Updated 2025: Looking for a Business Associate Agreement? Download our FREE template

TotalHIPAA Logo

The AI Evolution Across the HIPAA Ecosystem

Summary:

As Artificial Intelligence becomes a standard business tool, HIPAA-regulated organizations must evolve their data security strategies. This guide explores how to leverage AI while maintaining compliance through robust Business Associate Agreements (BAAs), thorough risk assessments, and alignment with the NIST AI Risk Management Framework.

Artificial Intelligence is no longer a niche tool for tech startups. It is being deployed across the entire HIPAA spectrum: Business Associates (BAs) are using it for automated processing and data analytics, employer groups are utilizing it for plan management, and medical and dental providers are adopting it for clinical research and growth, among other applications.

While the efficiency gains are undeniable, the core requirement remains the same: any tool that processes Protected Health Information (PHI) must be governed by HIPAA’s Privacy, Security, and Breach Notification Rules.

Is Your Organization’s AI Use Compliant?

For all regulated entities, the burden of compliance falls on how the data is handled and who has access to it. 

  1. The Necessity of the Business Associate Agreement

If an organization uses a third-party AI tool that has access to  PHI, that vendor is, by definition, a Business Associate. 

  • The Mandate: You must have a signed Business Associate Agreement in place, and review these programs’ compliance plans before any sensitive data is uploaded.
  • The Reality: Many popular generative AI platforms do not offer BAAs for their free or standard consumer tiers. Using these for PHI, even for simple tasks like drafting an email or summarizing a meeting, is considered a breach and is a direct violation of HIPAA.
  1. Comprehensive Risk Analysis

The HHS Office for Civil Rights (OCR) emphasized that a Risk Analysis must be “all-encompassing.” When your organization adopts AI, you must:

  • Updated Your Risk Assessment: Identify every point where AI interacts with ePHI. Total HIPAA’s Online Risk Assessment services can help you identify these new vulnerabilities.
  • Audit Data Training: Ensure the AI vendor is not using your organization’s sensitive data to train their “global” models. This prevents your proprietary or patient data from being shared with other users outside your organization.
  • Review Access Controls: Implement strict identity management to ensure only authorized personnel can access AI tools containing PHI.

When “No AI” is the Correct Compliance Choice

While the pressure to innovate is high, AI is not always the right answer for every organization. Depending on your specific regulatory requirements, the complexity of technical implementation, and the difficulty of securing a proper BAA from a vendor, the most effective solution is often to ban the use of AI entirely. When you factor in the additional costs associated with using AI (subscriptions to the AI vendor, monitoring, etc.), many organizations find that the risk-to-reward ratio simply doesn’t align. Choosing not to adopt AI is a proactive risk management decision that can save your organization from significant liability and administrative strain.  

Aligning with the NIST AI Risk Management Framework

Modern compliance extends beyond just “checking a box.” Many forward-thinking organizations are now adopting the NIST AI Risk Management Framework (AI RMF).

This framework helps organizations:

  • Govern: Establish a culture of transparency and accountability regarding AI use.
  • Map: Trace the flow of PHI through AI algorithms to understand where data resides.
  • Measure: Regularly test the AI for accuracy and potential privacy “leakage.”
  • Manage: Prioritize and respond to identified risks based on the sensitivity of the data involved. 

Beyond Federal Law: State-Specific Oversight

While HIPAA provides a federal baseline, regulated entities must also stay mindful of evolving state laws. States like Texas (via HB 300) have implemented stricter privacy standards and shorter breach notification windows. Additionally, states like California (CCPA/CPRA) and Colorado are increasingly scrutinizing “automated decision-making” and data profiles. Please note that these examples are not exhaustive.

If your organization operates across state lines, your AI policies must be flexible and stringent enough to accommodate the strictest applicable regulation.

Actionable Steps for Your Organization

  • Audit “Shadow AI”: Employees may be using unauthorized AI tools to summarize meetings or draft internal memos. Ensure your HIPAA policies strictly prohibit the use of unapproved AI for any task involving PHI.
  • Modernize Your Workforce: Training is your first line of defense. Ensure that your HIPAA training addresses the nuances of AI, teaching your team the risks of “prompt engineering” with sensitive data.
  • De-Identify Where Possible: If you are using AI for high-level data analytics that do not require individual identifiers, follow the HHS De-identification Standard to lower your risk profile.

Next Steps for Your Compliance Program

Integrating AI doesn’t have to mean increasing your liability. By updating your Security Risk Analysis and refining your vendor management processes, you can innovate with confidence and maintain the trust of your clients and patients.

Do you want to learn more about integrating AI into your current compliance workflow? Schedule a clarity call to learn more about Total HIPAA’s HIPAA Prime ™ plan, and stay ahead of the regulatory curve. 

References:

Sharing is caring!

Looking for a Business Associate Agreement?

Download our free template to get started on your path toward HIPAA compliance.

Download Now

Want to stay informed?

Join our community, stay ahead of the curve on HIPAA compliance and receive free expert guidance.

Related Posts

Does HIPAA Apply After Death? Limitations of HIPAA Rules

Does HIPAA Apply After Death? Limitations of HIPAA Rules

Yes, HIPAA protections continue long after a patient has passed away. Under the HIPAA Privacy Rule, Protected Health Information (PHI) remains safeguarded for 50 years following the date of death. During this time, the same privacy standards apply, though specific exceptions allow for disclosures to executors, funeral directors, and family members involved in the patient’s prior care.

HIPAA Compliance: A Constant Pulse, Not an Annual Event

HIPAA Compliance: A Constant Pulse, Not an Annual Event

Even though people talk about an “annual HIPAA audit,” compliance isn’t just a once-a-year task. To stay compliant, organizations can’t just “set it and forget it”; they need to constantly manage risks. Staying on top of things is the only way to be ready for an audit at any time.

The $245,000 Wake-Up Call: Why Your Employee Benefits Plan is a HIPAA Target

The $245,000 Wake-Up Call: Why Your Employee Benefits Plan is a HIPAA Target

The $245,000 settlement against a small health plan isn’t just a headline, it’s a warning. Many employers mistakenly believe their benefit plans are “too small to notice,” but federal regulators are proving otherwise. This post breaks down how a lack of formal risk analysis and missing security training can turn a routine oversight into a quarter-million-dollar disaster. Learn the specific steps you must take to shield your organization from becoming the next case study in HIPAA non-compliance.

Save & Share Cart
Your Shopping Cart will be saved and you'll be given a link. You, or anyone with the link, can use it to retrieve your Cart at any time.
Save Cart & Generate Link
Send Cart in an Email Done! close
Empty cart. Please add products before saving :)

Back Save & Share Cart
Your Shopping Cart will be saved with Product pictures and information, and Cart Totals. Then send it to yourself, or a friend, with a link to retrieve it at any time.
Send Cart Email
Your cart email sent successfully :)