log AI prompts and responses for HIPAA?
Yes. § 164.312(b) requires audit controls for any system that creates, accesses, or transmits PHI. If your AI feature touches PHI, every prompt, response, user, and timestamp must be logged and retained for six years.
Is using AI for medical scribing HIPAA compliant?
It can be. AI scribes are HIPAA compliant when the vendor signs a BAA, audio and transcripts are encrypted in transit and at rest, retention is configured per your policy, and access is logged. Clinical-grade vendors meet these requirements; off-the-shelf transcription apps usually do not.
Are embeddings and vector stores PHI?
Yes. An embedding derived from PHI inherits PHI status. Vector databases storing those embeddings need encryption, access control, audit logging, and a signed BAA — same as any other PHI store.
Does HIPAA apply if I am using a self-hosted open-source model?
HIPAA still applies to the data, not the model. Self-hosting on HIPAA-eligible infrastructure means you do not need a vendor BAA for the model itself, but you still need every other control — encryption, access, audit, risk analysis — and a BAA with your cloud provider.
What happens if a vendor leaks a prompt containing PHI?
It is a breach. You — as the covered entity or business associate — are responsible for breach notification under § 164.404, even if the vendor caused it. Your BAA should require the vendor to notify you within a defined window so you can meet the 60-day patient notification requirement.
Ship AI features without the HIPAA homework
VertiComply generates healthcare app code with BAA-covered AI endpoints, PHI minimization, encrypted vector stores, and audit logging wired in by default — so you spend your time on the feature, not the pipeline.
BAA on day one. Audit logs you can hand to OCR. Zero retention by default.
In This Guide
01
What HIPAA compliant AI means
02
Where PHI leaks into AI
03
Which AI vendors sign a BAA
04
The compliant AI architecture
05
Real use cases, made compliant
06
The compliance checklist
07
Mistakes that get teams in trouble
08
How to actually ship it
09
FAQ
Key Numbers
Required pipeline controls
6
Audit log retention
6 yrs
Breach notification window
60 days
Max annual penalty / category
$1.9M
Topics
Related Articles
Continue reading about healthcare compliance and AI
How to Build a HIPAA-Compliant Healthcare App Without Code in 2026
The complete 2026 guide to building HIPAA-compliant healthcare apps without code. Covers compliance rules, no-code platforms, what to look for, real costs, common mistakes, and a step-by-step practical sequence for US healthcare startups.
Read article
BAA vs HIPAA: Know the Difference (2026 Guide)
BAA vs HIPAA explained in plain English. What each one actually is, why they are not the same thing, who needs a BAA, when it is required, and what happens if you skip it.
Read article
How to Build a Compliant Healthcare App in 2026
Step-by-step guide to building healthcare apps that meet HIPAA, GDPR, SOC 2 and HITRUST compliance. Covers the 5 essential pillars and AI automation.
Read article