Artificial Intelligence is no longer a niche tool for tech startups. It is being deployed across the entire HIPAA spectrum: Business Associates (BAs) are using it for automated processing and data analytics, employer groups are utilizing it for plan management, and medical and dental providers are adopting it for clinical research and growth, among other applications.
While the efficiency gains are undeniable, the core requirement remains the same: any tool that processes Protected Health Information (PHI) must be governed by HIPAA’s Privacy, Security, and Breach Notification Rules.
Is Your Organization’s AI Use Compliant?
For all regulated entities, the burden of compliance falls on how the data is handled and who has access to it.
- The Necessity of the Business Associate Agreement
If an organization uses a third-party AI tool that has access to PHI, that vendor is, by definition, a Business Associate.
- The Mandate: You must have a signed Business Associate Agreement in place, and review these programs’ compliance plans before any sensitive data is uploaded.
- The Reality: Many popular generative AI platforms do not offer BAAs for their free or standard consumer tiers. Using these for PHI, even for simple tasks like drafting an email or summarizing a meeting, is considered a breach and is a direct violation of HIPAA.
- Comprehensive Risk Analysis
The HHS Office for Civil Rights (OCR) emphasized that a Risk Analysis must be “all-encompassing.” When your organization adopts AI, you must:
- Updated Your Risk Assessment: Identify every point where AI interacts with ePHI. Total HIPAA’s Online Risk Assessment services can help you identify these new vulnerabilities.
- Audit Data Training: Ensure the AI vendor is not using your organization’s sensitive data to train their “global” models. This prevents your proprietary or patient data from being shared with other users outside your organization.
- Review Access Controls: Implement strict identity management to ensure only authorized personnel can access AI tools containing PHI.
When “No AI” is the Correct Compliance Choice
While the pressure to innovate is high, AI is not always the right answer for every organization. Depending on your specific regulatory requirements, the complexity of technical implementation, and the difficulty of securing a proper BAA from a vendor, the most effective solution is often to ban the use of AI entirely. When you factor in the additional costs associated with using AI (subscriptions to the AI vendor, monitoring, etc.), many organizations find that the risk-to-reward ratio simply doesn’t align. Choosing not to adopt AI is a proactive risk management decision that can save your organization from significant liability and administrative strain.
Aligning with the NIST AI Risk Management Framework
Modern compliance extends beyond just “checking a box.” Many forward-thinking organizations are now adopting the NIST AI Risk Management Framework (AI RMF).
This framework helps organizations:
- Govern: Establish a culture of transparency and accountability regarding AI use.
- Map: Trace the flow of PHI through AI algorithms to understand where data resides.
- Measure: Regularly test the AI for accuracy and potential privacy “leakage.”
- Manage: Prioritize and respond to identified risks based on the sensitivity of the data involved.
Beyond Federal Law: State-Specific Oversight
While HIPAA provides a federal baseline, regulated entities must also stay mindful of evolving state laws. States like Texas (via HB 300) have implemented stricter privacy standards and shorter breach notification windows. Additionally, states like California (CCPA/CPRA) and Colorado are increasingly scrutinizing “automated decision-making” and data profiles. Please note that these examples are not exhaustive.
If your organization operates across state lines, your AI policies must be flexible and stringent enough to accommodate the strictest applicable regulation.
Actionable Steps for Your Organization
- Audit “Shadow AI”: Employees may be using unauthorized AI tools to summarize meetings or draft internal memos. Ensure your HIPAA policies strictly prohibit the use of unapproved AI for any task involving PHI.
- Modernize Your Workforce: Training is your first line of defense. Ensure that your HIPAA training addresses the nuances of AI, teaching your team the risks of “prompt engineering” with sensitive data.
- De-Identify Where Possible: If you are using AI for high-level data analytics that do not require individual identifiers, follow the HHS De-identification Standard to lower your risk profile.
Next Steps for Your Compliance Program
Integrating AI doesn’t have to mean increasing your liability. By updating your Security Risk Analysis and refining your vendor management processes, you can innovate with confidence and maintain the trust of your clients and patients.
Do you want to learn more about integrating AI into your current compliance workflow? Schedule a clarity call to learn more about Total HIPAA’s HIPAA Prime ™ plan, and stay ahead of the regulatory curve.
References:
